Companies have expensive firewalls to protect their IT systems against external attack. But most damage comes from insiders - and they're already inside the firewall. Neil Campbell reports.

Firewalls are software devices that monitor all digital 'traffic' at the entry and exit points of an organisation's information technology network. They sit between the company's IT system and the outside world. You can program firewalls to block certain types of traffic. That way, you are, you hope, protecting your system against attack. You can also use other techniques - encryption, digital signatures - to fend off outside attack. But the biggest threat to your system is likely to be someone sitting inside your offices - inside the firewall.

A well-placed insider is the simplest and most effective means of accessing information, or causing damage. Insiders render nearly all security safeguards redundant. The risks from uncontrolled insiders multiply in an age where companies' reliance on information technology, global networks, e-mail and the Internet is increasing exponentially.

Companies have grown increasingly dependent on complex information systems, and on the individuals who design, maintain and operate them. More and more data of critical importance is being placed on corporate computers and global computer networks.

As a result, companies have become increasingly susceptible to computer crime and security attacks - the rise of the 'rogue insider'.

Who are the rogue insiders?
Rogue insiders are typically computer operators, programmers, network engineers and system administrators. They will often have detailed knowledge of the company's IT system. They possess the necessary computing skills, and are charged with a significant level of 'trust'. They can cause untold disruption:

  • Access or alter sensitive, confidential information and trade secrets
  • Give or sell business plans to competitors
  • Disrupt network usage or cause the client or server to hang up
  • Alter information surreptitiously
  • Glean information to use in their new job with a rival company or new start-up.

Compromised companies tend to deal with insider issues with minimal fuss, in the hope that they can avoid adverse publicity.

How they escape detection ...
Until the recent dot-com lay-offs, there was extreme pressure to recruit the top IT professionals. If you find the 'ideal' candidate, you may override or ignore standard security processes. People recruited into the key 'at-risk' roles need to be checked out thoroughly.

There's also the increasing unwillingness of companies to provide full and informative references - often because of legal concerns. And because the culture is to keep quiet about rogue insiders rather than prosecute them, repeat offenders can move - with an apparently clean record - from job to job.

... and what are they like?
Research into the psychological profile of rogue insiders highlights a number of risk factors:

  • Social and personal frustrations
  • Introversion
  • Addictive attachment to computer systems and the Internet
  • Ethical 'flexibility' (a willingness to bend the rules in everyday operations)
  • Lack of employer loyalty
  • Self-entitlement and anger towards authorities
  • Complete disregard for the impact of their actions on others.

So before letting people loose on your IT system, it's sensible to see how many risk factors they carry, and, of course, you need tight and monitored internal controls.

Don't forget that rogue insiders can easily be casual or temporary workers: so don't limit precautions to people on the permanent staff.

Safeguards within the firewall
Large corporations can dedicate staff to develop internal security policies. The bulk of small to medium-sized companies, however, can only react to actual breaches of security.

Experts claim that companies are only spending 1-3 per cent of their information technology budgets to avert insider hacking. Many security software providers and consultants continue to over-emphasise defence against external intruders.

Technological safeguards
Companies have been slow to recognise the difference between access control, where a firewall limits access to legitimate users, and intrusion control, which protects your system against attacks from users inside the firewall.

However, there is now increasing interest in Intrusion Detection Systems.

These systems monitor and record what is occurring inside the network. They identify patterns of use, anomalies in usage, and attempts to stray beyond normal limits of authority. When something out of the ordinary is detected, an automatic warning goes to security personnel.

Intrusion Detection Systems are the last line of defence. They enable you to observe an insider's actions, to scrutinise an insider's attempts to gather information about your network, to detect intrusion attempts and to terminate a user connection if necessary.
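The three checks described above (patterns of use, anomalies in usage, and attempts to stray beyond a user's authority) can be written down as detection logic. The Python script below is an added example, not code from the article or from any product it refers to: it parses a handful of constructed audit log lines, compares each access against an assumed per-user authority table, flags after-hours activity as a usage anomaly, and reports repeated denials as probable information gathering. The user names, resource names, business-hours window and denial threshold are all assumptions chosen for the demonstration.

```python
"""Added example (not from the article): a small insider-activity detector
run over constructed audit log lines.  It applies the three checks the text
describes: use outside a user's normal authority, anomalous (after-hours)
usage, and repeated attempts that look like probing.  All names, resources
and thresholds below are assumptions for the demonstration."""
from collections import Counter
from datetime import datetime
from typing import List, NamedTuple, Optional

# Constructed authority table: the resources each account is expected to use.
AUTHORISED = {
    "alice": {"payroll-db", "hr-share"},
    "bob": {"build-server", "source-repo"},
}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 counts as normal usage (assumption)
DENIAL_THRESHOLD = 2            # this many denials on one resource = probing (assumption)

# Constructed log, one event per line: "<ISO timestamp> <user> <resource> <action> <result>"
LOG_LINES = """\
2000-09-12T09:15:02 alice payroll-db READ ok
2000-09-12T09:16:40 alice hr-share READ ok
2000-09-12T10:02:11 bob source-repo READ ok
2000-09-12T23:41:09 bob payroll-db READ denied
2000-09-12T23:42:17 bob payroll-db READ denied
2000-09-12T23:43:50 bob payroll-db READ ok
2000-09-12T23:44:01 bob source-repo WRITE ok
this line is malformed and must be skipped
"""


class Event(NamedTuple):
    when: datetime
    user: str
    resource: str
    action: str
    result: str


class Alert(NamedTuple):
    rule: str
    user: str
    resource: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; return None for anything that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return Event(when, parts[1], parts[2], parts[3], parts[4])


def detect(log_text: str) -> List[Alert]:
    """Return the alerts security personnel would be warned about for this log."""
    alerts: List[Alert] = []
    denials: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stamp = ev.when.isoformat()
        # Rule 1: straying beyond the user's normal limits of authority.
        if ev.resource not in AUTHORISED.get(ev.user, set()):
            alerts.append(Alert("outside-authority", ev.user, ev.resource,
                                f"{ev.action} at {stamp} ({ev.result})"))
        # Rule 2: anomaly in the usage pattern, here activity outside business hours.
        if ev.when.hour not in BUSINESS_HOURS:
            alerts.append(Alert("after-hours", ev.user, ev.resource,
                                f"{ev.action} at {stamp}"))
        # Rule 3 (aggregated below): repeated denials look like information gathering.
        if ev.result == "denied":
            denials[(ev.user, ev.resource)] += 1
    for (user, resource), count in denials.items():
        if count >= DENIAL_THRESHOLD:
            alerts.append(Alert("repeated-denial", user, resource,
                                f"{count} denied attempts"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(f"[{alert.rule}] {alert.user} -> {alert.resource}: {alert.detail}")
```

Run directly, the script prints eight alerts, all concerning the second account. In practice the authority table would be derived from the access-control configuration rather than hand-written, and the thresholds tuned against a baseline of normal activity so that the automatic warning fires on genuine departures rather than routine noise.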

Other safeguards
In addition to Intrusion Detection Systems, what other technological safeguards should you be building into your protocols?

  • At the outset, develop an underlying computer system architecture designed explicitly with security, both external and internal, as the priority
  • Utilise differential access controls - give users the minimum access needed to accomplish their task
  • Maintain and monitor an accountability log of all modifications to critical computing system components
  • Spread computer systems knowledge across a number of personnel
  • Insist that employees use a password-protected screensaver, activated within a short period of time
  • Encrypt sensitive files
  • Monitor e-mail and Internet communications
  • Conduct, and regularly review, comprehensive information security audits.
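Two of the items above, the differential access controls and the accountability log of modifications to critical components, fit together naturally. The Python class below is an added example rather than anything from the article: each recorded change is first checked against an assumed role-to-component permission table (the minimum-access principle), then appended to a hash-chained log so that later editing or removal of entries can be detected when the log is reviewed during an audit. The roles, users, component names and hashing scheme are assumptions for the demonstration.

```python
"""Added example (not from the article): a tamper-evident accountability log
for modifications to critical system components, combined with differential
access control so that only a role entitled to change a component can write
an entry.  Roles, users, components and the hash-chain scheme are assumptions
for the demonstration; a real deployment would also ship entries to a separate,
write-once store."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed differential access control: which role may modify which component.
ROLE_CAN_MODIFY: Dict[str, Set[str]] = {
    "network-admin": {"firewall-ruleset", "router-config"},
    "dba": {"payroll-db-schema"},
    "developer": set(),            # minimum access: no production changes at all
}
USER_ROLE: Dict[str, str] = {"carol": "network-admin", "dave": "dba", "erin": "developer"}

GENESIS = "0" * 64   # previous-hash value used for the first entry


class AccountabilityLog:
    """Append-only log in which every entry commits to the hash of the one before
    it, so any later edit, insertion or removal inside the chain breaks verification."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @property
    def head(self) -> str:
        """Hash of the latest entry; keep a copy off-box to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    @staticmethod
    def _digest(body: dict, prev_hash: str) -> str:
        payload = json.dumps(body, sort_keys=True) + prev_hash
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def record(self, user: str, component: str, change: str,
               when: Optional[str] = None) -> dict:
        """Record a change, refusing it when the user's role lacks modify rights."""
        role = USER_ROLE.get(user)
        if component not in ROLE_CAN_MODIFY.get(role, set()):
            raise PermissionError(f"{user} (role {role}) may not modify {component}")
        body = {
            "seq": len(self.entries),
            "when": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "component": component,
            "change": change,
        }
        entry = dict(body, prev=self.head, hash=self._digest(body, self.head))
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Recompute the chain; optionally also check it ends at a known head hash."""
        prev = GENESIS
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["seq"] != index or entry["prev"] != prev:
                return False
            if self._digest(body, prev) != entry["hash"]:
                return False
            prev = entry["hash"]
        return expected_head is None or prev == expected_head

    def history(self, component: str) -> List[str]:
        """Who changed a component and what they did, for routine monitoring."""
        return [f'{e["when"]} {e["user"]}: {e["change"]}'
                for e in self.entries if e["component"] == component]


if __name__ == "__main__":
    log = AccountabilityLog()
    log.record("carol", "firewall-ruleset", "permit tcp/443 from dmz", "2000-09-12T09:00:00+00:00")
    try:
        log.record("erin", "firewall-ruleset", "permit tcp/23 from any", "2000-09-12T09:01:00+00:00")
    except PermissionError as err:
        print("refused:", err)
    print("chain valid:", log.verify(), "|", log.history("firewall-ruleset"))
```

Keeping a copy of the current head hash somewhere the administrators being monitored cannot write to is what makes truncation detectable; the chain on its own only proves that whatever remains is internally consistent.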

Merely addressing and putting in place technological safeguards cannot fully resolve the insider hacking issue. Insiders are also a human resource concern. Your company can be held liable for illegal acts committed by employees unless you have a well-defined and supported code of ethics. Your human resource department should consider incorporating the following procedures into everyday practice:

  • Communicate clear, standardised rules governing the use of company information systems with explicit consequences for misuse
  • Develop specific recruitment procedures for information technology specialists
  • Conduct careful screening of people recruited into at-risk roles
  • Consider specialised training for information technology managers to help them recognise vulnerable individuals and to use appropriate intervention techniques
  • Develop protocols for introducing new employees to the company, and conduct exit interviews with employees who leave.

Only by adopting such an approach to computer systems security, applying both technological and human resource factors, can an organisation adequately protect itself from the threat of external hackers and the more serious threat posed by insiders.

  • US experts claim that insider hacking represents 70 per cent of the total number of attacks on companies' information technology systems
  • The financial cost to US companies is estimated at $1 billion per annum
  • The DTI estimates that insider hacking has cost UK companies approximately $2.4 billion in the six years from 1992
  • US Research carried out in 1999 revealed that 55 per cent of respondents had experienced unauthorised insider system access - compared to 44 per cent in 1998
  • US government statistics cite the cost of an average external hacking incident to be $57,000. In stark contrast, the cost of a serious insider hacking incident is circa $2.7 million.

Case study
Elite Web Hosting, Orlando, September 2000
The roof caved in for Elite Web Hosting in September 2000. A former employee is alleged to have entered the company's computer system without authorisation.

He is alleged to have sent an e-mail to all Elite's customers, containing offensive language, and saying that Elite was developing a Web porn business. Furthermore, the e-mail claimed that Elite's owner had been siphoning company funds for personal use.

Immediately, thirty steady customers took their business elsewhere, ripping a hole in Elite's cash flow. The company folded shortly afterwards.

Regional headquarters of an international energy company
A management information systems contractor shut down the UNIX-based telephonic switching system for the complex. Subsequent investigation uncovered that the contractor had been told of the termination of their contract the previous week. Furthermore, they had two previous felony convictions.