The Verse - Volume 25
return

Tech Tips - The Threat Inside The Office

A company’s biggest security threat isn't the sinister hacker trying to break into the company’s network from the outside, but employees and partners with easy access to company information. A Company usually trusts its employees and the employees usually trust each other, so it’s natural to focus computer network defenses and other IT security measures on outside rather than inside threats.

Recently, some very large and technically savvy companies have been hurt to the tune of millions of dollars by internal breeches of their IT security.

In December of 2004, Apple (as in computers, iPods, iTunes, etc.) filed two lawsuits accusing insiders and partners of leaking proprietary information. Apple is not exactly what you’d call a technology novice, but they were still susceptible to insiders. 

“The Threat Within,” in the June 12, 2006 issue of Information Week, tells the story of UBS Paine Webber’s (now called UBS Wealth Management USA) March 2002 network crash. United States prosecutors claim a disgruntled employee planted a “logic bomb,” simply some malicious computer programming code that crashed about 2,000 of the company’s servers on March 4, 2002. The server crash left 8,000 UBS brokers across the country unable to work for days and even weeks in some cases. To date, UBS has spent $3.1 million assessing and repairing damage that was so severe that four years later, all of it hasn’t been repaired. UBS hasn’t put a price on the amount of business they have lost, but you can imagine it is astronomical. Even though trading resumed in the days after the attack, some servers were never fully restored, largely because about 20% of them did not have backup tapes.

All of this happened, prosecutors claim, because a systems administrator at the company felt he got less than he should have on an annual bonus. The defense contends that the company’s lax security let someone else login with the employee’s ID and password and plant the malicious code that caused the crash. The case is now being argued, but the damage was already done. A manager at UBS who assisted in the recovery process after the crash said it best: “The most important thing was for users to be able to log in to their desktops…They couldn’t do the work they do on a daily basis.” UBS is an enormous company with deep pockets. How would the average small business fare in a similar situation? Most would fold if the interruption went past a few days.

To demonstrate how easily security breaches can happen, a CTO of a Medical Records Company asked the company’s department heads to attend a meeting on social engineering. He explained how within 30 seconds he could break into their system and gain mid-level access to their state-of-the art system, by making one phone call, without using his access code.

Randomly, he selected one of the department managers, making sure he did not know her personally. He chose Kelly Blake, who happened to be late to the meeting.

He called Kelly and said, “Hi, this is Peter Livingston from the computer department, have you noticed your computer slowing down recently?”

“Who are you?”

“Oh, I’m Mark’s (the CTO) assistant. He asked me to check with everyone regarding the recent slowdown of our filing system. Did you notice anything slowing down?”

“Well, it did seem rather slow the other day.”

“OK, hang on, I’m going to log onto your terminal, now your user name is kblake?”

“No, it’s kblakey.”

“Ah, thanks. Sorry I’m still new here, OK. Hang on, oh, what’s your password?”

“sam89,” she replied.

“Thanks, now Kelly, would you please come to the security session meeting you were scheduled for. You just allowed a total stranger access to the system.”

She was embarrassed, but she managed to keep her job.

If this was tried at your company, would the results be the same?

It’s up to you to keep your company secure. You must protect your organization against stupidity, gullibility, curiosity, or outright criminal intent.  Create training and awareness programs that involve the entire organization and repeat them on a regular basis.  User education, awareness, and accountability are the key to keeping your company's IT systems secure.