Enemy at the Water Cooler by Brian T Contos

Insider Threats from a Human Perspective

The dangers related to insider threats are similar to the dangers caused by external attackers. The threats are similar but often overlooked because malicious insiders are not the nameless, faceless cyber criminals who are despised the world around. They are trusted employees, consultants, partners, vendors, and others who have legitimate reasons to be on the network. In some cases, they are even friends.

I recall a situation from several years ago when I was working in Santiago, Chile. I was brought in to design and deploy a secure architecture in a telecommunications company for a new Internet Service Provider (ISP). There wasn’t anything particularly exciting about the deployment until our team started discovering that things were missing. Computer memory, hard drives, software, network gear, and other related computer components were slowly, but steadily growing legs. There were no video cameras or access controls for the server rooms, and I can’t recall ever seeing a guard actually in the guard booth. With vendors, consultants, employees, and visitors coming and going from the facility, it was nearly impossible to keep tabs on who had been there and what they may have been leaving with.

After a few weeks, theft had reached the point where entire servers were missing, monitors were disappearing, and even some personal laptops had been stolen. At this time, things changed, moving from our simply keeping an eye out to a full investigation. It turned out that one of the telephone company employees responsible for providing wiring, power, air conditioning, and various other infrastructure components had been stuffing computer gear into garbage bags and sneaking it out through the air conditioning conduits. He wasn’t caught because of the investigation; he was caught because he committed one of the cardinal sins of thieves: He got greedy.

One evening when he was stealing two large servers (SUN E250s), the air conditioning conduit collapsed under their weight. Shortly after the servers fell to the ground, so did he. Employees of the telecommunication company took him to another building, and we all assumed that he would be fired and likely go to jail. The truly interesting thing was that a friend he had played
soccer with almost daily since childhood was in charge of security and also in charge of the investigation.

In spite of all the evidence and the number of witnesses, the security investigator couldn’t bring himself to fire his friend, and later that week, allowed him to return to work in the same facility with the same access. While the company had strict policies about how to address external theft, insiders were simply not a consideration. The investigator, not wanting his friend to go to jail, found that the easiest thing to do was to do nothing at all.

I’ve seen this time and again. An organization is attacked from outside. With elevated adrenalin and the feeling that they are action movie stars, security analysts and managers alike try to hunt down the source of the attack and stop it. This is often done with complete disregard for policies and procedures. A Latin expression comes to mind, Inter arma silent leges: During wartime, laws are silent.

Interestingly, when the perpetrator is an insider, investigation procedures come to a grinding halt, and those same analysts and managers are not as ardent in their response as they are with outsiders. Why? Because most people would rather do anything than admit that a trusted co-worker or friend is malicious.

Emotional issues that are almost non-existent with an external event are suddenly playing on the minds of all those involved with the insider. Consider what it would be like having lunch with a co-worker you know to be under investigation, or think of sharing proprietary information with her as a normal part of doing business. Think of your role in keeping the person unaware of the investigation until the team determines it to be appropriate to let him or her know. And remember, the investigation may prove that the insider hasn’t done anything malicious at all.

A Word on Policies

As with any security incident management program—but particularly for an incident related to insiders—having clear policies and procedures is essential. I must stress, however, that having a bunch of policies sitting in a red binder collecting dust atop an auditor’s desk is as useful as having no policies at all. I’ll even argue that this makes an organization less secure, because it creates the illusion that steps are being taken to enhance security when nothing is