The enemy within

By Rodney Appleyard

Corporate IT security concerns continued to rise last year as hackers learnt new, sophisticated ways of attacking companies, but there are fears that this year could see an even more dangerous enemy emerge - employees. Rodney Appleyard reports on why organisations need to be careful over the growing trend of criminal activity from within their own ranks.

A Russian antivirus company, Kaspersky Labs, reported in its annual review last year that the vast majority of malicious software now in circulation across the Internet is written by organised criminals in an attempt to steal money, rather than by the naughty teenager of popular perception.

Additionally, a recent report from the Financial Services Authority (FSA) in the U.K. found evidence that organised crime groups are deliberately targeting firms by planting staff in the companies as infiltrators to commit commercial crime, especially identity theft.

It is clear that Australian companies will have to be on their guard to prevent this new trend from hitting this country over the course of this year.

Phillip Robinson, the financial crime sector leader at the FSA, says that firms should take more care over vetting staff before assigning jobs. "Firms should follow a preventative approach rather than reacting to a situation once it has happened, which can be costly and damaging to reputation.

"Consumers must also take steps to prevent attacks from fraudsters, by taking care when disclosing their personal details or following the security tips offered by their online banking services."

Robinson finds that hackers and fraudsters are continually refining and improving their techniques.

"In the fight against fraud, firms will have to run to stand still if they are to protect their assets and those of their customers. Having been the target of criminals in recent times, via the Internet, and other technologies, the major banks tend to have strong defences in place, but there is no room for complacency and criminals will seek to exploit vulnerable points where they can find them, including in other sectors or smaller firms."

Many recruitment agencies in Australia were reluctant to comment on insiders slipping through their security net, but one managing director of an agency based in Melbourne, who chose to be anonymous, said that he did not believe that this was currently a problem in this country.

"I haven't heard of any cases of this happening in Australia yet, and we certainly haven't experienced it in our firm so far. We have heard of individuals targeting companies deliberately to steal data and carry out cyber crime attacks, but not organised gangs yet.

"The best way we can prevent this from happening is to do police checks, but we don't have a policy of doing police checks on everyone. I guess there could be better ways of vetting potential employees."

If this air of unawareness and complacency is common throughout the whole of Australia, it seems that financial services could be an open target for organised crime in the future.

Strong evidence that the threat of financial attacks on organisations from insiders looms large was released last year in the United States in the shape of the "Insider Threat Study", carried out by the U.S. Secret Service and Carnegie Mellon University Software Engineering Institute's CERT Coordination Centre. The study focused on people who have had access to and have perpetrated harm using information systems in the banking and finance sector, which includes credit unions and financial institutions.

Twenty-three cases, carried out by 26 insiders between 1996 and 2002, were examined. The findings showed that most of the incidents were not technically sophisticated or complex. 87 percent of the cases involved insiders using legitimate user commands to carry out the crimes, and 78 percent of the insiders were authorised users with active computer accounts.

Most of the incidents (81 percent) were planned in advance, with other people being aware of the insiders' intentions in most cases, and the same proportion were motivated by financial gain rather than a desire to harm the company or information system.

The impact of nearly all insider incidents in the banking and finance sector was financial loss for the organisation: in 30 percent of cases, the financial loss exceeded US $500,000. Most of the incidents (83 percent) were executed from within the insiders' organisation and took place during normal business hours.

The study involved interviews with the insiders. One of them said that he wanted the company that terminated his contract "to feel the shame [he] had to go home with that night." He also wanted to show the company that he was right about his fears over the company's computer security. Examples such as this illustrate the importance of discontinuing system access to employees who have had their contracts terminated.

Another anonymous insider justified his action by saying: "Do you walk up to a car and just try to unlock it? No... that's disrespectful. Online, it feels okay."

Michael Warrilow, a senior analyst for Meta Group, explains how bad the situation is in Australia at the moment and what could be done to prevent things getting worse.

"There are plenty of cases of when multi-million dollar fraud has happened in this country without the perpetrators ever being caught. Companies just don't have the evidence to back up these accusations and they also fear counter suits which might backfire and cost even more money.

"One famous example of an insider attack in Australia involved the greengrocer.com site. The insider hacked into the company's computer system, erased files and disabled the Internet link to customers. The business was knocked out for five days, so you can imagine how much money was lost to the business during that period. In the end, the 27-year-old culprit was let off lightly by receiving a good behaviour bond with 18 months supervision."

Warrilow says that too many organisations now accept that they will face a loss due to insider attacks because they are too frightened to take attackers to court.

He believes that the only way to stop it getting out of hand is for organisations to follow guidelines on security that encourage auditing, authentication and access rights. There needs to be a record of evidence that a transaction was definitely made by somebody. That way, the record has more chance of standing up in court as substantial proof, instead of one person's word against another. If an illegal transaction takes place, Warrilow says that a system should be in place to trace it and show exactly who carried it out, and prove that nobody else could have made that transaction apart from the name attached to the procedure.
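An added example, not part of the original article or of any product it mentions: a tamper-evident audit trail in Python in which each transaction record names the authenticated user and is chained to the previous record with an HMAC, so later edits, deletions or truncation show up on verification. The key handling (a key held only by the logging service), the field names and the sample users are assumptions; the chain shows that a record was not changed afterwards, while who acted still rests on the strength of the authentication behind the `user` field.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # 'prev' value of the first record
FIELDS = ("seq", "ts", "user", "action", "prev")

def record_mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, ts: str, user: str, action: str) -> dict:
    """Append a record bound to the authenticated user and to the previous record."""
    body = {"seq": len(log), "ts": ts, "user": user, "action": action,
            "prev": log[-1]["mac"] if log else GENESIS}
    entry = dict(body, mac=record_mac(key, body))
    log.append(entry)
    return entry

def verify_chain(log: list, key: bytes, head: str = None) -> list:
    """Return (index, problem) pairs; an empty list means the trail is intact.
    `head` is the last MAC as copied to separate storage; without it, records
    removed from the end of the log cannot be detected."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {f: entry.get(f) for f in FIELDS}
        if body["seq"] != i:
            problems.append((i, "sequence gap"))
        if body["prev"] != prev:
            problems.append((i, "chain break"))
        if not hmac.compare_digest(record_mac(key, body), str(entry.get("mac"))):
            problems.append((i, "record altered"))
        prev = entry.get("mac")
    if head is not None and prev != head:
        problems.append((len(log), "head mismatch"))
    return problems

def sample_log(key: bytes) -> list:
    """Constructed sample data: three transactions by two hypothetical users."""
    log = []
    append_entry(log, key, "2005-02-01T10:02:11Z", "alice", "transfer acct=1001 amt=250.00")
    append_entry(log, key, "2005-02-01T10:05:40Z", "mallory", "transfer acct=1001 amt=9800.00")
    append_entry(log, key, "2005-02-01T10:09:03Z", "alice", "close-session")
    return log

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: held only by the logging service
    log = sample_log(key)
    log[1]["user"] = "alice"  # after-the-fact edit of who made the transfer
    print(verify_chain(log, key))
```

Copying the latest MAC to storage that the audited staff cannot write to is what makes removal of the most recent records visible.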

Another alternative security measure involves using biometric fingerprint technology to provide access via identity management to certain critical information.

Warrilow also recommends that companies should read the Standards Australia handbook HB 171-2003, titled: "Guidelines for the management of IT evidence". The handbook provides advice on managing IT evidence; its purpose is to give guidance on, and improve the likelihood of, collecting admissible computer-related evidence. He said that reviewing the document will prepare security practitioners to implement mechanisms that improve confidence in the admissibility of IT evidence used to prosecute offenders.

One thing is for sure: the vulnerabilities are constantly being abused, and organisations will have to be more vigilant than ever to make sure they don't fall victim to the enemy within.
