Reasons to be Fearful

August 23, 2009

Earlier this year, an IT consultant who was sacked for lying on his CV decided to retaliate by hacking into his company’s computer system and deleting e-mails that were meant to delegate work between colleagues.  As a result, the company lost a month’s work on a project, which then collapsed, leading to several more workers losing their jobs.  Apparently, the employee had been dismissed after his employers discovered that his boasts of a master’s degree and top government jobs were all lies – and he wasn’t very happy about it.


Meanwhile, a sacked worker in the USA has just admitted planting malware on his former employer’s computer network in another revenge attack. By planting three malicious systems-caching files on systems connected to the company’s extranet, the employee succeeded in infecting 25 servers at various client sites, causing thousands of dollars’ worth of damage for his former employer.


As the global recession starts to intensify, many companies are reporting an increase in incidents like these, as well as other attacks aimed at their IT systems. With so many employees losing their jobs at the moment, and the ease and availability of tools and information relating to hacking, many of these disgruntled ex-employees are making the transition from white-collar worker to hacker.  Of course, attackers have been exploiting IT vulnerabilities and weaknesses for years; the difference right now is that it’s no longer the career criminals who are attacking, but the ‘average Joe.’ 


There are two main reasons for this phenomenon.  First, as illustrated by the stories above, employees will often take reprisals internally against companies that have made them redundant.  At the same time, a great deal of ill-will can also be generated very quickly by companies who have been forced to make pay cuts, reduce staff hours, implement a pay freeze, and/or reduce employee benefits.  Unfortunately, angry employees can quickly become dangerous assailants, especially if they possess high-level IT skills.


Secondly, there is also a growing number of highly skilled IT staff who suddenly find themselves out of work, and who are therefore tempted to use their IT skills for illicit purposes as a way to make some ‘easy money’. Such opportunities will often come via an unscrupulous third party that wants to get its hands on a competitor’s business data. And who better to ask than a disgruntled ex-employee? Unfortunately, hard economic times can make even the most decent-seeming people feel completely desperate, which means that they may well do things they wouldn’t normally consider.


To make things worse, the Internet now makes all of this information very easy to access, and instructions on how to exploit any vulnerabilities in security are readily available. Years ago, hacking was more akin to a dark art form, back when running the tools and hacking into sites was a lot more than just a point-and-click exercise. Today, however, the amount of experience required to breach security systems is considerably less, making it much easier for out-of-work IT staff to hack into a server and steal valuable information.


It’s always amazing to us when we come across a company which is willing to spend vast sums of money on their IT security, and yet does nothing when it comes to protecting itself from internal threats, even though this kind of activity can result in drastic revenue loss, legal liabilities, diminished productivity, and brand erosion.


For years, the thought of viruses and other risks has led many companies to take action and protect themselves from an outside attack, even though it’s actually the ‘enemy within’ that is causing the biggest problem. In fact, according to Forrester Research, the majority of security breaches involve internal employees, with some estimates putting it as high as 85% of attacks coming from within the organisation.


The problem is that it’s not unusual for an employee to have regular access to multiple computer systems in order to perform his or her job role properly. Unfortunately, it is precisely this access that can endanger the security of business-critical applications. Despite today’s sophisticated user provisioning systems, many IT administrators are simply too strapped for time to keep users’ access and privileges up to date. In fact, according to some estimates, it can sometimes take more than four months to remove the user rights of a former employee. Within that time span, there’s no telling what havoc a disgruntled employee can wreak on a company’s IT system.


As is often the case, a technology problem like access control can also be solved with a technology solution, and there’s no shortage of vendors promising to simplify the user provisioning process by offering solutions that automate policy enforcement and delegate administration for user provisioning in order to maintain security levels amongst a large number of users. Some automated user provisioning solutions can even be used to grant, revoke, or modify access to any operating system, application, Web portal or other IT asset instantly, without manual intervention.
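The de-provisioning gap described above can be measured by reconciling HR leaver records against a directory export. The following is an added example, not part of the original article; the record fields, account names, group names and dates are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR leaver records and a directory export.
LEAVERS = {
    "jsmith": date(2009, 3, 31),
    "apatel": date(2009, 6, 15),
    "mbrown": date(2009, 8, 14),
}
ACCOUNTS = [
    {"user": "jsmith", "enabled": True,  "last_login": date(2009, 7, 2),  "groups": ["vpn", "db-admin"]},
    {"user": "apatel", "enabled": False, "last_login": date(2009, 6, 12), "groups": ["vpn"]},
    {"user": "mbrown", "enabled": True,  "last_login": date(2009, 8, 10), "groups": ["staff"]},
    {"user": "kjones", "enabled": True,  "last_login": date(2009, 8, 20), "groups": ["staff"]},
]
# Hypothetical group names that grant remote or administrative access.
PRIVILEGED = {"db-admin", "domain-admin", "vpn"}

def audit_leavers(leavers, accounts, today):
    """Return findings for accounts still enabled after their owner left."""
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue  # current employee, or already de-provisioned
        # A login dated after the leaving date means the access was actually used.
        used_after = acct["last_login"] is not None and acct["last_login"] > left
        risky = sorted(PRIVILEGED.intersection(acct["groups"]))
        severity = "critical" if used_after else "high" if risky else "medium"
        findings.append({
            "user": acct["user"],
            "days_exposed": (today - left).days,
            "used_after_leaving": used_after,
            "privileged_groups": risky,
            "severity": severity,
        })
    # Longest-exposed accounts first.
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)

if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS, ACCOUNTS, date(2009, 8, 23)):
        print(finding)
```

Run on a schedule, a report like this turns the "four months" figure into a number an organisation can track for itself, and it separates accounts that were merely left enabled from those that were used after the owner's departure.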


Likewise, strict usage policies can stop employees from being tricked into sending sensitive information via insecure e-mail. E-mail content scanning technology can also help, thanks to the latest specialist software that scans and monitors e-mail before it ever reaches a network, ensuring that it’s free from harmful or damaging content.


Firewalls are another common security tool, and have been deployed as a frontline defence against online attacks for years. By also using an ‘intrawall,’ or departmental firewall, however, all outgoing connections that don’t serve a specific business need for that department can also be blocked in order to keep an even tighter control over how data is being shared both within and outside the organisation.


Until companies adopt this kind of common sense security as fundamental business practice – and incorporate it into every aspect of their organisation – they will continue to leave themselves open to attacks from employees, ex-employees, and outsiders as well. Perfect security is an unattainable ideal and obviously not a reality, but it is still a noble goal. By implementing comprehensive security policies, providing the right education and training, and adjusting staff attitudes toward security, companies can begin to combat the rising level of attacks both during and after the recession.


Martin O’Neal is a Director at Corsaire, the information security consultancy: