Disgruntled former employees who want revenge can inflict damage
and ruin your company's reputation if you are not careful.
Prevention procedures must be followed to keep your IT system
safe.
When San Francisco-based Slip.net had its IT systems hacked and key
customer accounts and databases tampered with in 1998, the ISP was
not the victim of an anonymous hacker. The saboteur was a former
member of its IT staff, computer administrator Nicholas Middleton,
who had been unhappy in his job and had quit shortly before the
incident.
With his knowledge of Slip.net's internal systems, including
employee and program passwords, Middleton used a test account to
break into the company's computer system. He then set up two bogus
accounts in the name of a sales rep to get into another system
responsible for the company's administrative functions and hosting
customers' Web sites.
Once inside, Middleton ran amok. A California court heard in 1999
that he altered administrative passwords and the computer's
registry, deleted Slip.net's entire billing system and erased two
internal databases. Middleton's parting shot knocked some of the
ISP's biggest customers offline for several hours and saddled the
firm with a bill for more than $40,000 (£28,000) from the
investigation into the attack and repair work. He was sentenced to
three years' probation and ordered to pay $9,147 to his
ex-employer.
Slip.net's plight is far from unusual. In fact, even users most
associated with tight security standards such as the US Federal
Bureau of Investigation (FBI) and Chicago's O'Hare international
airport have been blind-sided by former employees. In a recent poll
of 531 major US users by San Francisco's Computer Security
Institute (CSI) and the FBI's Computer Intrusion Squad, 49%
reported incidents of "unauthorised access by insiders".
Meanwhile, with companies cutting jobs as the economic downturn
deepens, the incidence of sabotage is spiralling. "There is a
renewed threat from disgruntled employees in times of economic
downturn because more people are angered at losing their jobs,"
says Richard Power, editorial director at the CSI. Experts and law
enforcers advise users to increase their vigilance in line with the
potential threat from disgruntled ex-employees.
In San Francisco and Silicon Valley, mass lay-offs are creating
extra casework for the local branch of the Computer Intrusion
Squad. Supervisory special agent Peter Trahon says his team of nine
agents, the largest of 16 teams located across the US, is fielding
up to six cases a day arising from malicious attacks on firms by
former employees nursing grievances - only a fraction of which it
has the resources to pursue. The team is investigating between
eight and 12 cases out of the 60 it has on its books.
Trahon's squad is called on to probe a wide variety of cases.
"Recently, a disgruntled former employee intruded into the network
and sent disparaging e-mails about one individual to 50,000
employees across the company," he recalls. Other hacks include
denial of service attacks to bring down e-mail servers, stealing
customer lists and destroying data.
You can add theft of intellectual property to that list, says Kris
Hawarth, manager of consultant Deloitte & Touche's San
Francisco computer forensics laboratory. Investigations into
smuggling of confidential competitive information to rivals
account for 90% of her practice's workload. "Intellectual property
theft is the biggest threat because of its simplicity - $1m worth
of R&D can be transferred onto a floppy. Twenty years ago,
people had to walk out with a box," says Hawarth.
Sabotage by ex-employees is not normally difficult to crack, says
Trahon. "They are bright individuals, but they don't have a
criminal mindset and are a bit angry. Covering their tracks is
often an afterthought." However, in their determination to wreak
vengeance, former insiders inflict far more damage than a
disinterested, anonymous hacker.
In many cases, organisations leave themselves open through a basic
oversight. "Typically, the last person to be notified that a person
has been fired is the system administrator and they are the
gatekeeper to the crown jewels of the corporation," says Trahon.
System administrators need to be in the loop when lay-offs are
being made and advised of whose network access rights should be
terminated, he recommends.
A clearly-defined exit procedure for outgoing employees is the
cornerstone of any prevention policy, say the experts.
"Employees are increasingly asked to clear their desks out and are
escorted to the door by a guard - companies must do the same
process online. As well as being asked to give back the keys to the
office, employees need to hand in their keys to the electronic
office," says Power. This entails immediate closure of e-mail
accounts and network access.
As well as internal staff, external consultants working in-house
pose a risk if they feel they have not been properly reimbursed or
are otherwise aggrieved, says Trahon.
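The exit procedure described above, and the point that the system administrator must be told who is leaving, come down to a reconciliation between HR's leaver list and the account directory. The following is an added example, not code from the article or from any of the organisations it quotes; the record layouts, names and dates are constructed, and it stands in for whatever HR and directory systems a company actually runs. It also covers the case the Slip.net incident illustrates: a shared or test account whose password a leaver knew is not closed by disabling the leaver's own login, so it must be rotated.

```python
from dataclasses import dataclass


@dataclass
class Termination:
    """One HR record: who is leaving and their last working day (ISO 8601)."""
    person_id: str
    last_day: str  # ISO dates sort correctly as plain strings


@dataclass
class Account:
    """One entry from the account directory (hypothetical schema)."""
    username: str
    owner: str                          # person_id of the named holder, or "shared"
    enabled: bool
    holders: frozenset = frozenset()    # people who know this credential (shared/test accounts)


def offboarding_gaps(terminations, accounts, today):
    """Return (accounts_to_disable, credentials_to_rotate) for everyone whose
    last day is on or before `today`.

    Named accounts of leavers must be disabled. Shared or test accounts whose
    password a leaver knew must be rotated, because disabling the leaver's own
    login does nothing about credentials they still remember."""
    gone = {t.person_id for t in terminations if t.last_day <= today}
    to_disable = sorted(a.username for a in accounts if a.enabled and a.owner in gone)
    to_rotate = sorted(a.username for a in accounts if a.holders & gone)
    return to_disable, to_rotate


# Constructed sample data: no real people, accounts or systems.
TERMINATIONS = [
    Termination("e1001", "2001-03-30"),   # IT administrator, left last week
    Termination("c2007", "2001-04-15"),   # external contractor, leaves in two weeks
]
ACCOUNTS = [
    Account("jdoe", "e1001", enabled=True),
    Account("jdoe-adm", "e1001", enabled=True),
    Account("asmith", "e1002", enabled=True),
    Account("ccontract", "c2007", enabled=True),
    Account("test", "shared", enabled=True, holders=frozenset({"e1001", "e1002"})),
    Account("billing-svc", "shared", enabled=True, holders=frozenset({"e1003"})),
]

if __name__ == "__main__":
    disable, rotate = offboarding_gaps(TERMINATIONS, ACCOUNTS, "2001-04-02")
    print("disable:", disable)   # ['jdoe', 'jdoe-adm']
    print("rotate: ", rotate)    # ['test']
```

Run daily against the live HR feed and directory export: anything the check returns is an account that should already have been closed. Contractors belong in the same feed as staff, which is why the sample includes one; the check treats them no differently.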
Other security loopholes are unused programs on servers, adds
Trahon. Web servers often include file transfer protocol or e-mail
management systems, pre-installed by suppliers so the hardware is
ready to go for a range of purposes straight out of the box.
"Vulnerabilities escalate exponentially with these services," says
Trahon, who advises users to scan Internet protocol addresses for
additional programs running on servers.
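Trahon's advice to check servers for additional programs is, on the server itself, a comparison of what is actually listening against what the machine's role requires. The following added example is not from the article or from any tool it mentions: it parses the output of the Linux `ss -ltnp` command (the sample output below is constructed) and reports every listening service not on a per-role allowlist, so a pre-installed FTP or mail daemon on a web server shows up even though nobody asked for it.

```python
import re
from dataclasses import dataclass

_PROC_RE = re.compile(r'"([^"]+)"')   # process name inside users:(("name",pid=...,fd=...))


@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    address: str

    @property
    def exposed(self):
        """True unless the socket is bound to loopback only."""
        return self.address not in ("127.0.0.1", "::1")


def parse_ss_listeners(text):
    """Parse `ss -ltnp` output into Listener records (one per port/address)."""
    seen = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                         # header line or blank
        address, port = fields[3].rsplit(":", 1)
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        seen.add(Listener(int(port), process, address.strip("[]")))
    return sorted(seen, key=lambda l: (l.port, l.address))


def unexpected_listeners(listeners, allowlist):
    """Return listeners whose port is not in the allowlist, or whose port is
    allowed but served by a different process than expected.
    `allowlist` maps port -> expected process name for this server role."""
    return [l for l in listeners if allowlist.get(l.port) != l.process]


# Constructed sample: what `ss -ltnp` might print on a freshly installed web server.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1020,fd=6))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1101,fd=4))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=990,fd=13))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Allowlist for the "web server" role: only SSH for administration and HTTP.
WEB_ROLE_ALLOWLIST = {22: "sshd", 80: "nginx"}

if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss_listeners(SAMPLE_SS), WEB_ROLE_ALLOWLIST):
        risk = "network-exposed" if l.exposed else "loopback only"
        print(f"port {l.port}/tcp: {l.process} on {l.address} ({risk})")
```

On the sample this flags the FTP daemon on port 21 (reachable from the network) and the mail service on port 25 (loopback only, so lower priority). The allowlist is per role on purpose: the same check with a mail-server allowlist would accept port 25 and flag the web server instead.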
Firms need to be wise to the threat posed by security breaches,
says Trahon. "Sometimes, when a company is intruded upon, we end up
talking to a security person who doesn't know anything about IT,"
he says. End-users should be grilled on whether they shut down
their systems after use or regularly change their password, to
instill security awareness, suggests Power.
Much can be done to reduce exposure to the crippling financial,
operational and public relations blows that sabotage by ex-IT staff
can inflict. Failure to do so could make cost-cutting job lay-offs
a false economy.
Ex-staff wreak havoc on IT systems
September 2000
Former Federal Aviation Administration software engineer Thomas
Varlotta was convicted of stealing the only copy of the source code
for a vital program he co-developed for Chicago's O'Hare airport.
US federal investigators recovered the code, vital to fix glitches
in the automated system used to transmit information between
on-site and off-site air traffic control teams, from Varlotta's
house in June 1998, but took eight months to unscramble the
14-digit password the ex-IT staffer had encrypted it with.
December 2000
Joseph Durnal was ordered to pay Peak Technologies, where he had
worked as an IT contractor, more than $48,000 after being convicted
of hacking its computer systems. Durnal sent e-mails with
pornographic attachments, purportedly from management, telling
workers that the Columbia, Maryland-based logistics systems
integrator was going out of business.
February 2001
FBI counterintelligence agent Robert Hanssen was arrested for
allegedly stealing dozens of files from the
bureau's computer network and passing them to the former Soviet
Union and present day Russia over 15 years. Hanssen, described as a
"highly-skilled programmer", enjoyed access to the FBI's internal
network, containing its classified records of investigations,
throughout this period.