The problem of the internal "black hat" (a person intent on doing harm to a computer system) is not a new one. Many organisations choose to implement a system in which they escort staff from the premises when they are made redundant or fired, in order to reduce the risk of damage to systems or the unauthorised removal of sensitive information, writes Denis Edgar-Nevill, chairman, Cybercrime Forensics Specialist Group, BCS, Chartered Institute for IT.
Understanding the potential for harm is one matter; putting in place proactive processes and mechanisms to detect nefarious activity is quite another. We tend to trust people who deliver the goods and keep our systems running. The amount of trust placed in an individual is directly proportional to the risk we are exposed to.
One important thing to remember: everyone leaves a forensic footprint. As soon as you start interacting with computer systems, information is recorded in files and in logs kept by the operating system, and network events are date- and time-stamped. Attempts to manipulate forensic data (for example, resetting the computer clock) usually make the situation worse, only adding to the mountain of forensic data. Those who choose to steal or cause problems stand a good chance of seeing what they have done reconstructed. Even if the in-house skill to carry out forensic investigations does not exist, there are many companies that can do it.
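One illustration of the clock-reset point, added here as an example and not part of the original article: a small detector over constructed log lines (the `seq=`/`ts=` field layout and the events are assumed) that flags records whose wall-clock timestamp runs backwards relative to write order, which is precisely the extra trace a clock reset leaves behind.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (not real data). Each record carries a monotonically
# increasing sequence number assigned by the logging daemon in write order,
# plus the wall-clock timestamp read from the system clock at write time.
# Records 5 and 6 were written after the clock had been wound back a day.
SAMPLE_LOG = """\
seq=1 ts=2010-04-12T09:00:05 user=jsmith event=logon
seq=2 ts=2010-04-12T09:14:31 user=jsmith event=file_read path=/finance/q1.xls
seq=3 ts=2010-04-12T09:15:02 user=jsmith event=usb_mount dev=sdb1
seq=4 ts=2010-04-12T09:15:40 user=jsmith event=file_copy dst=/media/sdb1/q1.xls
seq=5 ts=2010-04-11T09:16:10 user=jsmith event=file_delete path=/finance/q1.xls
seq=6 ts=2010-04-11T09:17:00 user=jsmith event=logoff
"""

LINE_RE = re.compile(r"^seq=(\d+) ts=(\S+) (.*)$")


def parse(log_text: str) -> List[Tuple[int, datetime, str]]:
    """Return (seq, timestamp, rest-of-line) tuples ordered by sequence number."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        seq, ts, rest = m.groups()
        records.append((int(seq), datetime.fromisoformat(ts), rest))
    return sorted(records, key=lambda r: r[0])


def find_clock_regressions(records, tolerance_s: float = 0.0) -> List[Dict]:
    """Flag consecutive records whose timestamp moves backwards in time.

    Sequence numbers are assigned in write order, so a later sequence number
    carrying an earlier wall-clock time cannot arise from normal operation;
    the regression itself is evidence the clock was altered between writes.
    """
    findings = []
    for (s_prev, t_prev, _), (s_cur, t_cur, rest) in zip(records, records[1:]):
        delta = (t_cur - t_prev).total_seconds()
        if delta < -tolerance_s:
            findings.append({"seq_before": s_prev, "seq_after": s_cur,
                             "jump_seconds": delta, "event": rest})
    return findings


if __name__ == "__main__":
    for f in find_clock_regressions(parse(SAMPLE_LOG)):
        print(f"clock moved back {-f['jump_seconds']:.0f}s between "
              f"seq {f['seq_before']} and {f['seq_after']}: {f['event']}")
```

The `tolerance_s` parameter allows for small NTP corrections; only jumps larger than it are reported.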
But by the time most companies get to the point of performing computer forensic investigations, it is usually an after-the-event post mortem. There is no quick and easy, and above all cheap, solution to the internal threat. The first step is to recognise that it exists.
This was first published in April 2010