Ignoring the insider threat

Insider attacks take many forms, so harden your internal controls.

As any auditor knows, internal fraud is as old as business itself. The classic case involves the secretary who is responsible for accounts payable as well as procurement. This person generates bogus invoices and pays them to bogus companies.

I have a friend in Chicago whose business was ruined this way. A law firm in Michigan lost millions of dollars to the Nigerian 419 scam because its secretary had access to the firm’s funds.

Modern accounting controls are supposed to prevent this kind of fraud, but the real danger is that controls are not keeping pace with technology. In fact, computers make the fraudster’s job easier.

In one recent case, a midlevel IT manager at the Canadian Defense Department created bogus orders that were funneled through a supplier to front companies from which he would get kickbacks. The point is that IT staffers are not above sneaking a buck out of the till now and then. Imagine the consequences if a developer or internal admin monkeys with the workings of your automated billing and receivables software.

Then there was the disgruntled system administrator who installed a time bomb at UBS that took out 2,000 servers while he bought short positions in the company’s stock. Just the assessment and remediation costs were reported to be $3.1 million. Losses from being unable to use systems at 400 branch offices for over a day were not reported.

The stock never tanked, so the guy’s plan failed, and now he is facing 30 years in prison. But the insider threat is real and, in fact, it has taken an ugly turn in recent months, with criminal elements recruiting employees to steal information.

This can take several forms. The simplest recruitment is over the Internet. A call center employee is approached with an offer to purchase credit card information. As he takes orders over the phone, he enters them into the order-processing system while simultaneously using an instant messaging system to send them to a middleman who sells them on the open market for identities.

The next level is where the employee is approached on the way to work and offered money in exchange for bank account information.

Then there is infiltration, where someone is recruited by a criminal organization to get hired into your company. If they are tech savvy and get an IT position, you could be facing a Trojan horse magnitudes more dangerous than a piece of malware.

Combating the real and present danger of abuse by insiders should be a top priority. The three keys to internal protection are monitoring, hardening and filtering.

1. By monitoring employee use of the network and applications, you are deploying the equivalent of security cameras that monitor tellers in banks. The knowledge that they are being watched is the best disincentive for malicious behavior. Netflow-based tools such as those provided by Mazu, Q1Labs, Lancope and Arbor Networks are the easiest to deploy and the most immediately valuable.

2. Hardening the internal network means starting to treat the inside as a hostile environment. Internal servers should be protected by firewalls, users should have limited abilities to download and install software that could be used for hacking, and vulnerability management should be ratcheted up a notch.

3. Finally, proactive filtering via internal network intrusion-prevention systems should be deployed to block port scans and hacking attempts. These systems can be used to block unusual behavior at the LAN switch.
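The monitoring and filtering points above rest on the same idea: flow records from the LAN switches reveal insider behavior that endpoint controls never see. Here is an added example, not code from the column or from any of the vendors it names, that runs two simple checks over constructed NetFlow-style records: a port-sweep detector (one source touching many distinct ports on one host) and a segment-egress check (a call-center workstation sending data to an external address on a port the segment's policy does not allow, the instant-messaging exfiltration case described earlier). The network ranges, the allowed-port list, the threshold of 25 distinct ports and all addresses are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (NetFlow-like: one record per src/dst/port tuple).
# All addresses, ports and byte counts are made up for this example.
SAMPLE_FLOWS = [
    # Call-center workstation doing normal work against the internal order system.
    {"src": "10.20.1.15", "dst": "10.10.5.2", "dport": 443, "proto": "tcp", "bytes": 48_000},
    {"src": "10.20.1.15", "dst": "10.10.5.2", "dport": 443, "proto": "tcp", "bytes": 51_000},
    # Same workstation pushing a large volume to an external instant-messaging port.
    {"src": "10.20.1.15", "dst": "203.0.113.40", "dport": 5222, "proto": "tcp", "bytes": 3_200_000},
    # An internal host touching 40 distinct ports on one server: port-sweep pattern.
    *[{"src": "10.30.7.9", "dst": "10.10.5.2", "dport": p, "proto": "tcp", "bytes": 60}
      for p in range(20, 60)],
    # Ordinary web traffic from that same host; a single port, so not a sweep by itself.
    {"src": "10.30.7.9", "dst": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 120_000},
]

# Assumed address plan: everything in 10/8 is internal, 10.20/16 is the call-center segment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CALL_CENTER_NET = ipaddress.ip_network("10.20.0.0/16")
# Assumed policy: the call-center segment may only reach external hosts on web ports.
CALL_CENTER_ALLOWED_EXTERNAL_PORTS = {80, 443}


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_port_scans(flows, distinct_port_threshold=25):
    """Return {(src, dst): port_count} for every source that touched at least
    `distinct_port_threshold` distinct destination ports on a single host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= distinct_port_threshold}


def detect_segment_egress(flows, segment=CALL_CENTER_NET,
                          allowed=CALL_CENTER_ALLOWED_EXTERNAL_PORTS):
    """Return {(src, dst, dport): total_bytes} for traffic from `segment` to
    non-internal hosts on ports outside `allowed`. Bytes are summed per tuple so
    the reviewer sees how much left, not merely that a connection happened."""
    totals = defaultdict(int)
    for f in flows:
        if (ipaddress.ip_address(f["src"]) in segment
                and not is_internal(f["dst"])
                and f["dport"] not in allowed):
            totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
    for (src, dst, port), total in detect_segment_egress(SAMPLE_FLOWS).items():
        print(f"call-center egress outside policy: {src} -> {dst}:{port}, {total} bytes")
```

Both checks are deliberately stateless per batch of records; a production deployment would run them over a sliding time window and keep the threshold and the allowed-port list in configuration rather than in code, since the right values depend on the segment's job.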

It is probably a good time to review internal controls at your organization. Rolling out a new layer of authentication could cut short any existing fraudulent operations. Strong authentication for any treasury function should be mandated.

An audit of existing controls, including a test of those controls, would be good. Internal controls should be in place to block the unwanted PC from connecting or the unwanted hacker program from executing.

Combating the internal threat is a matter of hardening inside controls and reducing the explicit trust granted to employees, contractors and vendors.

Stiennon is chief research analyst at IT-Harvest. He can be reached at Richard@IT-Harvest.com.


Copyright © 2006 IDG Communications, Inc.