• United States

Filching files from within

Mar 01, 20043 mins

Revenge is one reason employees misuse and abuse systems. The most common motivator behind the inside job is a sense of entitlement, experts say.

Revenge is one reason employees misuse and abuse systems, as was the case when Kenneth Patterson, former data communications manager for American Eagle Outfitters, disabled his company’s ability to process credit card purchases for the first five days of the holiday shopping season in 2002. But the most common motivator behind the inside job is a sense of entitlement, experts say.

“The threat from inside is not just disgruntled employees wanting to get even,” C&W’s Neal says. “Businesses have always had what you could call shrinkage. Employees rationalize stealing pencils, paper clips and bottles of Coke. But with digital assets stored in computers, this process becomes more impersonal, repeatable – and scalable. Now you can steal a case of pencils instead of a box of pencils, metaphorically speaking.”

So strong is this feeling of entitlement that employee theft of data makes up about 75% of the cases investigated by Anton Litchfield, director of forensics consulting services for NTI, an electronic evidence discovery firm.

For example, last summer a vice president of sales for a stock analysis firm quit to go to a competitor. But before she left, she copied the customer database to take with her.

Suspicions were raised when one of her co-workers told his network manager that he’d seen a Windows dialog box copying large files to a folder on her home computer the week before she left – while nobody was at her desk. She’d accessed her office computer from her home computer using GoToMyPC.


Profile 3:

Create network accounts for themselves and their friends.
Access accounts and applications they wouldn’t normally use for their daily jobs.
E-mail former and prospective employers.
Conduct furtive instant-messaging chats.
Visit Web sites that cater to disgruntled employees, such as f’
Perform large downloads and file copying.
Access the network during off-hours.
Enforce least privilege, only allowing access to the resources employees need to do their job.
Set logs to see what users access and what commands they’re putting in.
Protect those resources that are most important with strong authentication.
If you see someone accessing something they shouldn’t, have that person’s manager discuss it with the employee to deter future bad behavior.
Upon termination, delete all computer and network access.
When employees leave the company, make a mirror image of their hard drive before reissuing it. That evidence might be needed if your company information turns up at a competitor.

That’s when the network manager contacted NTI.

“Through forensics analysis of her home computer, her office computer and the network logs, we were able to prove that she’d accessed those files from home and copied them onto her home computer just before she quit,” Litchfield says. “But if that employee hadn’t seen her computer copying those files, nobody would have been the wiser.”

In cases of both a disgruntled employee causing damage or one who feels entitled to steal, you won’t see much digital evidence of a crime, Neal says. That’s because they already have the access and the insider knowledge. For example, in the American Outfitters case, for which Patterson was sentenced to 18 months in prison in December 2003, he used his own password to access the system and cause the damage. The female vice president also used her own remote logon program to get to the files she downloaded.

Main | Next: Adrian Lamo: Profiling network administrators