My apologies in advance for this being such a long post. 

I’ve held off commenting on the case of a disgruntled San Francisco administrator who was jailed for launching his own denial of service attack on his employer.  Initially the reason was that I didn’t want to make a post that simply repeated what everyone else was saying.   You see the Insider Threat is one that is personal to me.  My wife lost her job as a result of what was very likely the work of a malicious insider.  I’m interested in what motivates this type of individual, the patterns of behavior, and what companies can do to reduce the likelihood that a malicious insider can impact their business. 

I’ve spent the week or so since I heard of this most recent case reflecting on the insider threat and reviewing some research material that I’ve come across over the years.  I started a project a few years ago during my master’s program but have let it sit around since I graduated.  Now may be the time to dust off the research and revisit the topic.  This will be the first post in a multi-part series on the insider threat and how it might be managed within an organization.  But first my story:

When I first started in this business, my wife was able to get me a job with her company in the network support group.  We worked for a medium sized company in the Washington D.C. suburbs.  The support department was pretty small; only five people doing everything from answering the phone and running desktop support calls to server and infrastructure administration.  We were it so we did it all.  This is where I cut my teeth. 

Since no one else wanted the responsibility, I took over the firewalls, routers, and the security aspects of the company DMZ.  I learned a lot in those days and ended up getting a GIAC certification to fill in some of the gaps in my knowledge.  Things went well and when the company decided to migrate from Novell to Windows 2000 I was asked to prepare a security briefing for the IT steering committee.   My boss and I worked on a strategy to segregate the company’s information and control access via least privilege.  (Pretty standard really)  The problem is that we were shot down. 

The division heads wanted the free flow of information so that people could “collaborate.”  Everyone in their respective divisions could access any of the other work going on within the division and at times across divisions.  As work on various projects would ebb and flow, resources were transferred from one project to another and back again, which meant people needed access to different types of information.  The division heads did not want to disrupt their ability to do this. 

We explained that this situation was normal and that while our plan would restrict access it wouldn’t hamper anyone’s ability to do their work.  A request for a change in access could be responded to within one business day in most cases, two days in rare circumstances.   We were still denied – nothing should interfere with the work being done.   In hindsight I also think that they were uncomfortable with the fact that we could audit and track what was being done with their information.  This was an organization that grew up from a “mom and pop” type beginning and grew organically.  Everyone was trusted and any threat was perceived to be from outside. 

About four months prior to these discussions someone new showed up at work.  This was an individual who had worked as a subcontractor for the company on one short-term project and was known to a division head.  He just started showing up every morning, got someone to let him in, and squatted in an office.  Since the office wasn’t being used at the time he received permission to use that office.  They liked having him around “in case” work requiring his skills came up.   Let’s call him “Joe.”

“Joe” was a very nice older gentleman.  He was soft spoken and apparently well liked among the staff on that floor.  We found out that he wasn’t an employee when he called in a trouble ticket for his computer not being able to print.  The problem was that he didn’t have a login, thus he wasn’t able to map the print queue.  We reported this to our boss and when he went upstairs to investigate, the division head, a vice president, said we shouldn’t worry about it.  She apparently liked having staff that didn’t impact her overhead when they didn’t have work.  So we documented this and moved on.  “Joe” figured out how to map the printer directly so his issue was solved.  (We were running Windows 98 workstations that allowed guest access, and any device with an internal IP could surf the web.  Yup, we lost those battles too.  Again this was against corporate culture.)

Within a year “Joe” was hired on full time and worked on some projects in the same division as my wife.  As work would ebb and flow, he tried to get onto a few projects but apparently he had worn out his welcome because some projects preferred to work shorthanded rather than take him on.  Nothing much was thought about “Joe” really and I had all but forgotten about him.  After a few years I had progressed as far as I could and although I knew I’d miss my colleagues and the company it was time to move on.  I moved on to a systems integrator across town to start my new life as a consultant. 

A few months after I left, my wife and I found out that we were expecting our firstborn.  We were excited and began planning for the future.  My wife still worked at my former company.  She was the Deputy Project Manager for a multi-million dollar government contract.  The company was very family friendly and since the project was set up to pretty much run itself they agreed that it would be alright for her to step back from the project for a year and then come back.  We were overjoyed.  We trimmed our budget to the bare minimum so that we could save her paycheck.  We needed to have some savings if she was going to stay at home to raise our son the first year.  We made it eleven months, as our son decided to show up a month early.

While my wife was home with our son, the contract she was working on came up for its normal recompete.  The government had already awarded all of its option years and by law had to recompete it.  No one was concerned.  Everyone at the government agency loved the work that was being done as well as the people working on the project.  Everyone working with the federal government at the state and local level loved the work that was being done.  The company went into this recompete about as strong as any company could. 

Little did they know about what “Joe” was doing.  You see “Joe” was apparently upset that he wasn’t allowed to work on certain projects and that he wasn’t promoted into a senior management position.  He shared his frustration with management but when his concerns went unanswered he kept his feelings to himself. 

About the time the Request for Proposals (RFP) was released by the government, “Joe” resigned and went to work for another company in the next county.   Surprisingly enough, this same company bid against my wife’s company on the RFP although they had no previous experience doing that sort of work or working for this government agency.  Apparently they had the right answers because they were able to successfully win the RFP with a slightly lower bid.  Oh yeah, and while “Joe” wasn’t named on their proposal response, he ended up having a senior position on that account (according to unofficial sources from the government agency).

Coincidence?  Perhaps, but experience tells me that it was unlikely.  The resulting aftermath was that most of the people that worked on that project were laid off.  Had my wife still officially been on maternity leave they would have had to find something for her to do, but she had changed that status two months previously to “on-call” for a reason that escapes me right now.  Subsequently she was also laid off. 

Did “Joe” take valuable project information to his new company?  Honestly, no one will ever be able to prove it.  The principle of least privilege wasn’t followed when setting up access.  Everyone was pretty much given access to everything within the company.   The network group wasn’t allowed the resources to audit access to critical information.  There are any number of plausible scenarios but the one that has “Joe” copying all the proprietary information on the project then leaving for a position with a competitor who ended up being awarded the work is the most plausible. 

What triggers this sort of behavior?  I’m not sure anyone can say with certainty, but in the coming weeks I’ll explore this concept.  In Part Two I’m going to look at some research that has been conducted into the insider threat as well as how people act and learn in groups, in an attempt to build a basis for Part Three, which will deal with how these concepts can be applied to help an organization properly manage the insider threat.

One Response to “Insiders…. (Part One)”
  1. I once worked for a company that had an “open culture” like this. There was not much information that you could not get your hands on, if you wanted to. There were few places you could not get to, either, if you wanted to take a look around. It can be very hard to turn your back on the open culture, because a lot of people begin to identify with it. When more controls and limits began to be imposed over time, there was plenty of push back.

    The irony is that we never had trouble with employees running scams UNTIL after a lot of controls were put into place. They began to hire from the outside, rather than promote from within, in order to reinforce this new culture.
