Vulnerabilities / Threats
5/16/2012
11:50 AM
Connect Directly
RSS
E-Mail
50%
50%

5 Ways To Lose A Malicious Insider Lawsuit

Making the case against an insider takes preparation and proactive work with HR and legal. Consider this expert advice to make sure you're ready.

When the worst-case scenario strikes and a malicious insider does damage to an organization, be it by theft or sabotage, legal recourse may be in order. But if IT doesn't prepare in advance to cooperate with human resources and legal, the civil or criminal case against a bad former employee may be doomed from the start.

According to security and legal experts, failing to cover your legal bases before presenting your case to judge and jury can effectively give the defendant that proverbial "get-out-of-jail-free card" and leave your organization without much leverage at all.

Here are some of the most common ways that enterprises tend to blow their cases against malicious insiders.

1. Don't Make Employees Sign A Contract or Policy
According to Damon Petraglia of Chartstone, one of the most common civil cases he's brought in to help forensically investigate is when employees steal information from their employers or do something inappropriate with technology. In order to make a case against such an employee, it is important to not only prove they stole or did something wrong, but that they had intent.

"If you want to fire someone or you want to sue someone, you have to prove that they had intent to do something malicious. Just because I installed something on my computer, it doesn't really prove I did something malicious," said Petraglia, director of forensic and information security services for Chartstone. "A lot of times, when I'm looking at something forensically, a company will not have any policy in place that says you cannot do something. That makes it very difficult to prosecute or to fire someone."

This is where signed acceptable use policies and confidentiality agreements are key. While signing such a document might seem like a mere formality when employees or contractors are brought in, their existence can make or break a case when things go wrong.

"If I were advising someone that has confidential information, data, or technology, I'd say the most important thing to do is have agreements with your employees that make it clear that there is confidential information that limit the employees' ability to use that information, and to prevent the employees from taking it or disclosing it to anyone else," said Jim Davis, partner at Dallas, Tex.-based law firm Klemchuck Kubasta.

Read the rest of this article on Dark Reading.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

CVE-2014-4511
Published: 2014-07-22
Gitlist before 0.5.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file name in the URI of a request for a (1) blame, (2) file, or (3) stats page, as demonstrated by requests to blame/master/, master/, and stats/master/.

CVE-2014-4911
Published: 2014-07-22
The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.