Vulnerabilities / Threats
5/16/2012
11:50 AM
Connect Directly
RSS
E-Mail
50%
50%

5 Ways To Lose A Malicious Insider Lawsuit

Making the case against an insider takes preparation and proactive work with HR and legal. Consider this expert advice to make sure you're ready.

When the worst-case scenario strikes and a malicious insider does damage to an organization, be it by theft or sabotage, legal recourse may be in order. But if IT doesn't prepare in advance to cooperate with human resources and legal, the civil or criminal case against a bad former employee may be doomed from the start.

According to security and legal experts, failing to cover your legal bases before presenting your case to judge and jury can effectively give the defendant that proverbial "get-out-of-jail-free card" and leave your organization without much leverage at all.

Here are some of the most common ways that enterprises tend to blow their cases against malicious insiders.

1. Don't Make Employees Sign A Contract or Policy
According to Damon Petraglia of Chartstone, one of the most common civil cases he's brought in to help forensically investigate is when employees steal information from their employers or do something inappropriate with technology. In order to make a case against such an employee, it is important to not only prove they stole or did something wrong, but that they had intent.

"If you want to fire someone or you want to sue someone, you have to prove that they had intent to do something malicious. Just because I installed something on my computer, it doesn't really prove I did something malicious," said Petraglia, director of forensic and information security services for Chartstone. "A lot of times, when I'm looking at something forensically, a company will not have any policy in place that says you cannot do something. That makes it very difficult to prosecute or to fire someone."

This is where signed acceptable use policies and confidentiality agreements are key. While signing such a document might seem like a mere formality when employees or contractors are brought in, their existence can make or break a case when things go wrong.

"If I were advising someone that has confidential information, data, or technology, I'd say the most important thing to do is have agreements with your employees that make it clear that there is confidential information that limit the employees' ability to use that information, and to prevent the employees from taking it or disclosing it to anyone else," said Jim Davis, partner at Dallas, Tex.-based law firm Klemchuck Kubasta.

Read the rest of this article on Dark Reading.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.