

10 Signs an Employee Is About to Go Bad

Worried that you might have an insider threat? Here are some warning signs

Three years ago next month, Roger Duronio, a systems administrator at UBS PaineWebber, planted a logic bomb in his company's systems that brought down nearly 2,000 servers on the company's nationwide trading network. Duronio, who had worked at UBS as a systems administrator for about three years, had become disgruntled when he found out that his annual bonus was going to be smaller than he'd expected.

Since that time, the UBS PaineWebber incident has become a case study in how unauthorized "insider" activity -- both malicious and accidental -- can lead to corporate disaster.

How can your company avoid becoming the next UBS PaineWebber? How can you ensure that employees aren't knowingly or unknowingly giving out the company jewels -- or planning to sabotage them? How can you secure your company's systems and data from those who are most likely to steal or damage them: your own employees?

The answer, of course, is you can't. There are no sure ways to prevent insider threats, and (short of locking every user out of the network) there is no foolproof way to eliminate the possibility of damage or theft from the inside.

That's the bad news. The good news is, after observing insider attacks for years, experts have developed some pretty good ways to help you spot such exploits in progress, or even before the damage is done. The following is a list of those hints and tipoffs, along with some recommendations on what to do if you see them. Keep an eye out for these warning signs among your user base -- you might just keep your company from becoming another UBS PaineWebber.

1. Frequent absences from work

It's counterintuitive, but one of the first indications that an employee is about to attack your on-premises systems is an increasing tendency to be off the premises.

Frequent absences -- unplanned vacations, frequent requests for medical leave, unexplained disappearances from a desk -- can indicate that the employee is distracted, disgruntled, or actively interviewing for another job. Disgruntled employees are the most likely to sabotage systems from the inside; workers who have accepted other employment are the most likely to sell or give data to a competitor.

Managers should have the guts to challenge absences that seem suspicious, according to Braun Consulting, a human resources adviser.

"When an employer obtains sufficient information to confront a suspicious leave request, it can have an important positive impact in more ways than one," Braun says in an online report. "In addition to an employee possibly being dissuaded from taking unnecessary leave, other employees will know that their employer will not permit unsubstantiated leave requests. Word will get around, and it may stop future attempts to abuse the system."

2. Changes in employee temperament

Strong emotions are often an indicator that an employee is under stress, experts say. A normally even-tempered employee who is overheard yelling, or becoming violent, may be a walking logic bomb. Similarly, a normally outgoing employee who isolates himself may be plotting an exploit -- or attempting to hide theft or other criminal activity.

Anger and depression are two of the chief reasons why employees seek to take action against their own companies, experts say. In many cases, the revenge requires some time and planning, and the employee may display abnormal, observable attitudes during this period.

IT people should report attitudes or mood swings that might indicate a problem with an employee, and they should keep an eye on the activities of such an employee as well. "There is a very real danger that if security is not careful, the employee can exhibit violent behavior," says Rob Enderle, principal analyst at the Enderle Group. "If hostility is the cause, escalation should be anticipated."

3. Unusual behavior in the office

"Humans are creatures of habit," notes RSnake, founder of ha.ckers.org. "Look for things that aren't in their day-to-day nature."

For example, if an employee habitually leaves the office at 5 p.m., then suddenly starts working late into the night, there's a good chance he may be doing something he doesn't want his colleagues to see, experts say. Similarly, if an employee routinely works late, then begins to leave at 5 p.m. on the dot, it may indicate that he has become disenchanted or is counting the days until he can land another job.

Employees who suddenly seem to be exploring unauthorized areas, or other users' offices, should also raise a red flag, observers say. These employees may be seeking out ways to access unauthorized data or bypass building security systems.

4. Frequent efforts to access unauthorized systems

While an increase in failed password attempts by an external user would typically be flagged by the security department, such an increase by an internal user might not even be noticed. Yet such trends could indicate potentially dangerous insider activity.

"If your security software is tracking an increase in failed password attempts, or sudden increase in requests for access to systems they haven’t needed before, take notice," Enderle says.

RSnake agrees. "If you see users looking at a large number of files or folders on shared drives -- especially outside of their own department -- that could be a big sign," he says. "If you see many queries from CRM systems attempting to dump data -- especially from customers that don't belong to that user -- they are probably trying to steal customer lists."


5. Changes in computer behavior or configuration

Insiders often engage in atypical computer behavior as they seek to share or sabotage sensitive information, and that behavior can sometimes be detected in routine scans of PC activity or configuration, experts say.

"If you see outbound FTP, it's highly likely that the user is uploading files somewhere," notes RSnake. "If you see the free space on the user's computer dramatically increase or dramatically decrease, it means they are either deleting personal information to cover their tracks, or they are downloading corporate information to take home."

Even if they don't routinely monitor end-user activity, IT organizations can spot these types of configuration changes with a simple PC audit, experts say.
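As an added illustration of signs 4 and 5 (example code, not from the article or the experts quoted), the following Python compares each user's recent activity with their own earlier baseline over constructed log events: a spike in failed logins, reads from another department's share, and outbound FTP are the signals described above. The log format, the rule thresholds, and the assumption that a share path `/shares/<dept>/...` identifies its owning department are mine.

```python
from collections import Counter, defaultdict

# Constructed sample events (day,user,dept,event,detail); not from the article.
LOG = """\
1,alice,sales,login_fail,
3,alice,sales,login_fail,
8,alice,sales,login_fail,
8,alice,sales,login_fail,
8,alice,sales,login_fail,
8,alice,sales,login_fail,
8,alice,sales,share_read,/shares/engineering/roadmap.docx
9,alice,sales,share_read,/shares/hr/salaries.xlsx
9,alice,sales,net_out,ftp:203.0.113.9
9,bob,engineering,share_read,/shares/engineering/spec.md
9,bob,engineering,login_fail,
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        day, user, dept, event, detail = line.split(",", 4)
        rows.append((int(day), user, dept, event, detail))
    return rows

def share_owner(path):
    # Assumed layout: /shares/<owning department>/...
    parts = path.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "shares" else None

def flag_users(rows, split_day, ratio=3.0, min_fails=3):
    """Compare each user's recent window (day >= split_day) with their own baseline."""
    base_days = split_day - 1
    recent_days = max(r[0] for r in rows) - split_day + 1
    base_fail, recent_fail = Counter(), Counter()
    reasons = defaultdict(list)
    for day, user, dept, event, detail in rows:
        recent = day >= split_day
        if event == "login_fail":
            (recent_fail if recent else base_fail)[user] += 1
        elif recent and event == "share_read":
            owner = share_owner(detail)
            if owner and owner != dept:  # browsing another department's share
                reasons[user].append(f"cross-department share read: {detail}")
        elif recent and event == "net_out" and detail.startswith("ftp:"):
            reasons[user].append(f"outbound FTP to {detail[4:]}")
    for user in set(base_fail) | set(recent_fail):
        base_rate = max(base_fail[user], 1) / base_days  # floor: a quiet baseline still gets a rate
        recent_rate = recent_fail[user] / recent_days
        if recent_fail[user] >= min_fails and recent_rate > ratio * base_rate:
            reasons[user].append(f"failed logins: {recent_fail[user]} in last {recent_days} days vs {base_fail[user]} in {base_days}")
    return dict(reasons)
```

Running `flag_users(parse(LOG), 8)` reports alice on all three signals and leaves bob, whose single failed login and same-department share read are ordinary, unflagged.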

6. Employee receives a bad performance review

IT people and HR people generally don't communicate on a regular basis, but in the case of a bad review, they probably should, experts say. Negative job feedback can be a "trigger event" that sends an employee off in the direction of revenge, says Enderle.

"Prudential Insurance Co. had an employee merely frustrated with his sense that he was underpaid," notes Sensei Enterprises Inc., a computer forensics and legal firm, in a recent report. "His revenge consisted of purloining electronic personnel files for more than 60,000 Prudential employees. He not only sold the information over the Internet, but incriminated his former supervisor in the theft."

IT organizations should observe the online behavior of an employee who has received a bad review, just as a supervisor should observe that employee's overall behavior in the office, experts say.

7. Employee exhibits signs of financial distress

You don't necessarily have to see a user's bankbook to see that he's worried about money, experts say. While some users may attempt to access gambling sites from work, others may simply talk excessively about money, or receive calls from collection agencies while in the office. A radical change in the car they drive or their place of residence could also be tipoffs.

Financially distressed employees are the most likely to be recruited to steal data or sabotage company systems, experts say. And don't count on ethics to prevent theft: According to a study published in October by Prefix Security, about 37 percent of the males surveyed said they believe it is acceptable to take database information and sales leads. The majority of the 1,000 respondents in the Prefix study admitted to stealing data or confidential documents, but many of those respondents do not perceive their actions as "wrong." (See Security's Rotten Apples.)

8. Office romance goes south

In a study conducted a few years ago by the American Management Association, 30 percent of the 391 managers interviewed admitted to dating a co-worker. Like it or not, office romance happens -- and hell hath no fury like a lover scorned.

There have been numerous instances in which an employee launched an email attack on another employee following a bad breakup, experts observe. Employees may also seek to access personnel files or other personal information in an effort to find out more about a love interest. Either way, IT should pay attention to any information it receives about employees who may be at odds with each other.

"Love won't seem to go away in the workplace, so our best alternative is to keep its negative consequences under control by having a policy that encourages a harassed employee to come forward," says Braun Consulting. "When they do, give prompt and appropriate responses to these situations as they arise."

9. Employee is terminated

It's not surprising that recently fired or laid-off employees constitute a large part of the insider threat. Terminated employees often have an emotional axe to grind against their former companies, and with no paycheck in sight, they have few disincentives to keep them from taking their revenge.

What might surprise you is how many of these terminated attackers come from the IT department. In a recent survey conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, enterprises reported that 86 percent of people who carried out insider sabotage held technical positions, and 90 percent had system administrator or privileged system access.

Only 41 percent of those who sabotaged IT systems were employed at the time -- the majority of the insider attacks took place after termination. In these cases, perpetrators kept their super-user and privileged access rights after being terminated. Once they were out the door, they often used their privileged system access to set up their attack, taking advantage of a lack of security controls and gaps in their organization’s access controls.

10. Employee voluntarily resigns

Employees who leave a company of their own accord sometimes have an axe to grind, too. An employee who leaves voluntarily might not be able to resist the temptation to leave a "surprise" for a disliked supervisor or co-worker. Or he may choose to impress his new employer by bringing a bit of intellectual property from his old shop.

"Employees like to take tidbits to their new employer," Enderle says.

In the case of any departing employee -- both those who have resigned and those who have been terminated unwillingly -- it makes sense to void all passwords and privileges, as well as any user accounts the departed may still be able to reach, experts say. Companies may want to rethink their processes and technologies for handling privileged passwords, which often account for the insider threat coming from terminated employees, they say.
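An added example, not from the article: a Python reconciliation that checks an HR departure list against directory accounts, privileged group membership, and shared credentials to surface the retained privileged access that signs 9 and 10 warn about. All data are constructed, and the rule that a shared secret is still exposed if it was last rotated before its holder's departure date is an assumption of the example.

```python
from datetime import date

# Constructed sample data (not from the article): HR departure dates,
# directory accounts, privileged group membership and shared credentials.
DEPARTED = {"alice": date(2021, 6, 1), "bob": date(2021, 6, 8)}
ACCOUNTS = {"alice": {"enabled": False}, "bob": {"enabled": True},
            "carol": {"enabled": True}}
PRIV_GROUPS = {"sysadmins": {"alice", "carol"}, "db_admins": {"bob"}}
# Shared/privileged secrets: who has used them and when they were last rotated
SHARED_CREDS = {
    "root@trading-db": {"known_to": {"alice", "carol"}, "rotated": date(2021, 5, 1)},
    "svc_backup": {"known_to": {"bob"}, "rotated": date(2021, 6, 9)},
}

def offboarding_gaps(departed, accounts, groups, creds):
    """Return (user, finding) pairs for access a departed user still holds.
    Assumption: a shared secret is still exposed if it was last rotated
    before the holder's departure date."""
    gaps = []
    for user, left in departed.items():
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            gaps.append((user, "directory account still enabled"))
        for name, members in groups.items():
            if user in members:
                gaps.append((user, f"still a member of privileged group {name}"))
        for name, cred in creds.items():
            if user in cred["known_to"] and cred["rotated"] < left:
                gaps.append((user, f"shared credential {name} not rotated since departure"))
    return gaps

if __name__ == "__main__":
    for user, finding in offboarding_gaps(DEPARTED, ACCOUNTS, PRIV_GROUPS, SHARED_CREDS):
        print(f"{user}: {finding}")
```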

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
