Instances of theft and malicious attack are rising with employee discontent. What can your organization do to stop them?

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 4, 2008

8 Min Read

Rene Rebollo was strapped for cash. One day, while working in his office at the Pasadena branch of Countrywide Home Loan, he noticed one computer in the building whose USB port hadn't been disabled by the company's IT department. Then, according to FBI affidavits, Rebollo got an idea.

Every Sunday night for approximately two years, Rebollo went over to that workstation and downloaded confidential data on as many as 20,000 Countrywide customers to a small USB drive that he could carry out of the office in his pocket. He then sold the valuable data for as little as $500 to an accomplice, who fenced it. Over the two-year period, Rebollo may have sold as many as 2 million records, according to some estimates.

Rebollo's case, which caused a nationwide stir and a huge black eye to Countrywide, was highly publicized but hardly unique, experts say. In fact, as the global economy worsens and employees become more fearful of layoffs and financial distress, there already is an increasing incidence of insider sabotage, espionage, and theft.

In a report scheduled for release later today, IBM's ISS X-Force research team will reveal that it has detected a 30 percent increase in network and Web-based security events in the past 120 days, with the total number rising from 1.8 billion per day to more than 2.5 billion worldwide. The researchers attribute a significant portion of the uptick to insider activity motivated by economic fear.

"Unlike a 'quick firing,' tens of thousands of employees are readying themselves for the eventuality of losing their jobs -- and no doubt a high percentage of them [will be] 'disgruntled,'" said IBM security expert Gunter Ollmann in a blog earlier this year. "In today's computer-based work environment, with a little planning and forethought, a disgruntled employee can do a lot of damage with little fear of being caught and prosecuted."

And employees are becoming more and more willing to do just that, according to a study released earlier this week by Cyber-Ark Software. According to the study, 56 percent of workers surveyed admit to being worried about losing their jobs. "Alarmingly, in preparation, more than half have already downloaded competitive corporate data and plan to use the information as a negotiating tool to secure their next post," the study says. In Holland, 71 percent of workers confessed to having already downloaded data; 58 percent of U.S. workers say they have done so.

When confronted with the prospect of layoffs, 71 percent of the employees surveyed declared they would definitely take company data with them to their next employer, Cyber-Ark says. "Top of the list of desirable information is the customer and contact databases, with plans and proposals, product information, and access/password codes all proving popular choices," the study says.

Such surveys offer a frightening view of what's going through employees' minds in the face of economic strife. But are these insider attacks really happening? "Absolutely," says Kevin Rowney, founder of the data loss prevention (DLP) unit at Symantec, formerly known as Vontu. "Every day we're stopping more and more of these sorts of events -- many more than we saw before the downturn. It's a sad fact that rates of employee fraud rise in a down economy."

Most of the economically motivated insider attacks are not particularly sophisticated or even well-thought-out, Rowney says. "In general, these are crimes of passion committed by employees who are angry or scared," he explains. "These are not people who are sophisticated in IT, developing super-sneaky ways of stealing or sabotaging data without being detected. They're people who are under pressure, or who are mad and seeking vengeance, and they make a large cluster of bad decisions. In most cases, these are fairly obvious activities that can easily be detected if you have the right tools in place."

But what are the right tools for mitigating the growing insider threat? The most obvious answer is DLP, which has become synonymous with insider threat prevention in the past year or so. Virtually every major security vendor -- including EMC/RSA, IBM, McAfee, and Symantec -- has developed a DLP strategy, mostly through technologies they've acquired from smaller vendors. The strength of DLP is its ability to discover user-defined sensitive data, and then apply policies for protecting it.

"The biggest problem for most companies is that they don't know where all of their sensitive data might be," says Katie Curtin-Mestre, director of product marketing at RSA. "We've seen clients that think they have only one instance of a database, and then through the discovery process, they find that there are 18 unauthorized copies of the data spread around the enterprise. These companies are in no position to leverage policies and controls because they don't know where the data is."

"What DLP allows you to do is to set high-level policies that can be applied quickly and uniformly across the enterprise," adds Rich Mogull, founder and principal analyst at Securosis, a security consulting firm. "It lets you take sensitive accounting data and say, 'If you're not in accounting, you can't access this data.' It's a simple concept, but it's something that companies really haven't been able to do before."

Most companies implement DLP by identifying their most sensitive information -- the kind of data that could damage the business if it leaked out -- and then using DLP to discover that data and build controls around it, Rowney says. By constructing policies and defenses that are based on data content -- rather than infrastructure, such as servers or applications " companies have a better chance of keeping their most valuable data out of the hands of disgruntled or newly-terminated employees.

"In times like these, no large enterprise should go through a RIF without some sort of content-aware technology in place," Rowney says.

But even most DLP vendors concede that DLP technology alone may not catch all of the potential threats posed by angry or avaricious employees. DLP systems can't detect employees who photocopy sensitive documents, for example, or use their cell phones to take pictures of documents or computer screens. "There's no silver bullet for this stuff," says Curtin-Mestre. "The super-devious are probably going to get away with it."

But Rowney argues that most disgruntled employees aren't thinking that clearly. "In most cases, they're going to use the systems they know, and the ones that are most efficient," he says. "Photocopiers and cameras aren't a high-bandwidth means of theft."

DLP may help protect the company's most sensitive data, but it doesn't necessarily close off all avenues of access, some experts noted. Kurt Johnson, vice president of corporate development at identity management technology vendor Courion, pointed out that many companies suffer from poor access administration, leaving themselves open to insider theft or sabotage by failing to terminate accounts and passwords that are no longer needed.

"In a recent engagement we did, we discovered about 50,000 user IDs, but 15,000 of them were orphaned accounts that belonged to business partners and ex-employees," Johnson recalled. "We've seen instances where temporary seasonal employees were brought back the next year, and they were immediately able to get back into the system " their accounts had never been turned off."

Such lax account administration can wreak havoc in a mass layoff, such as those seen recently at large financial institutions, where employees may have access privileges to many systems and applications that all need to be turned off simultaneously, Johnson observed. "It's a nightmare for the IT organization, particularly if they don't have a comprehensive system that tracks all of their IDs and accounts," he says. "They may think they've shut down all the accounts, but they haven't."

To eliminate these vulnerabilities, enterprises may need a combination of identity management tools and DLP, experts said. The joining of these two technologies may be accelerated significantly with the integration of Microsoft's identity management tools and RSA's DLP technology, which is being announced today.

Aside from identity management and DLP, many enterprises are taking a renewed interest in employee monitoring technologies, such as NetVizor, StaffCop, and St. Bernard, as well as log analysis, anomaly detection, and behaviour monitoring tools that detect unusual patterns of system usage or large volumes of data downloads.

"Realistically, it's going to take a combination of DLP with other defense in-depth tools to really get a handle on the insider threat," says Curtin-Mestre. "[At RSA], we're combining DLP with security information and event management, which can alert the security team of anomalies and unusual behaviour while it's happening."

Companies are making some progress in reducing the insider threat, according to the Cyber-Ark survey. Seventy-one percent of users in the UK believe it's becoming harder to take sensitive information out of the company, and 46 percent of respondents in Holland agreed. Yet in the US, the message still isn't getting through -- only 38 percent of respondents said they find it difficult to sneak information away from the company.

"The damage that insiders can do should not be underestimated," says Adam Bosnian, vice president of products, strategy and sales at Cyber-Ark. "With a faltering economy resulting in increased jobs cuts, deferred promotions and additional stress, companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees."

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights