10 Signs an Employee Is About to Go Bad

Worried that you might have an insider threat? Here are some warning signs

Tim Wilson, Editor in Chief, Dark Reading, Contributor

February 13, 2007

10 Min Read

Three years ago next month, Roger Duronio, a systems administrator at UBS PaineWebber, planted a logic bomb in his company's systems that brought down nearly 2,000 servers on the company's nationwide trading network. Duronio, who had worked at UBS as a systems administrator for about three years, had become disgruntled when he found out that his annual bonus was going to be smaller than he'd expected.

Since that time, the UBS PaineWebber incident has become a case study in how unauthorized "insider" activity -- both malicious and accidental -- can lead to corporate disaster.

How can your company avoid becoming the next UBS PaineWebber? How can you ensure that employees aren't knowingly or unknowingly giving out the company jewels -- or planning to sabotage them? How can you secure your company's systems and data from those who are most likely to steal or damage them: your own employees?

The answer, of course, is you can't. There are no sure ways to prevent insider threats, and (short of locking every user out of the network) there is no foolproof way to eliminate the possibility of damage or theft from the inside.

That's the bad news. The good news is, after observing insider attacks for years, experts have developed some pretty good ways to help you spot such exploits in progress, or even before the damage is done. The following is a list of those hints and tipoffs, along with some recommendations on what to do if you see them. Keep an eye out for these warning signs among your user base -- you might just keep your company from becoming another UBS PaineWebber.

1. Frequent absences from work

It's counterintuitive, but one of the first indications that an employee is about to attack your on-premises systems is an increasing tendency to be off the premises.

Frequent absences -- unplanned vacations, frequent requests for medical leave, unexplained disappearances from a desk -- can indicate that the employee is distracted, disgruntled, or actively interviewing for another job. Disgruntled employees are the most likely to sabotage systems from the inside; workers who have accepted other employment are the most likely to sell or give data to a competitor.

Managers should have the guts to challenge absences that seem suspicious, according to Braun Consulting, a human resources adviser.

"When an employer obtains sufficient information to confront a suspicious leave request, it can have an important positive impact in more ways than one," Braun says in an online report. "In addition to an employee possibly being dissuaded from taking unnecessary leave, other employees will know that their employer will not permit unsubstantiated leave requests. Word will get around, and it may stop future attempts to abuse the system."

2. Changes in employee temperament

Strong emotions are often an indicator that an employee is under stress, experts say. A normally even-tempered employee who is overheard yelling, or becoming violent, may be a walking logic bomb. Similarly, a normally outgoing employee who isolates himself may be plotting an exploit -- or attempting to hide theft or other criminal activity.

Anger and depression are two of the chief reasons why employees seek to take action against their own companies, experts say. In many cases, the revenge requires some time and planning, and the employee may display abnormal, observable attitudes during this period.

IT people should report attitudes or mood swings that might indicate a problem with an employee, and they should keep an eye on the activities of such an employee as well. "There is a very real danger that if security is not careful, the employee can exhibit violent behavior," says Rob Enderle, principal analyst at the Enderle Group. "If hostility is the cause, escalation should be anticipated."

3. Unusual behavior in the office

"Humans are creatures of habit," notes RSnake, founder of ha.ckers.org. "Look for things that aren't in their day-to-day nature."

For example, if an employee habitually leaves the office at 5 p.m., then suddenly starts working late into the night, there's a good chance he may be doing something he doesn't want his colleagues to see, experts say. Similarly, if an employee routinely works late, then begins to leave at 5 p.m. on the dot, it may indicate that he has become disenchanted or is counting the days until he can land another job.

Employees who suddenly seem to be exploring unauthorized areas, or other users' offices, should also raise a red flag, observers say. These employees may be seeking out ways to access unauthorized data or bypass building security systems.

4. Frequent efforts to access unauthorized systems

While an increase in failed password attempts by an external user would typically be flagged by the security department, such an increase by an internal user might not even be noticed. Yet such trends could indicate potentially dangerous insider activity.

"If your security software is tracking an increase in failed password attempts, or sudden increase in requests for access to systems they haven’t needed before, take notice," Enderle says.

RSnake agrees. "If you see users looking at a large number of files or folders on shared drives -- especially outside of their own department -- that could be a big sign," he says. "If you see many queries from CRM systems attempting to dump data -- especially from customers that don't belong to that user -- they are probably trying to steal customer lists."

To Page 2

5. Changes in computer behavior or configuration

Insiders often engage in atypical computer behavior as they seek to share or sabotage sensitive information, and that behavior can sometimes be detected in routine scans of PC activity or configuration, experts say.

"If you see outbound FTP, it's highly likely that the user is uploading files somewhere," notes RSnake. "If you see the free space on the user's computer dramatically increase or dramatically decrease, it means they are either deleting personal information to cover their tracks, or they are downloading corporate information to take home."

Even if they don't routinely monitor end-user activity, IT organizations can spot these types of configuration changes with a simple PC audit, experts say.

6. Employee receives a bad performance review

IT people and HR people generally don't communicate on a regular basis, but in the case of a bad review, they probably should, experts say. Negative job feedback can be a "trigger event" that sends an employee off in the direction of revenge, says Enderle.

"Prudential Insurance Co. had an employee merely frustrated with his sense that he was underpaid," notes Sensei Enterprises Inc., a computer forensics and legal firm, in a recent report. "His revenge consisted of purloining electronic personnel files for more than 60,000 Prudential employees. He not only sold the information over the Internet, but incriminated his former supervisor in the theft."

IT organizations should observe the online behavior of an employee who has received a bad review, just as a supervisor should observe that employee's overall behavior in the office, experts say.

7. Employee exhibits signs of financial distress

You don't necessarily have to see a user's bankbook to see that he's worried about money, experts say. While some users may attempt to access gambling sites from work, others may simply talk excessively about money, or receive calls from collection agencies while in the office. A radical change in the car they drive or their place of residence could also be tipoffs.

Financially-distressed employees are the most likely to be recruited to steal data or sabotage company systems, experts say. And don't count on ethics to prevent theft: According to a study published in October by Prefix Security, about 37 percent of the males surveyed said they believe it is acceptable to take database information and sales leads. The majority of the 1,000 respondents in the Prefix study admitted to stealing data or confidential documents, but many of those respondents do not perceive their actions as "wrong." (See Security's Rotten Apples.)

8. Office romance goes south

In a study conducted a few years ago by the American Management Association, 30 percent of the 391 managers interviewed admitted to dating a co-worker. Like it or not, office romance happens -- and hell hath no fury like a lover scorned.

There have been numerous instances in which an employee launched an email attack on another employee following a bad breakup, experts observe. Employees may also seek to access personnel files or other personal information in an effort to find out more about a love interest. Either way, IT should pay attention to any information it receives about employees who may be at odds with each other.

"Love won't seem to go away in the workplace, so our best alternative is to keep its negative consequences under control by having a policy that encourages a harassed employee to come forward," says Braun Consulting. "When they do, give prompt and appropriate responses to these situations as they arise."

9. Employee is terminated

It's not surprising that recently-fired or laid-off employees constitute a large part of the insider threat. Terminated employees often have an emotional axe to grind against their former companies, and with no paycheck in sight, they have few disincentives to prevent them from taking their revenge.

What might surprise you is how many of these terminated attackers come from the IT department. In a recent survey conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, enterprises reported that 86 percent of people who carried out insider sabotage held technical positions, and 90 percent had system administrator or privileged system access.

Only 41 percent of those who sabotaged IT systems were employed at the time -- the majority of the insider attacks took place after termination. In these cases, perpetrators kept their super-user and privileged access rights after being terminated. Once they were out the door, they often used their privileged system access to set up their attack, taking advantage of a lack of security controls and gaps in their organization’s access controls.

10. Employee voluntarily resigns

Employees who leave a company of their own accord sometimes have an axe to grind, too. An employee who leaves voluntarily might not be able to resist the temptation to leave a "surprise" for a disliked supervisor or co-worker. Or he may choose to impress his new employer by bringing a bit of intellectual property from his old shop.

"Employees like to take tidbits to their new employer," Enderle says.

In the case of any terminated employee -- both those who have resigned and those who have been terminated unwillingly -- it makes sense to void all passwords and privileges, as well as user accounts that the departed may be able to hack, experts say. Companies may want to rethink their processes and technologies for handling privileged passwords, which often account for the insider threat coming from terminated employees, they say.

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights