When most people think of computer security, they think of malware, viruses, and malicious outsiders trying to break into networks. Unfortunately, there's just as much danger on the inside of the company firewall as from outside. Unconvinced? We have five examples of damaging and embarrassing insider attacks from the past decade that should change your mind.
Not all attackers steal data — some just want to do damage. The UBS PainWebber case is one example of an attack designed to disable the company rather than gain information.
Roger Duronio was sentenced to 97 months for planting a "logic bomb" that took down as many as 2,000 servers around the country in UBS PaineWebber offices. This meant that the company was unable to make trades for up to several weeks in some offices and the company reported a cost of $3.1 million to recover from the attacks. It's unknown how much the company lost in business during the time its networks were disabled.
Insider from Outside
Sometimes an insider attack isn't committed inside the company at all — but by contractors given access to the company network. Consider the case of leaked British bank accounts from call centers in India.
According to the report, as many as 200,000 bank accounts were compromised by a call center in Pune, India. Officials were quick to note that "offshoring" was not the issue, but the way that the company handled security. At any rate — companies should be very careful in allowing access to sensitive data by contractors.
If you haven't been hiding from the news for the past few years, you've no doubt heard of Terry Childs. Childs was a system administrator for the city of San Francisco. According to reports, Childs changed network passwords to the FiberWAN system that carried the majority of network traffic for the San Francisco city government.
In 2008, Childs refused to provide the passwords to his supervisor saying he was "unqualified" to have access. The incident didn't end well for Childs, who has been sentenced to four years in state prison for the hack. It didn't do much for the city of San Francisco, either — which claimed it cost $900,000 to try to regain control of the network over the 12 days that it was locked out. Not to mention the black eye the city received in the press over its lax security.
The Athens Affair
Not all insider attacks are solved, but what IEEE Spectrum has dubbed "The Athens Affair seems likely to have been an insider attack. According to reports, more than 100 government officials, dignitaries, and employees of the U.S. embassy in Greece were caught out by an insider attack.
How? Cell phone tapping carried out by a subversion of the Vodafone Greece telephone network. It's unknown what, exactly, was learned by the attack — but it was clear that the attack gave access to quite a few government officials' conversations, and possibly access to government secrets. This was discovered in March of 2005, and was considered one of the biggest insider attacks on a government — until Wikileaks.
Wikileaks: Bradley Manning
Some people are big fans of Wikileaks, others not so much — but there should be little disagreement that it was a major illustration of how not to secure sensitive documents.
Bradley Manning had access to the Department of Defense's Secret Internet Protocol Router Network (SIPRNet), and accessed material from the network and passed it to Wikileaks. How much material? According to Wired about 260,000 classified diplomatic cables. What's scarier? Manning had access to the networks and managed to smuggle the data out on CD-RWs that he brought into his post. If the physical and network security for the Department of Defense is that weak, it should make businesses think about their security.
Much of the press coverage given to computer security is focused on external attackers — for a number of reasons. Internal attacks may never be discovered, or reported if they are. Unless a company is required to disclose a breach, it may choose to deal with the attacker by firing, disciplining, or tightening up security to keep former employees out.
Many external attacks are wider scale and draw more attention. And, unlike insider attacks, are probably more likely to be reported to the authorities — which also draws the attention of the press.
Most employees are not out to harm their employer. However, there's no way to ensure that's the case with all of an organization's employees — so the best practice is to be cautious and take the appropriate steps (see SANS Protecting Against Insider Attacks (PDF) to mitigate and detect insider attacks).