Secret Service: Inside Attacks Generally Launched By Problem Employees

Brian Robak, a network security analyst at National Cooperative Bank, used to manage the company's help desk workers back when he was the LAN manager. Being a manager is never an easy chore, but there was one employee who generally made his job a nightmare.

Robak says he was reluctant to take the management position in the first place because of this one woman who was hired to lead the help desk. Far from being a leader, she was the epitome of the problem employee. She had a bad attitude, he says, and apparently felt no qualms about displaying it. Assigned the task of being a liaison with the users at the bank, Robak frequently had to deal with complaints that she would end a conversation with a user by cursing about them and slamming the phone down. The cursing part came while the user was still on the line.

Robak says the problems started about six months into her tenure at National Cooperative and she continued to work there for about another three years.

"She was a beast," he says. "And she was even worse to other technical people when she'd have to talk to them on the phone." Robak says she got into a screaming match with him over summer hours, loudly informing him that he wasn't the boss of her. The help desk manager's own boss had to come running to deal with the situation.

This behavior didn't get her fired, however. The bank had a policy of working with employees and trying really hard to iron out bad situations. They offered her free conflict-management counseling.Ultimately, she was caught giving her friends in the bank higher levels of access than they were supposed to have. A domain administrator, the woman had full access to all of the bank's workstations and servers. She changed access rights for her pals, allowing them to bypass the Web proxy used to restrict access to objectionable Web sites. Ignoring company security policies, she even allowed her friends to download prohibited software, potentially opening the network up to virus and hacker attack.

The woman eventually left to take another job. "As her manager, I was genuinely concerned that she was putting our network in danger," says Robak, adding that late in her time at the bank he restricted her server access.

Robert Sica, special agent in charge at the U.S. Secret Service, would contend that the bank got off easy. It could have wound up going very badly, as it has in other situations, where a disgruntled insider has caused major systems or network damage.A full 80% of people who launch a computer-related attack on their own company's system had been problem employees, according to the Secret Service, which divides its time between protecting state officials and investigating financial crimes. A study of insider attacks shows that the people behind the schemes had previously exhibited what Sica calls concerning patterns of behavior--aggression in the workplace, insubordination, and hostile speech with coworkers and supervisors. (See related story, "Study Highlights Insider Threats.")

"These people are generally not your best employees," says Sica. "What we're finding is that there are behavioral markers being laid down that management and coworkers might be able to pick up on and potentially prevent an insider from acting."

And there's been anecdotal evidence to back up what Sica is saying.This summer, a former systems administrator was found guilty in U.S. District Court for planting a software time bomb back in 2002 that took down about 2,000 servers inside UBS PaineWebber. Months before the attack was launched, Roger Duronio's supervisor told him that the company was struggling after Sept. 11 and none of the employees should expect big bonuses that year. His manager testified that Duronio was upset at the news and complained loudly and often about his money troubles and the fact that his anticipated $50,000 bonus was going to fall short.

As part of what prosecutors called a vengeful, money-making scheme, Duronio built the destructive code and pushed it out to UBS servers across the country. Before he set off the attack, he bought put options against the company which would only pay out if the UBS stock dropped in price. His plan centered around the security incident driving down the company's stock price " so he could cash out.

Duronio wasn't the first disgruntled employee to plant a time bomb to take down his company's network.

Six years ago, Tim Lloyd was tried in the first federal criminal computer sabotage case. Lloyd, a former network administrator at Omega Engineering Corp.'s Bridgeport, N.J. manufacturing plant, was convicted of launching a very similar attack on that company. Lloyd had been with Omega Engineering for 11 years, even building the company's computer network. But as the company grew into a global corporation, Lloyd saw his clout diminish. He was no longer the big fish in the little pond. And it made him angry. He began causing problems, bottlenecking projects and even elbowing a coworker.

Lloyd ultimately planted malicious code that wiped out Omega's key manufacturing programs, a serious problem for a company that builds measurement and instrumentation devices for NASA and the U.S. Navy. The attack cost the company more than $10 million and led to 80 layoffs.

Kevin O'Dowd, an Assistant U.S. Attorney, sees these kinds of corporate attacks becoming more common."It's fair to say that as companies become more dependent on technology and computers are more part of our daily lives, the growth of computer crime is inevitable," says O'Dowd, who is chief of the commercial crimes unit in Newark, N.J. "To think otherwise is nave. It's a question of how we're going to fight it."

Sica says the first step to countering inside attacks is to recognize the problem when it's coming head-on toward you.

"It's surprising the amount of companies where these behaviors are noticed and not dealt with," he says. "People say that's just the way someone is. He has a quirky side to him, and that quirkiness goes unaddressed. But that behavior maybe one of those markers we're talking about." And with 62% of attacks being planned in advance, managers shouldn't ignore clues that trouble might be brewing.

Sica says managers should keep an eye on employees who complain of financial trouble, or are consistently late for work or absent altogether. Managers also should closely monitor employees who fight with coworkers or supervisors, and are insubordinate. Also beware of employees who are aggressive either verbally or physically.

The real markers are not one-shot deals, Sica emphasizes. If an employee is late to work one day and complains about being short in his checking account, it might not necessarily be time to shut down his network access. But if any of these behaviors become a pattern, then it's time to go to HR, address the concerns with the worker, begin to monitor his movements on the system, and consider pulling back on his network access."Companies need to really hold managers accountable to doing exactly that," says Sica. "Processes need to be in place and managers need to have training in how to pursue this It has to be cultural. It's something you nurture. Awareness is the answer."

Back at the National Cooperative Bank, Robak says he's more alert for employees who could go from bothersome complainers to people capable of causing real damage to the system, and to the business.

"I would try to rein someone in earlier," he says. "I follow the bank's policy of giving the benefit of the doubt and working hard with the problem employee to solve their issues, but now I'm working security and it's my job to trust no one."