Site Security Planning

The Danger from Within

Outsiders do not pose the only threats to corporate resources on your intranet.

When developing plans for protecting new Web applications, there is a tendency to focus exclusively on securing data that will be transmitted past the firewall and across the Internet. However, evidence continues to show that security threats from inside organizations are most significant. While this may change somewhat with the advent of e-commerce and business-to-business applications, potential threats from inside your organization will require continuous attention if they are to be minimized. See the sidebar, “Information Systems Employee Seeks, Gets Revenge,” for an example of how one disgruntled employee caused long-term damage to a company’s vital intellectual property.

Information Systems Employee Seeks, Gets Revenge

In 1996, a disgruntled Information Systems employee of a U.S. manufacturer of measurement and control instruments planted a logic bomb on a company LAN. The bomb detonated ten days after the man had been terminated, wiping out the company’s research, development, and production software, including its backup systems. The company estimated the cost to recover the damage at $12 million (over the several years that would be required to redevelop the software).

The employee had been notified that he was to be terminated, but his network accounts had not been disabled until his termination date. He had ample time to plant the bomb before leaving the company. Had he wanted to do so, he could have opened a back door to the systems he used, which would have allowed him to commit further damaging acts.

This incident shows the need for creating and enforcing realistic security practices, in order to combat internal threats to assets. There is no way to guarantee that employees will not commit destructive acts. However, some policies and practices that could have helped minimize the risk of incurring damages (such as those just cited) include disabling employee access before termination, running antivirus software on each computer on the network, and monitoring the network to detect intrusive traffic. Because the employee, in this case, had root privileges to the systems on the network, the Information Technology team should have locked down all the systems he administered.

At a minimum, the following security policies should be in place, in order to avoid this kind of catastrophe:

Disable the accounts of employees upon their notification of termination. Do not wait until their termination date. In this case, the logic bomb had been planted before the employee was actually terminated, but after he knew termination was imminent.
Reinitialize security for systems that were under the terminated employees’ control. Continuously monitor these systems for security violations, such as back doors that are left open. Terminated employees often use these as reentry points.
Install and run antivirus software on each computer on the intranet.
Back up systems, applications, and data; deploy off-site storage for archival backups.