Revenge of the nerds

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Hell hath no fury like a computer geek scorned. So warn the U.S. Secret Service and the U.S. Computer Emergency Readiness Team (CERT) in their Insider Threat Study, released this month.

Current or former employees or contractors with administrator-level access and a grudge can wreak havoc on companies' networks, the study found.

"The power of system administrators should not be underestimated: Almost all of the insiders in this study were granted system administrator or privileged access when they were hired," the report states. "Because of their elevated access level, they have the ability to cause catastrophic system failure or gradually compromise system or data confidentiality, integrity or availability over time."

The report aims to enhance agencies' and companies' ability to identify would-be assailants before they attack. It also discusses ways to enable network administrators to defend their databases and other programs when attacks occur.

The study looked at 49 insider attacks in critical infrastructure sectors from 1995 to 2002. The report states that 59 percent of attackers were former employees or contractors, and that 86 percent of them had been fired or resigned from their positions.

A negative event at work, such as a firing, demotion or dispute with a co-worker, instigated 92 percent of the attacks, the study found. Revenge was a primary motive in more than four out of five incidents.

A telling statistic from the report is that 61 percent of the attacks did not use high-tech means but instead exploited existing vulnerabilities in the systems or physical attacks, said Matt Doherty, special agent in charge of the Secret Service's National Threat Assessment Center. "It doesn't take a lot of tech savvy to do a lot of damage to a system," he said.

Organizations need a comprehensive security framework, including policies, procedures, hardware and software, to prevent attacks and analyze their aftermath when they occur, the report states.

The authors recommend that managers know when employees have negative incidents. They also advise managers to set up grievance procedures and other policies that foster constructive conversations with employees and help defuse potential attacks.

They also recommend offering security awareness training that teaches employees to recognize malicious insiders by their behavior. The authors conclude that organizations should:

Barring computer access to angry departees is easier said than done, said Dawn Cappelli, one of CERT's principal contributors to the study. Organizations must be vigilant at all times, not just when a problem employee leaves, she said.