Some say a San Francisco network administrator charged with holding the city's FiberWAN hostage underscores the threat insiders can pose. But is the damage done by rogue employees more myth than reality?
When reports of a disgruntled network administrator locking his
co-workers out of San Francisco's
new FiberWAN first touched my ears, the first thought that raced through my
the word "wow"-was that this was a clear example of how an insider can
potentially bring IT operations to a screeching halt.
Childs, 43, pleaded not guilty
today, July 17, to four counts of
computer tampering. His arrest earlier this week set off both an explosion
of media coverage and discussions about the importance of keeping an eye on the
people keeping an eye on corporate networks.
But the difficult thing about discussing insider threats
is getting a grasp on just how much of a threat they actually are.
For example, a CA-sponsored study conducted by The Strategic Counsel and
released today reported that 44 percent of the 500 respondents identified
internal breaches as a key security challenge over the 12 months preceding the
survey, up from 42 percent in 2006 and just 15 percent in 2003.
Conversely, the number of respondents reporting virus attacks in the 2006
and 2008 surveys decreased from 68 percent to 59 percent, network attacks from
50 percent to 40 percent, and denial-of-service attacks from 40 percent to 26 percent.
"The potential aftershocks of an internal breach have the attention of
both the business and the IT organization. And for enterprise
organizations the priority has now shifted from reactive to proactive security
strategies to deal with this threat," Lina Liberti, vice president of CA
Security Management, said in a statement.
However, The Strategic Counsel study flies in the face of a report released in
June by Verizon. According to the study,
only about 18 percent of the more than 500 forensics
engagements handled by the Verizon Business Investigative Response team from
2004 to 2007 were due to insider breaches. Some 73 percent were due to external
threats, and the rest came from business partners.
Still, the median size of confidential records revealed in insider
breaches was roughly 10 times larger than in the case of external breaches
covered by the Verizon study.
"We have an old tradition in the IT industry of using trust in the
administration of systems," said Jeff Nielsen, senior product manager at
Symark International. "It most likely developed over the years from
operating systems like Unix where there is an all-powerful super user account
root and there may not have been tools available to manage access to
[the] root. So we had to trust our administrators to do the right thing.
In most cases they do, but it's the one guy that goes amok that creates huge
"Mr. Childs, if he did what he is accused of doing, is
just the latest in a series," Nielsen continued. "We tend to forget
the Societe Generale, Tenet Healthcare and Barings Bank incidents when they
become old news."
True enough. A look at the chronology of data breaches
provided by the Privacy
does show a number of incidents of employees
stealing or improperly exposing confidential information-as well as a litany
of lost laptops and other devices. And of course, there are also numerous
mentions of hacks.
"The best practice is to trust but verify,"
said Yama Habibzai, senior director at Netcordia, a provider of network
management tools. "There needs to be some level of trust within the
organization, but the organization needs to have the tools in place to verify
that employees touching the network are making accurate and approved