Network Admin Arrest Puts Spotlight on Insider Threats

Some say a San Francisco network administrator charged with holding the city's FiberWAN hostage underscores the threat insiders can pose. But is the damage done by rogue employees more myth than reality?

When reports of a disgruntled network administrator locking his co-workers out of San Francisco's new FiberWAN first touched my ears, the first thought that raced through my head (besides the word "wow") was that this was a clear example of how an insider can potentially bring IT operations to a screeching halt.

Terry Childs, 43, pleaded not guilty today, July 17, to four counts of computer tampering. His arrest earlier this week set off both an explosion of media coverage and discussions about the importance of keeping an eye on the people keeping an eye on corporate networks.

But the difficult thing about discussing insider breaches is getting a grasp on just how much of a threat they actually are. For example, a CA-sponsored study conducted by The Strategic Counsel and released today reported that 44 percent of the 500 respondents identified internal breaches as a key security challenge over the 12 months preceding the survey, up from 42 percent in 2006 and just 15 percent in 2003.

Conversely, the number of respondents reporting virus attacks in the 2006 and 2008 surveys decreased from 68 percent to 59 percent, network attacks from 50 percent to 40 percent, and denial-of-service attacks from 40 percent to 26 percent.

"The potential aftershocks of an internal breach have the attention of both the business and the IT organization. And for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat," Lina Liberti, vice president of CA Security Management, said in a statement.

However, The Strategic Counsel study flies in the face of a report released in June by Verizon. According to the study (PDF), only about 18 percent of the more than 500 forensics engagements handled by the Verizon Business Investigative Response team from 2004 to 2007 were due to insider breaches. Some 73 percent were due to external threats, and the rest came from business partners.

Still, the median size of confidential records revealed in insider breaches was roughly 10 times larger than in the case of external breaches covered by the Verizon study.

"We have an old tradition in the IT industry of using trust in the administration of systems," said Jeff Nielsen, senior product manager at Symark International. "It most likely developed over the years from operating systems like Unix where there is an all-powerful super user account root and there may not have been tools available to manage access to [the] root. So we had to trust our administrators to do the right thing. In most cases they do, but it's the one guy that goes amok that creates huge problems.

"Mr. Childs, if he did what he is accused of doing, is just the latest in a series," Nielsen continued. "We tend to forget the Société Générale, Tenet Healthcare and Barings Bank incidents when they become old news."

True enough. A look at the chronology of data breaches provided by the Privacy Rights Clearinghouse does show a number of incidents of employees stealing or improperly exposing confidential information, as well as a litany of lost laptops and other devices. And of course, there are also numerous mentions of hacks.

"The best practice is to trust but verify," said Yama Habibzai, senior director at Netcordia, a provider of network management tools. "There needs to be some level of trust within the organization, but the organization needs to have the tools in place to verify that employees touching the network are making accurate and approved changes."