BelchSpeak

I can't believe that came from your mouth!

Cyber

CERT Says: Insider Threats Come From Angry Employees

Carnegie Mellon University spent five years and millions of taxpayer dollars to produce a report whose conclusion common sense could have supplied for free: most insider threats to an IT network originate from angry employees with high levels of network access. No Doy.

From the Register here:

The vast majority of insider IT sabotage is carried out by employees – or ex-employees – who have already showed signs of concerning behaviour such as tardiness, truancy, arguing with colleagues, and poor job performance, according to CERT.

The findings come from a five-year insider threat study by researchers from Carnegie-Mellon University’s CERT Coordination Centre and the US Secret Service, and recently published as updated advice for the wary.

According to the CERT team, 92 per cent of insider attacks followed “a negative work-related event”, such as a dispute, demotion or transfer, or being fired – 59 per cent of the saboteurs had already been sacked, and either got into their former employer’s systems remotely, using passwords that hadn’t been deleted, or had already used their privileged system access to set up the attack before they were thrown out.

I guess we finally have hard numbers to prove to systems administrators and IT managers what they should have known all along: limit access to network resources and keep your people happy. The article also goes on to advise that managers need to audit frequently to discern the extent of access, and to demonstrate to IT professionals that they are indeed under the scope, being watched for bad behavior.
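The audit the article recommends, as an added example (not code from CERT, the Register, or this post): reconcile the HR leaver list against the account directory and login log to catch passwords that were never deleted and accounts a leaver set up shortly before exit. All records, field names and the 30-day lookback are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a real HR or directory export.
HR_TERMINATIONS = {  # employee id -> termination time
    "asmith": datetime(2024, 3, 1, 17, 0),
    "bjones": datetime(2024, 3, 10, 12, 0),
}
ACCOUNTS = [  # directory export, one dict per account
    {"name": "asmith", "owner": "asmith", "enabled": True,
     "created": datetime(2020, 1, 5), "created_by": "hr-onboard"},
    {"name": "svc-backup2", "owner": None, "enabled": True,
     "created": datetime(2024, 2, 25), "created_by": "asmith"},
    {"name": "bjones", "owner": "bjones", "enabled": False,
     "created": datetime(2021, 6, 1), "created_by": "hr-onboard"},
    {"name": "cdoe", "owner": "cdoe", "enabled": True,
     "created": datetime(2019, 9, 9), "created_by": "hr-onboard"},
]
LOGINS = [  # (account, time, source) from the authentication log
    ("asmith", datetime(2024, 3, 3, 2, 14), "vpn"),
    ("bjones", datetime(2024, 3, 9, 9, 0), "console"),
    ("cdoe", datetime(2024, 3, 4, 8, 30), "console"),
]

def audit(terminations, accounts, logins, lookback_days=30):
    """Return (finding, account) pairs that need follow-up."""
    findings = []
    owner_of = {a["name"]: a["owner"] for a in accounts}
    for acct in accounts:
        # 1. The leaver's own account is still enabled.
        if acct["enabled"] and terminations.get(acct["owner"]):
            findings.append(("enabled_after_termination", acct["name"]))
        # 2. A still-enabled account for someone else (or no one) that the
        #    leaver created in the lookback window before exit.
        exit_time = terminations.get(acct["created_by"])
        if (exit_time and acct["enabled"]
                and acct["owner"] != acct["created_by"]
                and exit_time - timedelta(days=lookback_days)
                <= acct["created"] <= exit_time):
            findings.append(("created_by_leaver_before_exit", acct["name"]))
    # 3. Any authentication by a leaver's account after the termination time.
    for name, when, _source in logins:
        exit_time = terminations.get(owner_of.get(name))
        if exit_time and when > exit_time:
            findings.append(("login_after_termination", name))
    return findings

if __name__ == "__main__":
    for finding, account in audit(HR_TERMINATIONS, ACCOUNTS, LOGINS):
        print(f"{finding}: {account}")
```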

I have left many jobs in the IT field with zero notice to management. I have declared myself a security risk to my fellow employees and have left my building access badge with the guard or manager. I leave jobs that way to limit my own liability, especially if I have insider knowledge of where networks are weak or vulnerable. If I were to stay for the final two weeks and something were to happen to the network, I do not want to be under any suspicion that I had tampered with or damaged the network during that time.

And if you are in the position to monitor activity on an enterprise network, be on the constant lookout for people surfing resume posting sites. It is the people updating their resumes that are likely the biggest threat to damage your network and steal intellectual property.

Dr. Jones

Do not talk about fight club. Oops.
