Hacking from the inside

Rene Hamel loves to tell the story of his favourite insider hacking job. In fact, his exuberance is unmistakable as he describes what can only be considered a bizarre story of internal deceit.

It started when an employee stole some very important source code, bolted and started his own company. The lawsuit that followed had little impact, since the thief changed the source code enough to avoid paying damages. But then the tale took an unusual turn. Though the thief was not a skilled developer, he was one great marketer. His new product gained market share even though it was still inferior to the original. So the thief bought the company he used to work for and hired his ex-boss to fix the code.

Long story short, this is an unlikely occurrence. But the short story? You and your company may have already lost important proprietary information and not even know it.

Today, in this post-9/11 world, there is more of a focus on all that is unknown, foreign and external. But the fact is, regardless of whose statistics you believe, at a very minimum, 40 per cent of all computer hacks are internal. Exact numbers aside, these internal hacks inflict the most economic damage. After all, who knows how to wreak havoc at an organization better than its employees? They know where the bodies are buried and where the treasure lies, and they can often slip under the radar to get to them.

But many companies want to live in a world where employees would never think of causing intentional damage. “We’re a happy family,” to quote ’70s punk rockers the Ramones, is often the corporate thinking. Problem is, few companies really are.

Very few people join companies with the intention to steal. Like it or not, the disgruntled employee is a product of the environment.

Hamel, KPMG Toronto’s vice-president of forensic technology services and an ex-RCMP investigator, knows a few things about the criminal mind. He said corporate Canada, for the most part, does not spend enough time trying to understand IT culture. And though he does not condone the actions of internal hackers, he understands how they can be created and, more importantly, how dangerous they can be if they turn on a company.

“IT employees – you’ve got to treat them well,” Hamel said.

Although he doesn’t blame the victim, Simon Perry, vice-president of security solutions with Islandia, N.Y.-based Computer Associates International, said he is not about to let corporations completely off the hook. “Organizations are happy to paint themselves as victims of us versus them, but they don’t want…to admit that, due to their core governance, they have turned one of us into one of them,” he said.

Often a company’s only recourse is to fire the employee, since going to the courts means media scrutiny and the acknowledgement that there was a bad apple within and internal security was an afterthought. So it is necessary to create an environment where motive and IT access have both been reduced, to help minimize the possibility of an internal hack.

policy, policy, policy

“Policy is important because without policy there is no establishment of repercussion,” said Adel Melek, partner with Deloitte & Touche in Toronto and national leader of the security services practice. Often employees don’t know exactly what is and isn’t acceptable corporate policy, he said.

Ches Somers, another Toronto-based ex-RCMP officer and associate managing director of investigations with risk consulting company Kroll Inc., likes the idea of an annual review of corporate policy so it is not forgotten.

Policies vary from company to company. Some will put the kibosh on any personal Web and e-mail use while others will go so far as to outline what exactly constitutes a “crime.” Sometimes it is even necessary to spell out what should be obvious, such as no hacking password files or sending corporate takeover strategies to friends.

It is important to be specific so employees can’t use the “I didn’t know” defence, Melek said.

Admittedly, corporate policy will probably only stop the fence-sitter, but it is necessary to have one as a starting point. Also, the more employees know and understand the repercussions of their actions, the less likely it is they will go ahead with them.

Even before companies look to anti-hacking technology, they must first change their corporate strategies to reflect the need to compartmentalize data. Companies often have too many people with access to too much information. It can prove to be a motivating factor for illicit activities – if a product developer learns the true value of an invention from marketing, will he or she be more or less prone to bolt with the information as a result? The answer is often the former. This is backed by the fact that the number-one insider job is the theft of proprietary information.

“You have multi-billion-dollar companies that are still being run like mom and pop shops,” said Peter Vakof, vice-president with dispute analysis and investigations at PricewaterhouseCoopers in Toronto. “There is no person at any company who needs access to everything,” Perry said.

The Royal Bank follows this thinking. Though Peter Cullen is the bank’s chief privacy officer, a c-level executive, he has no access to customer information.

The military learned long ago that requiring two people to launch nuclear missiles dramatically reduces the possibility of a rogue launch. To date this thinking has proven successful. At companies which require a lot of people to be kept in the loop, requiring multiple users to change, copy or delete certain corporate data increases security.

Chrysalis-ITS has technology that allows companies to tether important corporate data. Dave Longbottom, CEO of the Ottawa-based company, said a company could require as many as 16 people to sign off on the change or deletion of certain data. “You make it so multiple people are needed to defraud a company,” he said.
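The dual-control idea described above, as an added illustration (not Chrysalis-ITS’s product or any vendor’s code): a destructive operation on a tagged data set is refused until a required number of distinct, pre-authorized approvers have signed off, and the person who requested it cannot count as one of them. The policy values, names and the `GuardedOperation` class are assumptions made for the example.

```python
"""Added example: an M-of-N approval gate for changing or deleting
sensitive data. All names and policy values here are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ApprovalPolicy:
    required: int              # distinct sign-offs needed before the action runs
    approvers: frozenset       # identities allowed to sign off (owner, security, legal ...)


@dataclass
class GuardedOperation:
    requester: str             # who asked for the change/deletion
    action: str                # e.g. "delete" or "change"
    target: str                # the data set being acted on
    policy: ApprovalPolicy
    approvals: set = field(default_factory=set)

    def approve(self, approver: str) -> bool:
        """Record a sign-off. Returns False when the sign-off is not valid."""
        # Only people on the policy's approver list may sign off.
        if approver not in self.policy.approvers:
            return False
        # Separation of duties: the requester cannot approve their own request.
        if approver == self.requester:
            return False
        # A set ignores repeated sign-offs, so one person cannot vote twice.
        self.approvals.add(approver)
        return True

    def is_authorized(self) -> bool:
        """True once enough distinct approvers have signed off."""
        return len(self.approvals) >= self.policy.required

    def execute(self) -> str:
        """Run the action, or refuse if the quorum has not been reached."""
        if not self.is_authorized():
            raise PermissionError(
                f"{self.action} on {self.target} needs {self.policy.required} "
                f"approvals, has {len(self.approvals)}")
        return f"{self.action} on {self.target} executed"


def demo() -> tuple:
    """Constructed walk-through: two-person rule on a product source tree."""
    policy = ApprovalPolicy(required=2, approvers=frozenset({"alice", "bob", "carol"}))
    op = GuardedOperation("alice", "delete", "source/core", policy)
    steps = (
        op.approve("alice"),   # requester approving herself: rejected
        op.approve("bob"),     # first valid sign-off
        op.approve("bob"),     # repeat by the same person: accepted but not counted twice
        op.is_authorized(),    # still only one distinct approver
        op.approve("carol"),   # second distinct approver
        op.is_authorized(),    # quorum reached
    )
    return steps + (op.execute(),)


if __name__ == "__main__":
    print(demo())
```

Raising the quorum is a policy change, not a code change, which is the point of keeping the threshold in `ApprovalPolicy` rather than in the operation itself.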

“I think that is a great idea, (but) I don’t see too many companies doing it,” Perry responded.

Longbottom also likes the idea of outsourcing certain data processes. In this case those controlling the data, the outsourcer, would have no knowledge of the importance or value of the data, and those who would know – the employees – would have no direct access to it. Access to the system, one of the weapons of the inside attacker, has been taken away, he said.

Regardless of how a company decides to store its data, change-management guru Peter de Jager said it is important to categorize data’s importance so that companies can focus their defence to protect specific valuable data instead of trying to place one defence around everything.

Internal intrusion detection and firewall systems, placed next to important data servers, are one way to do this.

Important data should also be moved more securely, said Anthony Santilli, director of marketing with Soltrus Inc. in Toronto. He is a fan of encrypting important corporate e-mail. IT administrators have access to e-mail and can easily read the contents if it is not encrypted, he said. Though encryption seems like a no-brainer, few companies do it.

Something as simple as better user name and password policies can reduce the likelihood that an insider will gain access using someone else’s account. One very simple solution is for users to be able to define their own user name instead of going with the corporate standard – first name underscore last name – which means everyone, by default, knows everyone else’s user name and thus has only the password to crack.

catching the thief

Everyone agrees that the motivated, extremely knowledgeable insider with enough time is essentially unstoppable and that to invest millions to try to stop this type of hacker is not money well spent. Each company needs to do risk analysis to figure out where to spend its money. For some it may be as cheap and easy as good, sound corporate education tied into a strong user name and password policy. For others, millions will need to be spent to monitor, detect and audit internal abuse in real time, 24/7.

Bruce Schneier, CTO of Counterpane, likes to recount one of his company’s internal hacker war stories. A disgruntled employee with a major American airline was attempting to access the corporate Human Resources system. Schneier admits that it is difficult to catch a one-time insider job that’s mistake-free, but this individual was not a pro. Within minutes of detecting the hack, Counterpane was on the phone with the airline, giving them the exact geographic location of the penetration attempt. They caught the hacker red-handed in front of the keyboard at an office in Mexico City.

For companies with the money and the need, 24/7 internal network monitoring is essential. But to do so, the monitors (actual people, not machines) need to really understand the network and its peculiarities. Technology probably won’t catch something suspicious unless those monitoring the system understand it well enough to pick out vague abnormalities. The problem? The average company doesn’t pay any attention to their networks, Schneier said.

Though Schneier’s story seems like the actions of IT secret agents, had the airline not been able to catch the hacker in the act, dealing with the intrusion may have been problematic. In fact, for a company to dismiss an employee, unless there is a confession, the hacker has to be caught in the act. There are too many stolen user names and passwords for guilt to be established solely on the basis of who the system said penetrated the network.

Were a defence lawyer able to prove the corporate password file was insecure, or that a sniffer could be placed on the internal network (to monitor keystrokes and steal passwords), a company might find itself apologizing and paying compensation to someone of uncertain innocence.

This is one of the reasons Hamel always wants the hacker placed in front of the keyboard committing the crime before he suggests a company go further with its investigation.

“For an investigator, at the end of the day, it doesn’t matter which file you have recovered, it doesn’t matter what electronic evidence you’ve got, you have to put that person behind the keyboard.”

Hamel’s years with the RCMP taught him that, despite their best efforts, criminals eventually become complacent. But for one-time hacks by skilled hackers, don’t expect to catch them in the act.

Since not every company can afford to monitor all systems 24/7, it is necessary, as an absolute minimum, that all companies audit their system access on a regular basis.
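What a periodic access audit can look like, as an added example that is not from the article or any of the companies it quotes: a small script reads access-log lines and flags the patterns the article’s sources worry about, namely staff reaching into data owned by another department, access outside business hours, and one account pulling an unusual volume of records. The log format, the department-to-resource ownership map and the thresholds are all constructed for the example.

```python
"""Added example: a periodic access audit over constructed log lines.
The log format, ownership map and thresholds are assumptions."""
import re
from collections import Counter
from datetime import datetime

# Constructed format: ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"resource=(?P<res>\S+) action=(?P<action>\S+)$")

# Which department owns each top-level resource prefix (assumed).
RESOURCE_OWNER = {"HR": "hr", "FIN": "finance", "ENG": "engineering"}
BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59 counts as normal
BULK_THRESHOLD = 3              # more accesses than this per user is flagged

# Constructed sample log, including one malformed line.
SAMPLE_LOG = [
    "2024-03-04T10:02:11 user=jdoe dept=engineering resource=ENG/core action=read",
    "2024-03-04T10:05:40 user=jdoe dept=engineering resource=HR/payroll action=read",
    "2024-03-04T23:41:07 user=msmith dept=finance resource=FIN/ledger action=export",
    "2024-03-04T23:42:19 user=msmith dept=finance resource=FIN/ledger action=export",
    "2024-03-04T23:43:55 user=msmith dept=finance resource=FIN/ledger action=export",
    "2024-03-04T23:45:02 user=msmith dept=finance resource=FIN/ledger action=export",
    "garbage line that does not parse",
    "2024-03-04T14:20:00 user=pnguyen dept=hr resource=HR/benefits action=read",
]


def parse(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def audit(lines):
    """Return (kind, user, detail) findings for the patterns worth a second look."""
    events = [e for e in map(parse, lines) if e is not None]
    findings = []
    for e in events:
        owner = RESOURCE_OWNER.get(e["res"].split("/")[0])
        # Access to data owned by another department.
        if owner is not None and owner != e["dept"]:
            findings.append(("cross-department", e["user"], e["res"]))
        # Access outside business hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours", e["user"], e["res"]))
    # One account touching an unusual number of records in the window.
    for user, count in Counter(e["user"] for e in events).items():
        if count > BULK_THRESHOLD:
            findings.append(("bulk-access", user, str(count)))
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(SAMPLE_LOG):
        print(f"{kind:17} {user:10} {detail}")
```

A finding here is a prompt for a person to look, not proof of wrongdoing; as the article notes, a stolen user name behind an entry is always possible, so the audit narrows where to investigate rather than establishing guilt.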

There are those who push the biometrics solution so that employees cannot disavow access gained using their name. But this is overkill, Perry said. “Internally, user IDs and passwords are just as strong as digital certificates and biometrics for 99 per cent of the company.”

Whatever approach your company chooses to take, everyone agrees with Hamel that companies shouldn’t start spending after something happens; they should start before.