It is 9am on Monday and a new call centre employee logs in at his workstation. He doesn’t waste time opening his e-mail account or checking web access as other employees might. Instead, he probes the computer for weaknesses.
Human resources have assigned him a username and password with very low-level access to the computer network, but, exploiting a couple of common security weaknesses on the PC, within a minute he has discovered other user identities on the machine that give him higher privileges.
The passwords are easy to crack with hacking tools he has downloaded from the internet and it is not long before he can log in as the company’s chief executive – or as its chief systems administrator – and access highly protected areas. Because the attack is from inside the perimeter, the company’s expensive firewall detects none of this.
The hack takes less than 10 minutes According to NCC Group, an IT security company that often simulates insider attacks during security audits of company systems, more than 80 per cent of internal networks can be compromised at the first attempt.
Well before the first coffee break of the day the new employee – who is actually a hacker employed by a rival organisation – walks out of the building and disappears, taking with him a copy of the company’s client account database on a tiny USB drive. Worse, he has doctored the system to allow him to access it again from outside any time he likes.
It is a chief information security officer’s worst nightmare, and much more common than many companies imagine.
Last year the UK’s Financial Services Authority highlighted the issue, warning that it was seeing instances of organised criminal groups planting staff at banks to commit financial crime, particularly identity theft.
A recent report by Deloitte showed that insider hacking had, in fact, become one of the fastest-growing threats to financial institutions, accounting for 35 per cent of security breaches in the past 12 months, compared with 14 per cent a year ago.
“Financial institutions have dramatically reduced the number of external attacks by protecting themselves with anti-virus software and content filtering, particularly at the perimeter of their networks,” says Mike Maddison, director of security services at Deloitte.
“There has been an emphasis for some time on the never-ending battle to secure the corporate perimeter. As a result technological loopholes are being closed, but the hackers’ tactics have now shifted towards manipulating human behaviour.”
There has been much focus on financial institutions, as they are seen as having the most to lose from computer fraud, but they are by no means the only companies affected.
“Its not limited to financial institutions. A vast majority of all the attacks we investigate have some form of insider involvement,” says Rob Cotton, chief executive of NCC Group.
“Any company has data that is seen as valuable – intellectual property, customer information, pricing information. Any company has a vast number of identities on file that can be stolen,” he points out.
According to Simon Janes, a former Scotland Yard detective who works at Ibas, the computer forensics company, insider hacking is involved in around 90 per cent of cases he investigates.
“Five years ago, organisations had tightly controlled fortress-type IT systems, and tight controls on their database administrators. Now those organisations have been opening up with online services and access for third parties such as suppliers,” says Alistair MacWilson, head of the security practice at Accenture. “It has extended the enterprise outwards and the line between an external and internal hack is becoming blurred. Organisations are finding it hard to control the plethora of users on their systems.”
Hacking has also become a lot easier thanks to the availability of tools online. “Ten years ago it needed a huge amount of expertise – it was computer scientists who did it. But there has been a flurry of tools to automate coding and it is now a schoolboy exercise,” says Mr MacWilson.
It is also easier to sneak data out. Thirty years ago, stealing vast quantities of information would have meant trying to sneak a filing cabinet out of the building. Now the same data can be stored on a tiny USB key.
Thanks to these improvements in technology, internal hackers are no longer the people you would expect. It is no longer the spotty computer technician, it is more likely to be the cleaner – or a senior executive.
“Internal hackers tend to be middle and senior management, who recognise the value of the information such as invitations to tender, copies of proposals and databases,” says Mr Janes.
One of the most dangerous times is when an employee is leaving a company. Mr Janes estimates 70 per cent of staff have stolen some kind of data upon departure.
A few high-profile attacks have highlighted the insider threat in the past year. In August, a former America Online employee was sentenced to 15 months in prison after being convicted of selling 92m AOL e-mail addresses to spammers. In June, the Sun newspaper alleged that one of its undercover reporters had been sold bank account details of 1,000 UK customers by an Indian call centre worker.
These, however, are the exceptions. Much more often companies hush up incidents to avoid reputational damage.
More disclosures may be forthcoming as legislation requiring companies to notify customers when data is compromised spreads. California has had such laws since 2003, and many other states as well as the US federal government are looking to adopt something similar.
Business may, however, be unaware that an internal breach has even taken place.
“Big frauds are only discovered by chance,” says Mr Janes. Many security breaches go undetected for years, and the bigger the fraud, the longer it can take to spot.
In one case he investigated, an employee had been defrauding a company of £3,000 a week by making changes to one of the corporate databases. When he was finally caught the company discovered this had been going on for at least three and a half years.
But, as the insider hacking threat grows, a number of new technologies are emerging that can help companies combat the issue.
Rich Mogull, researcher at Gartner, highlights three that are beginning to move from the early adopter market to the mainstream.
Content monitoring systems, for example, can keep an eye on what employees are sending out in e-mails and other communications.
There is also software to monitor activity on databases. It will watch the kind of queries people are running and alert managers if someone who normally looks at a single bank account number at a time suddenly accesses 1,000 at once. There are also types of encryption. Back-up tapes – often stolen in internal security breaches – can be encrypted, as can laptops.
“Much of security is not about being clever, it is about the application of common sense,” says Mr Cotton. “Restrictions on internet access, monitoring new employees, making sure passwords are being changed regularly and not being put on Post-it notes stuck to the side of the computer. It is a lot of the basic, basic stuff that stops opportunistic attacks.”
In part it is a cultural issue, say many of the security experts. Companies need to create a culture in which employees are encouraged to be vigilant and report suspicious activity.
Companies also need to break their silence and publicly prosecute more of their inside hackers.
As Mr Janes puts it: “None of us would do anything if we thought we’d get caught. Companies have to take away the perception of success from the insider hacker.”