CFO Magazine, August 2002 Issue

First, Who's On?

Hackers and viruses make for good copy, but the most significant threat may come from within.

August 1, 2002

Despite its name, the Deloitte & Touche computer forensics laboratory looks less like a cybercrime research facility than a clandestine Internet café. A single counter of perhaps two dozen PCs lines one wall of a narrow, windowless room. Two young men, casually dressed, stare at monitors and tap away at keyboards, occasionally exchanging a few words. Boxes of hard drives and miscellaneous equipment sit stacked against the opposite wall. A manager comes by and asks whether anyone wants coffee.

The similarities end there. None of the computers, neither the PCs nor the two refrigerator-size servers that sit in an adjoining room, are connected to the Internet. The hard drives are not replacement parts, but rather exact copies of the hard drives of employees that Deloitte clients suspect have committed financial fraud. (The copies are captured by a "night team" that arrives at an employee's office after hours and is so careful to leave no trace of their presence that they take a digital photo of the desktop, allowing them to perfectly reposition everything from the mouse pad to the ballpoint pen.) The two young men are not playing games, but running special software that can rifle through thousands of electronic documents, E-mail messages, and any other computer files that might constitute a paperless trail of wrongdoing. There are few secrets here: even when erased by their creators, those documents and messages almost always leave an image behind that can be found and captured by forensics experts.

The company operates 10 labs around the country. Business is booming, which is not good news. Accustomed to spending more on computer security year over year, usually with the aim of keeping data safe from outsiders, companies may be dismayed to realize how often the threat lurks from within. The 2002 Computer Security Institute/FBI joint survey on computer crime and security found that theft of proprietary information and financial fraud were the two most significant problems as measured by dollar loss. While hackers can and do engage in both types of abuse, in most cases employees are better positioned to do so.

And they do. Last November, two former accountants at Cisco Systems Inc. received 34-month jail terms for using their access privileges to Cisco's computer systems to credit themselves with nearly $8 million in company stock. This past March, a former database administrator at Prudential Insurance Co. was charged with money laundering, credit card fraud, and identity theft amid allegations that he copied personal information on 60,000 employees and attempted to sell the data over the Internet.

At Deloitte & Touche, evidence uncovered by its forensics experts helped to convict a purchasing manager at the Giant Food supermarket company in Landover, Maryland, of taking more than $600,000 in kickbacks from suppliers. He awaits sentencing pending the completion of another trial involving a co-conspirator. John O'Connor, a partner at Deloitte & Touche whose law enforcement experience includes a stint at the U.S. Attorney's Office in Boston, says such cases, known as "procurement fraud," are becoming more common; in fact, Deloitte recently launched a specialized service to help companies prevent such abuse.

Most of the company's investigations focus on financial fraud, not breaches of computer security per se; sometimes crimes have been uncovered simply by reading an employee's E-mail, which can provide a smoking gun in the form of, believe it or not, thank-you notes to business partners whose lavish gifts have clearly been provided in return for special treatment.

But most cases of insider computer security abuse are similar to those at Cisco and Prudential: employees with computer access and some technical proficiency seek to exploit flaws in internal systems. "Controls haven't kept up with the risk," says O'Connor. "With decentralization, employees now have access from anywhere. Today everything can be done by computer, which constantly creates new vulnerabilities."

Companies aren't blind to this, nor are they indifferent. Last year midsize and large companies spent in excess of $2 million on average to address computer security. They spent an estimated $1.1 billion in aggregate simply to patch the software "holes" that hackers might use to gain entry to systems.

Insiders, of course, already have entry. What to do about them? A survey of 2,500 information security officers, managers, administrators, consultants, and others in similar positions conducted by Information Security magazine (published by TruSecure Corp., which sells computer security services) found that insider attacks occur more often than external breaches, yet the top priority among respondents was securing the "network perimeter" against external threats.

Is that a willful misreading of the true danger? Sammy Migues, principal scientist at TruSecure, says that companies often have "a crunchy exterior and a soft, chewy center" because there are a vast number of shrink-wrapped products available to keep outsiders out, but guarding against the insider threat requires policies, training, and inconvenience. TruSecure's Larry Bridwell adds that "inside threats are just plain difficult to defend against, because these are people you hired and want to trust, and because the process of sorting through corporate information assets and deciding who can see them, who can edit them, who can move them, and so on can be difficult to negotiate."

