Despite its name, the Deloitte & Touche computer forensics laboratory looks less like a cybercrime research facility than a clandestine Internet café. A single counter of perhaps two dozen PCs lines one wall of a narrow, windowless room. Two young men, casually dressed, stare at monitors and tap away at keyboards, occasionally exchanging a few words. Boxes of hard drives and miscellaneous equipment sit stacked against the opposite wall. A manager comes by and asks whether anyone wants coffee.
The similarities end there. None of the computers, neither the PCs nor the two refrigerator-size servers that sit in an adjoining room, are connected to the Internet. The hard drives are not replacement parts, but rather exact copies of the hard drives of employees that Deloitte clients suspect have committed financial fraud. (The copies are captured by a “night team” that arrives at an employee’s office after hours and is so careful to leave no trace of their presence that they take a digital photo of the desktop, allowing them to perfectly reposition everything from the mouse pad to the ballpoint pen.) The two young men are not playing games, but running special software that can rifle through thousands of electronic documents, E-mail messages, and any other computer files that might constitute a paperless trail of wrongdoing. There are few secrets here: even when erased by their creators, those documents and messages almost always leave an image behind that can be found and captured by forensics experts.
The company operates 10 labs around the country. Business is booming, which is not good news. Accustomed to spending more on computer security year over year, usually with the aim of keeping data safe from outsiders, companies may be dismayed to realize how often the threat lurks from within. The 2002 Computer Security Institute/FBI joint survey on computer crime and security found that theft of proprietary information and financial fraud were the two most significant problems as measured by dollar loss. While hackers can and do engage in both types of abuse, in most cases employees are better positioned to do so.
And they do. Last November, two former accountants at Cisco Systems Inc. received 34-month jail terms for using their access privileges to Cisco’s computer systems to credit themselves with nearly $8 million in company stock. This past March, a former database administrator at Prudential Insurance Co. was charged with money laundering, credit card fraud, and identity theft amid allegations that he copied personal information on 60,000 employees and attempted to sell the data over the Internet.
At Deloitte & Touche, evidence uncovered by its forensics experts helped to convict a purchasing manager at the Giant Food supermarket company in Landover, Maryland, of taking more than $600,000 in kickbacks from suppliers. He awaits sentencing pending the completion of another trial involving a co-conspirator. John O’Connor, a partner at Deloitte & Touche whose law enforcement experience includes a stint at the U.S. Attorney’s Office in Boston, says such cases, known as “procurement fraud,” are becoming more common; in fact, Deloitte recently launched a specialized service to help companies prevent such abuse.
Most of the company’s investigations focus on financial fraud, not breaches of computer security per se; sometimes crimes have been uncovered simply by reading an employee’s E-mail, which can provide a smoking gun in the form of, believe it or not, thank-you notes to business partners whose lavish gifts have clearly been provided in return for special treatment.
But most cases of insider computer security abuse are similar to those at Cisco and Prudential: employees with computer access and some technical proficiency seek to exploit flaws in internal systems. “Controls haven’t kept up with the risk,” says O’Connor. “With decentralization, employees now have access from anywhere. Today everything can be done by computer, which constantly creates new vulnerabilities.”
Companies aren’t blind to this, nor are they indifferent. Last year midsize and large companies spent in excess of $2 million on average to address computer security. They spent an estimated $1.1 billion in aggregate simply to patch the software “holes” that hackers might use to gain entry to systems.
Insiders, of course, already have entry. What to do about them? A survey of 2,500 information security officers, managers, administrators, consultants, and others in similar positions conducted by Information Security magazine (published by TruSecure Corp., which sells computer security services) found that insider attacks occur more often than external breaches, yet the top priority among respondents was securing the “network perimeter” against external threats.
Is that a willful misreading of the true danger? Sammy Migues, principal scientist at TruSecure, says that companies often have “a crunchy exterior and a soft, chewy center” because there are a vast number of shrink-wrapped products available to keep outsiders out, but guarding against the insider threat requires policies, training, and inconvenience. TruSecure’s Larry Bridwell adds that “inside threats are just plain difficult to defend against, because these are people you hired and want to trust, and because the process of sorting through corporate information assets and deciding who can see them, who can edit them, who can move them, and so on can be difficult to negotiate.”
Experts generally agree that an important first step is to approach computer security from a risk-management standpoint, forgoing the fruitless quest for flawless security in favor of security that is simply good enough. TruSecure’s chief technologist, Peter Tippett, has even worked out a formula, Risk = Threat x Vulnerability x Cost, in which threat is measured by the frequency of potentially damaging attacks, vulnerability is the likelihood of success, and cost is the total cost of a successful attack.
Running various threats through this formula produces some interesting results. For example, since anything multiplied by zero is zero, if a given threat doesn’t apply to a company, or if the company feels invulnerable, or if the cost to fix or repair the damage is minimal, then the risk is zero. Conversely, if any of those three components of risk are underestimated, so too is the risk itself. When TruSecure surveyed the employees most responsible for virus security at large corporations and asked about the financial impact of the Melissa virus, the typical respondent put the price tag at a mere $1,700. TruSecure says that in fact it was seven times that when various costs not directly related to IT expenses (lost business or transaction time, a drop in employee productivity, detrimental public relations, inadequate customer service, and so on) were factored in.
“This is why senior-level involvement in computer security is essential,” says Tippett. “CFOs and CEOs understand how to analyze risk.”
They are also highly receptive to Tippett’s other message: security can be substantially improved without spending additional money, simply by focusing on a handful of basic policies and practices. Consider, for example, a major area of vulnerability: the lunch hour. Employees walk away from their desks with their PCs logged on, allowing any passerby to quickly sit down and gain access to sensitive data and transaction systems. But if the password-protect feature of the screen saver (standard on Windows and other operating systems) is used, this hole is effectively plugged.
Deloitte’s O’Connor says that other policies come into play as well. For example, the creation of vendor accounts is a process that senior executives should reexamine, since it’s often a key element in fraud cases. Behind the scenes, companies can run “smart reports” that scan procurement (and other financial) activity and look for irregularities. Such reports don’t just uncover abuse, but expose inefficiency as well. One client, for example, had been paying 200 utility bills a month because each facility was treated as a separate account. Once discovered, the company rolled all those bills into one.
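A "smart report" of the kind described above can be sketched as follows. This is an added example, not Deloitte's software; the vendor and payment records, field names, and the two checks (many vendor accounts sharing one remittance account, and payments approved by the person who created the vendor account) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the article): vendor master file and payments.
VENDORS = [
    {"id": "V100", "name": "City Power - Plant 1", "remit_to": "ACCT-7781", "created_by": "mlopez"},
    {"id": "V101", "name": "City Power - Plant 2", "remit_to": "ACCT-7781", "created_by": "mlopez"},
    {"id": "V102", "name": "City Power - Warehouse", "remit_to": "ACCT-7781", "created_by": "tchen"},
    {"id": "V200", "name": "Harbor Packaging", "remit_to": "ACCT-3310", "created_by": "jdoe"},
    {"id": "V300", "name": "Northside Produce", "remit_to": "ACCT-9054", "created_by": "tchen"},
]
PAYMENTS = [
    {"vendor": "V100", "amount": 1800.00, "approved_by": "akhan"},
    {"vendor": "V101", "amount": 2100.00, "approved_by": "akhan"},
    {"vendor": "V102", "amount": 950.00, "approved_by": "akhan"},
    {"vendor": "V200", "amount": 48000.00, "approved_by": "jdoe"},
    {"vendor": "V200", "amount": 52000.00, "approved_by": "jdoe"},
    {"vendor": "V300", "amount": 9100.00, "approved_by": "akhan"},
]

def shared_remittance(vendors):
    """Vendor accounts that pay into the same remittance account.

    Catches both inefficiency (one utility billed per facility) and
    several vendor records that all route money to one payee.
    """
    groups = defaultdict(list)
    for v in vendors:
        groups[v["remit_to"]].append(v["id"])
    return {acct: sorted(ids) for acct, ids in groups.items() if len(ids) > 1}

def self_approved(vendors, payments):
    """Total paid per vendor where the approver also created the vendor account."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    totals = defaultdict(float)
    for p in payments:
        if creator.get(p["vendor"]) == p["approved_by"]:
            totals[p["vendor"]] += p["amount"]
    return dict(totals)

if __name__ == "__main__":
    for acct, ids in shared_remittance(VENDORS).items():
        print(f"{acct}: {len(ids)} vendor accounts share this payee: {ids}")
    for vendor, total in self_approved(VENDORS, PAYMENTS).items():
        print(f"{vendor}: {total:,.2f} approved by the account's creator")
```

A hit from either check is a lead for review, not proof of fraud: the shared-payee result may simply be a consolidation opportunity like the utility bills.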
Similarly, “identity management” software not only helps companies determine and track who has access to what systems, but also often provides a more efficient way to “provision” new employees with computers, passwords, phone service, and the like so that they can become more productive more quickly. The systems also withdraw access privileges and related services (such as cell-phone accounts) when employees leave or are terminated, which can save companies money while also making sure that an ex-employee’s presence doesn’t linger.
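The deprovisioning check that identity-management systems automate can be illustrated by reconciling an HR roster against an account inventory. This is an added example, not any vendor's product; the roster, account list, system names, and dates are constructed, and the three finding labels are assumptions.

```python
from datetime import date

# Constructed HR roster: user -> termination date (None means still employed).
HR = {
    "asmith": None,
    "bjones": date(2002, 3, 15),
    "cwu": date(2002, 5, 1),
    "dlee": None,
}

# Constructed account inventory across systems, including a cell-phone account.
ACCOUNTS = [
    {"system": "erp", "user": "asmith", "enabled": True, "last_login": date(2002, 6, 3)},
    {"system": "erp", "user": "bjones", "enabled": True, "last_login": date(2002, 4, 2)},
    {"system": "vpn", "user": "bjones", "enabled": False, "last_login": date(2002, 3, 10)},
    {"system": "cellphone", "user": "cwu", "enabled": True, "last_login": None},
    {"system": "erp", "user": "contractor7", "enabled": True, "last_login": date(2002, 6, 1)},
]

def lingering_access(hr, accounts):
    """Return (system, user, finding) for enabled accounts that should not exist."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already withdrawn
        user = acct["user"]
        if user not in hr:
            # Nobody in HR owns this account: orphaned or never provisioned properly.
            findings.append((acct["system"], user, "no HR record"))
            continue
        left = hr[user]
        if left is None:
            continue  # current employee
        used = acct["last_login"] is not None and acct["last_login"] > left
        finding = "used after termination" if used else "enabled after termination"
        findings.append((acct["system"], user, finding))
    return sorted(findings)

if __name__ == "__main__":
    for system, user, finding in lingering_access(HR, ACCOUNTS):
        print(f"{system:10} {user:12} {finding}")
```

"Used after termination" is the finding to escalate first, since it means someone logged in with a departed employee's credentials.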
Scott Leibs is a senior editor (technology) at CFO.
The Threat from Within
Percent of respondents experiencing insider security breaches, 2000-2001. “Insider” refers to full-time or part-time employees, contracted workers, consultants, company partners, or suppliers.
Source: Information Security/TruSecure Corp., 2001
Insider security breach | 2000 | 2001 |
Installation/use of unauthorized software | 76% | 78% |
Use of company computing resources for illegal or illicit communication or activities (e.g., porn surfing, E-mail harassment) | 63% | 60% |
Use of company computing resources for personal profit (e.g., gambling, spam, managing personal E-commerce site, online investing) | 50% | 60% |
Abuse of computer access controls | 58% | 56% |
Physical theft, sabotage, or intentional destruction of computing equipment | 42% | 49% |
Installation/use of unauthorized hardware/peripherals | 54% | 47% |
Electronic theft, sabotage, or intentional destruction/disclosure of proprietary data or information | 24% | 22% |
Fraud | 13% | 9% |
A Too-Close Second
Most likely sources of computer attacks.
Source: CSI/FBI 2002 Computer Crime and Security Survey
Source of attack | 1997 | 2002 |
Independent Hackers | 73% | 82% |
Disgruntled Employees | 87% | 75% |
U.S. Competitors | 51% | 38% |
Foreign Corporations | 23% | 26% |
Foreign Governments | 22% | 26% |
Thou Shalt Not Hack
Developing a computer security policy is not arduous. In fact, software from a firm called PoliVec Inc. can walk a manager through the process in less than two hours, and will automatically scan systems to make sure the policy is being enforced. Devin Brown, CFO at Denver Community Federal Credit Union, says the product opened his eyes to the risks of internal abuse. “With the advent of Internet banking,” he says, “most of my attention was on hackers and similar threats, but when you develop a formal policy, you suddenly see the many ways that you’re vulnerable internally.”
Once he had a policy, Brown made sure employees knew about it. Communicating the details and overall importance not only ensures compliance, but also sends a signal that a company takes computer security seriously. At Moen Inc., a pop-up screen walks employees through what vice president of IT Tim Baker describes as “The Ten Commandments of Security” every time they log on. —S.L.