Inside threats often imperil data security



Keystroke logging and other monitoring to avert misuse are increasing.
WASHINGTON POST
WASHINGTON -- For the public, it was jaw-dropping: an America Online software engineer accused of entering his company's data banks and stealing 92 million e-mail addresses that reportedly were sold by a middleman to spammers.
But for many on the front lines of computer security, the reaction was a knowing nod. They live daily with the uncomfortable truth that although outside hackers often steal the headlines, it's the insider gone bad who can more easily make off with the jewels.
"The AOL case is one more example of the risks of misuse by insiders, which are largely ignored by the popular focus on hackers, spammers and others," said Peter Neumann, principal computer scientist at SRI International, a risk analysis research institute.
Compounding the problem for companies and organizations is that computers are so pervasive that almost any employee is a potential threat.
Jeffrey Bedser, chief operating officer of ICG Inc., a computer security company, said his company has had clients that "have had consultants and contractors, including janitors, all the way up to senior executives stealing the data, trading the data or selling the data."
Extent of problem
Measuring the problem is difficult, because many companies never report breaches of their systems for fear that their reputations for securing data would be harmed. But in a survey of more than 500 security officers conducted last year by the FBI and the Computer Security Institute, 45 percent reported abuse by insiders.
"It isn't necessarily the motivation that makes insiders dangerous, but the fact that they may have unfiltered access to sensitive computer systems that can place public safety at risk," Keith Lourdeau, deputy assistant director of the FBI's cyber-crime division, said at a Senate hearing in February.
At some level, experts say, there is little defense against the trusted employee who decides to turn against his organization, especially if he is in charge of the computer systems.
But with more valuable information housed on computers, some companies and organizations are taking aggressive new steps to limit risk by focusing on both technology and human behavior.
Sensitive information, such as proprietary formulas or other trade secrets, is being segregated and more tightly controlled. AOL kept credit-card numbers of its members separate from the stolen e-mail address database, for example, saving the company from greater disaster.
Closely monitored
But credit-card numbers and other sensitive information are routinely available to call-center employees and other workers at many companies, prompting a move toward increased monitoring of workers.
Some companies are installing software packages that monitor employees' e-mail to ensure that no trade secrets, or even embarrassing internal memos, are sent outside the companies. The software looks for potentially valuable information and can also note what Web sites employees visit.
Other systems monitor the entire company's network, watching for employees who log in at odd hours or stay logged in for unusual amounts of time, or who look in databases they don't normally use. If an employee is suspect, programs that track a user's typing, known as keyloggers, also are available.
"The entire enterprise [can be] a leaking sieve of information," said Gary Steele, chief executive of Proofpoint Inc., an e-mail software provider.
Security experts also recommend cultural changes at the workplace. Employees should be encouraged to report suspicious behavior of colleagues, they say. They also urge more sophisticated background checks of employees.
"There has to be more thorough investigation of who you are bringing onboard when it relates to critical data," said Ron Moritz, chief security strategist for Computer Associates Inc., a software company.