Organizations spend a lot of time worrying about hackers and cybercriminals breaking into their networks, but sometimes the biggest threat they face is sitting right inside their offices.
In a presentation Thursday at RSA Conference 2013, Dawn Cappelli, technical manager of the CERT Insider Threat Center at Carnegie Mellon University, described several cases in which current and former employees sabotaged companies by planting malware, stole confidential corporate data or colluded with outsiders to commit fraud. The center has tracked 800 insider threat cases since 2001.
In cases involving theft of intellectual property such as business plans or source code, the culprit is often the person who worked on the project, Cappelli said. "They can throw it [the information] on a USB drive, and chances are they won't be caught," she said.
Most insider fraud cases involve lower-level support employees such as help desk personnel or bank tellers who conspire with outsiders, she said. "It starts with financial need and turns into financial greed."
Cases involving sabotage often involve highly technical employees such as system administrators who become disgruntled and are either fired or quit and set up an attack before they leave the company, she said.
Organizations should pay careful attention to secure share file services such as Dropbox and virtual machines, which employees can use to exfiltrate information, Cappelli said.
One actual insider threat case involved a product development manager at a networking products company who had access to clients' trade secrets in order to provide services, Cappelli said. That manager had access to information belonging to two clients in the semiconductor industry and downloaded 80 documents before he left the company and took a job with one of the semiconductor clients. Eighteen of those documents belonged to the competitor of his new employer, who ended up turning him into authorities
"That's a scary case, and it could happen to just about anybody," she said.
The incident underscores the need to ensure business partners protect information, she said. "You need to audit their controls and build it into contracts," she said.
NEXT: Mitigation Measures