Insider monitoring seen as next wave in IT security

"Ramon" was an intellectual of sorts, highly educated, conservative in his politics, painfully introverted, somewhat arrogant and, according to some who knew him, kind of a geek.

He was an expert programmer who preferred communicating with associates through e-mail rather than in person. He even hacked into his employer's computer system without permission to show management that there were serious security gaps that needed to be fixed.

But somewhere along the line, Ramon's career faltered, and he became frustrated and contemptuous of his employer. And since his arrest on Feb. 18 for selling classified information, Ramon, also known as Robert Philip Hanssen, has been at the center of the worst insider spy case in FBI history.

However, the Hanssen case isn't unique to the government, say experts. The private sector is at risk from similar perpetrators. And there are characteristics shared by disgruntled insiders that, combined with circumstances like pending layoffs, can send those with trusted access to the dark side of IT.

A study conducted by psychologists at Political Psychology Associates Ltd. in Bethesda, Md., found that most cases of insider abuse can be traced to individuals who are introverted, incapable of dealing with stress or conflict, and frustrated with their jobs, among other factors.

The behavioral research firm also pointed out, however, that many honest people share these traits. Experts, therefore, recommend tight controls on information access and monitoring tools that can catch insiders in the act.

"Often, there are feelings of betrayal and grudges," particularly during times of financial hardship at companies, said Eugene Schultz, an engineer at Lawrence Berkeley National Laboratory and an adjunct professor at the University of California, Berkeley. "There's no question that there is a link between insider activity and bad times at organizations."

For example, FBI agents at the New York field office had complained prior to Hanssen's arrival about the high cost of living, which led them to express concern about spying for financial gain. They may have been correct, as Hanssen is alleged to have asked his Russian handlers for diamonds to provide for his children's futures.

Schultz, who has written a study on the corporate use of "honey pots" - phony servers populated with false data designed to attract hackers - for Recourse Technologies Inc., a security software firm in Palo Alto, Calif., also said there's a clear link between job roles and insider activity. Surprisingly, systems administrators, network security personnel and senior executives are often the culprits.

Recourse Technologies CEO Frank Huerta recently conducted a live demonstration of his company's Mantrap honey pot software during a sales call at a major computer manufacturer. Within 30 seconds, a member of the company's network security team attempted to hack the honey pot server.

Caught in the 'Honey Pot'

In another case, a very large financial firm discovered it was losing money from its payroll systems. So it set up two dozen honey pots and gave each server an interesting name, such as "payroll server." The next morning, the company's chief operating officer was caught trying to jury-rig another executive's payroll account.

Eric Friedberg, formerly a computer and telecommunications crime coordinator at the US Attorney's Office in New York, said companies should consider the new breed of software tools now emerging that could help detect unusual internal network activity. The new crop of tools includes Recourse's Manhunt suite and Lexington, Mass.-based Raytheon Co.'s SilentRunner network discovery tools.

Had the FBI used such a product, it could have discovered that Hanssen was searching for his own name in FBI databases, according to Friedberg. Hanssen's searches for his name "would have been totally out of the ordinary. There's no legitimate reason for that," Friedberg said.

Join the newsletter!

Error: Please check your email address.

More about FBIRaytheon AustraliaRecourse Technologies

Show Comments