When ex-employees strike back

Stephen
Phillips reports from San Francisco on the measures US employers are having to
take to guard against sabotage by disgruntled ex-workers.

Job
lay-offs driven by the deepening economic downturn are leaving many companies open
to an increased threat of computer sabotage from resentful former employees.

The
rising toll of corporate muggings highlights the importance of strict exit
procedures for departing staff, including speedy withdrawal of access to
information systems as well as repossession of physical property.

Send
in the FBI

In
San Francisco and Silicon Valley, ground zero for the recession now hitting UK
shores, mass lay-offs have made electronic vengeance by fired employees one of the
biggest single types of case on the books of the FBI’s local Computer Intrusion
Squad.

Such
cases account for 12-24 per cent of the crimes under investigation by the
nine-man California-based team, the largest of its kind in the US. "We
have seen a definite increase in the past six months in the number of
complaints from companies where former staff have retaliated through computer
systems," says supervisory special agent Peter Trahon.

Extensive
knowledge of internal systems, including passwords, make former IT workers the
most likely perpetrators.

Hacking
headaches

Hacking
by current and former staff is an ongoing headache for companies. A recent poll
of 538 corporations by San Francisco’s Computer Security Institute (CSI) and
the FBI found that 49 per cent had experienced "unauthorised [computer
systems] access by insiders".

But
the threat is heightened when economic conditions force companies to cut jobs.
"There is renewed importance to the threat from disgruntled employees,
because more people are pissed off at losing their jobs," says Richard
Power, editorial director of the CSI.

Typical
attacks include erasing data, launching denial of service attacks to knock out
e-mail systems and sending defamatory e-mail purporting to be from management.

HR-IT
co-operation

To
put their company on a more secure footing, HR professionals must collaborate
with their counterparts in the IT department, experts advise.

For
a start, IT officials need to be in the loop when redundancy decisions are
made. "Typically, the last person to be notified that a person has been
fired is the system administrator and they are the gatekeeper to the crown
jewels of the corporation," notes Trahon.

Meanwhile,
although companies uniformly escort dismissed staff from their premises to protect
physical assets, such vigilance needs to be extended to the digital domain to
counter the threat of electronic parting shots. This entails immediately
revoking access to corporate systems, including e-mail and Internet accounts,
which offer open doors for malicious attacks.

"[Laid-off]
staff need to have their access to the system cut off even while [exit]
interviews are taking place," counsels Eric Rolfe Greenberg, director of
management studies at the American Management Association.

The
FBI’s Trahon recommends appointing a dedicated IT security manager.
"Sometimes when an organisation gets intruded upon, we end up talking to a
physical security person who know nothing about IT," he says.

Start
with recruitment

Risk
reduction starts with recruitment, according to Power of the CSI. "Who
companies hire makes the other end of the process easier."

Explicitly
laying down the law to existing staff on unauthorised systems access is another
deterrent. "Disgruntled ex-employees [who hack into internal systems] are
usually otherwise law-abiding citizens who just think they are sticking it to
the company," says Lynda Ford, senior director of HR consultancy The Ford
Group. "HR departments need to ensure employees understand that such
intrusion is a criminal act – this needs to be more than just an obscure
paragraph in the staff handbook."

The
importance of prevention is underscored by the fact that electronic vandalism
by former staff is no less devastating for its innocence. "Because they
are angry, they cause more damage than the average hacker," says Trahon.

Because
of their lack of a criminal mindset, estranged employees "tend to leave a
trail" that makes their crimes easy to crack, adds Trahon. But this offers
little comfort to victims.

Former
computer administrator-turned hacker Nicholas Middleton left footprints all
over the place that quickly led to his capture in 1998 (see Typical recent
cases, below). But this was only after he had inflicted more than $40,000 worth
of damage on his former employer, San Francisco-based Internet service provider
Slip.net.

Intellectual
property theft

Some
security loopholes are particularly difficult to close. Theft of intellectual
property makes up 90 per cent of the workload of consultancy Deloitte &
Touche’s San Francisco computer forensics laboratory. The crime is particularly
rampant because of the ease with which staff can download extensive
competitive, confidential data onto disk that can be sold to rival companies.

Meanwhile,
complicating matters for HR professionals is the threat posed by external IT
contractors (see Recent cases, below). Such temporary workers may lash
out if they feel they have not been properly reimbursed or feel otherwise
wronged, says Trahon.

Ultimately,
companies cannot eliminate all vulnerabilities. "When you lay off hundreds
of people, somewhere along the line the door is left open," says Kris
Hawarth, manager of the Deloitte computer forensics laboratory.

But
the personnel function can do a lot to reduce the organisation’s exposure to
disaffected ex-employees bent on digital retribution.

HR
measures play a key role in ensuring firms achieve the cost-cutting goal of
downsizing rather than leaving themselves open to unanticipated costs plus
damaging operational and public relations fall-out.

RISK
REDUCTION CHECKLIST

*
Revoke all IT systems access as soon as staff are notified of termination

*
Appoint a dedicated IT security manager

*
Carefully vet applicants for IT posts

*
Raise employee awareness of the criminality of unauthorised systems access

*
Be aware of risks posed by external IT contractors

RECENT
CASES

May
1999:
Disgruntled former computer administrator Nicholas Middleton was
sentenced to three years probation for hacking into ex-employer Slip.net’s
computer system. Middleton tampered with customers’ accounts and deleted
important databases costing the San Francisco ISP more than $40,000 in
investigation and recovery costs.

September
2000:
Disaffected former Federal Aviation Administration software engineer
Thomas Varlotta was convicted of stealing the only copy of the source code for
a vital program he co-developed for Chicago’s O’Hare airport. US authorities
recovered the code, vital to fix glitches in software used to transmit data
between onsite and offsite air traffic controllers, from Garlotta’s house but
needed eight months to unscramble the 14-digit password the ex-IT worker had
used to encrypted it.

December
2000:
Joseph Durnal was ordered to pay Peak Technologies, where he had
worked as an IT contractor, more than $48,000 after being convicted of hacking
its computer systems. Durnal sent e-mails with pornographic attachments,
supposedly from management, telling workers that the Columbia, Maryland-based
logistics firm was going out of business.

Comments are closed.