Three weeks after losing his job as a help-desk employee, David Ernest Everett Jr. launched an attack against his former employer, Wand Corporation, which designs and manages back-office and point-of-sale systems for fast-food franchises. Without even entering the company's headquarters in Eden Prairie, Minnesota, Everett was able to wreak havoc on the family business and its clients. His weapon? A so-called logic bomb, malicious software code designed to disrupt a company's IT infrastructure or destroy its data.
Companies have long been on guard against the threat of outside hackers, but recent attacks from insiders have some business owners nervously eyeing their own IT workers. An IT contractor who had been fired from Fannie Mae was indicted in January. He allegedly used his company-issued laptop to insert bad code into one of the company's programs on the day he was let go. According to FBI investigators, the logic bomb would have wiped out all of Fannie Mae's servers had it not been discovered in time. "These types of insider attacks happen to businesses of all sizes, from small companies to very large corporations," says Dawn Cappelli, an insider-threat expert at the Carnegie Mellon Software Engineering Institute.
For Wand Corporation, the warnings about insider threats came too late. Using his old employee login, Everett got access to Wand's computer system and uploaded malicious files to about 1,000 of the company's restaurant management systems across the country. The files, which Everett set to launch when a computer was restarted, were designed to corrupt a restaurant computer's operating system until it was unusable. "When we saw so many systems going down with the same set of circumstances in such a short period of time, we knew it was too big to be a coincidence," says Dave Perrill, Wand's vice president.
Perrill contacted the FBI. "They were at our facility within hours," he says. The bureau helped Wand repair its systems and preserve evidence for a criminal prosecution. All told, Everett's attack destroyed 25 computers. Fixing the mess, including sending new computers to customers via overnight delivery, cost about $49,000. Everett pleaded guilty in federal court in January and faces up to 10 years in prison.
How can companies reduce the likelihood of such inside jobs? "Password management is critical," says Cappelli. After layoffs, companies should immediately eliminate password access for ex-employees and have all remaining employees change their passwords, she says. Cappelli also recommends changing passwords created for training sessions or test accounts. "We've seen disgruntled employees use those kinds of accounts to get back at a company," she says.
At least one person typically needs full access to a company's systems. But experts recommend separating duties when possible. Instead of giving the entire IT staff free rein, clearly define and limit who has access to each system. For example, an engineer who has been hired to maintain your e-mail servers should not have access to the accounting systems.
Given that many insider attacks are a response to what the employee feels is unfair treatment, such as being passed over for a promotion, keep an eye out for behavioral changes, suggests Arnette Heintze, principal of Hillard Heintze, a Chicago-based security advisory firm. Tip-offs might include frequent arguing with co-workers, making hostile statements about the company's owner, or even eating lunch alone after previously preferring to eat with the group.
Tech-heavy companies that work with sensitive information may find it worthwhile to invest in software designed to detect logic bombs. Applications from companies such as Solidcore Systems and Tripwire will monitor a company's IT systems and flag any suspicious changes. Prices start at about $75 per license for Solidcore and $2,000 per license for Tripwire.
If an employee discovers what appears to be a logic bomb, contact the FBI right away, says Cappelli. Unless your business has a computer forensics specialist on board, company staff members trying to investigate insider sabotage could damage key evidence needed to identify and prosecute the culprit.
After its bad experience, Wand Corporation has gotten more savvy. Now, for instance, passwords of ex-employees are deleted immediately, and several of the company's employees perform periodic system audits to look for vulnerabilities. "We've undergone a bit of a paradigm shift in terms of focusing on internal threats," says Perrill. "Obviously, we've learned from this experience."
For more research on IT sabotage and a detailed guide to preventing and detecting insider threats, visit Carnegie Mellon's Software Engineering Institute on the Web at cert.org/insider_threat.