An employee of a company who performs exploits within the company’s networks. Hackers are authorized to find vulnerabilities in a company’s networks and to fix them, whereas crackers exploit the flaws without having the authorization to do so—usually for some personal gain.
Insiders who crack the system to cause damage are often angered employees who have been fired from their jobs and have the computer skills to cause damage. They can, for example, plant logic bombs that do damage after the employees leave. One of the most discussed “insider” crack attacks happened in 1996 at Omega Engineering, where an employee, Timothy Lloyd, sabotaged the company’s network with a logic bomb. He apparently did this as an act of revenge for being fired. That exploit cost the company $12 million in network damages and forced the eventual layoff of about 80 employees. Because of all the money it took to recover from this incident, Omega Engineering said it lost its lead in the marketplace.
More recently, on March 11, 2005, Kaiser Permanente notified 140 patients that an angry former employee had posted confidential information from the firm’s electronic files on her Weblog. The ex-employee, Elisa D. Cooper, calling herself the “Diva of Disgruntled,” said in her defense that the company included private patient information on its Website. All she was doing, she said, was informing the company of its self-created problem. Under the HIPAA legislation, the Diva of Disgruntled, if found guilty, could be made to pay $250,000 in fines and spend 10 years behind bars for unauthorized disclosure of clients’ personal data. To date, a fine of $200,000 has been imposed on the company by California State Regulators for illegally disclosing patients’ personal information on the Internet. The case against Cooper has not been finalized.
Another way that insiders may take revenge on a company is not to exploit the company’s network but to send proprietary information over the Internet to competitors. One such example was reported in 2005 when Shin-Guo Tsai, a permanent resident in the United States and an employee of Volterra Semiconductor Corporation in San Francisco, emailed computer chip design data from his company’s computers to a potential rival company in Taiwan. Though Tsai announced to his employer that he was returning to Taiwan to get married, when FBI agents appeared at his door in February 2005, he admitted that he had sent proprietary information to CMSC, Inc., a Taiwanese start-up company involved in a business line similar to Volterra’s. If convicted of the charges, Tsai could find himself behind bars for 10 years. He pleaded guilty and is awaiting sentencing.
Given these incidents, it is not surprising that even back in 1998, the CSI/FBI survey findings disclosed that the average cost of successful computer cracks by outsiders was $56,000, whereas the average cost of malicious acts perpetrated by insiders was $2.7 million. While the average cost has gone down to $24,000 in the 2005 CSI/FBI survey, the number of incidents has risen sharply. Three-quarters of the surveyed organizations reported a financial loss. Insider crackers appear to do far more damage to companies’ computers than do outsider crackers.
So what personal traits do these damage-causing insiders have? After analyzing a pool of more than 100 cracking cases provided by computer crime investigators, prosecutors, and security specialists over the 1997–1999 time period, researchers Eric D. Shaw, Jerrold M. Post, and Kevin G. Ruby said that insider computer criminals tend to be:
• Troubled by family problems in their childhoods
• Introverted individuals who admit to being more comfortable solving cognitive problems than interacting with others in the workplace
• More dependent on online interactions than on face-to-face interactions
• Ethically flexible individuals who can easily justify ethical violations
• Of the opinion that they are somehow special and thus deserving of special privileges
• Lacking in empathy and thus seeming not to reflect on the impact their behaviors have on others or on the company
• Less likely to seek assistance from supervisors or from workplace support groups such as Employee Assistance Programs (EAPs) when they have personal issues
Ostrov, B.F. 140 Kaiser Patients’ Private Data Put Online. [Online, March 11, 2005.] Knight Ridder Website. http://www.siliconvalley.com/mld/siliconvalley/11110907.htm; Rogers, M. The Insider Threat: Debunking the ‘Wagon Wheel’ Approach to Information Security. [Online, March 3, 2005.] TechTarget Website. http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1064080,00.html?track=NL-358&ad=506624; Schell, B.H., Dodge, J.L., with S.S. Moutsatsos. The Hacking of America: Who’s Doing It, Why, and How. Westport, CT: Quorum Books, 2002; Tanner, A. Man Charged with Passing Chip Design Information. [Online, March 1, 2005.] Reuters Website. http://www.reuters.com/audi/newsArticle.jhtml?type=technologyNews&storyID=7766193.