03 January 2007

Insider Threat: Web 2.0 Wild West...

The Insider Threat is an Operational Risk that will never go away. It is without a doubt going to be a continuous issue for the Board of Directors, Corporate Management and shareholders for years to come. Fortunately, justice has recently sent a clear message about the implications of unleashing malicious code on a network.

The former systems administrator convicted this past summer of launching an attack on UBS PaineWebber four years ago was sentenced to 97 months in jail in U.S. District Court in Newark, N.J., on Wednesday.

Roger Duronio, 63, of Bogota, N.J., stood quietly and didn't react as Judge Joseph Greenaway Jr. handed down the sentence. "This is a sophisticated crime," said the judge. "This wasn't an instance when an individual argues that 'I had a bad day and I made a mistake.' Its undoubtedly that Mr. Duronio, having felt wronged, came up with an elaborate, sophisticated scheme to take down a company." Judge Greeaway added that he was struck by Duronio's attempt to not only disrupt the company but to derive financial benefit from it.

Duronio was found guilty of computer sabotage and securities fraud for writing, planting, and disseminating malicious code -- a so-called logic bomb -- that took down up to 2,000 servers in both UBS PaineWebber's central data center in Weehawken, N.J., and in branch offices around the country. The attack left the financial giant's traders unable to make trades, the lifeblood of the company, for a day in some offices and for several weeks in others.

Executives at UBS, which was renamed UBS Wealth Management USA in 2003, never reported the cost of lost business, but did say the attack cost the company more than $3.1 million to get the system back up and running.

"If it doesn't send a message, people aren't listening," said Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the case. "If giving the maximum for this crime doesn't send a message to people with the ability to commit a crime and to the people who employ them, they're not paying attention. The potential for the impact of an insider is uncalculable."

Whether you have an unknown system admin working against you because they didn't get a raise last year or the corporate espionage ring selling secrets or identities it will continue to increase over time. This has to do with the new generation of employees who have grown up using the Internet and downloading intellectual property or open source software. It's the wild wild West and the policies and ethics workshops are nothing more than a compliance officers single strategy of justifying their existence.

The Web 2.0 is changing these employees attitudes about sharing everything. Many of them come to the organization with a profile on Facebook and don't have any qualms about sharing their own private information. The leaks to the press on major M & A deals should be enough evidence that good old fashioned ethics are in jeopardy.

The Insider Threat in a Web 2.0 world is not only here to stay. It is just getting started.

No comments:

Post a Comment