Categories
Latest
Popular
rssfacebooktwittergoogleplus
As seen on:
forbes the new york times smallbiztrends alltop bizsugar

The Main Online Security Risks: People

You can keep your firewall up to date, the operating systems patched, applications updated and security protocols documented but users are always an Achilles heel to every system.

A company’s customer data is an asset in need of protection. Sky experienced a whole scale plundering of its customer data by an employee who was in cahoots with a former employee. This person had founded a new business, Digital Satellite Warranty Cover Limited (Digital), repairing and servicing Sky satellite dishes. The accessing of Sky’s confidential customer data was an intrinsic part of the business plan at Digital Satellite Warranty Cover, and is an example of a “purchase key” attack. This is where rather than gain access to a system by say brute force attack over the wire, the attacker simply pays an employee to hand over the data held behind a secure system. In this case the employee was caught by Sky by seeding the data with entries that were only provided to the employee in question.

Back in 2008 the city of San Francisco faced the major issue of a systems administrator going rogue. Terry Childs a disgruntled network systems administrator at the city’s Department of Technology decided that it would be a good idea to lock out all the other administrators from the new FiberWAN Wide Area Network and hold on to his passwords even after police pressure to reveal them. The system was essential to the city’s payroll, justice system including data for the police, courts and city jails. It took a staggering $900,000 attempting to regain control of the network, presumably in consulting fees and brute force computing power to try and crack Child’s passwords. The stand-off only ended after eight days when Childs eventually revealed the passwords to the Mayor of San Francisco. In court, it was identified that Childs had subversively avoided audit checks.

Yung-Hsun Lin a former systems administrator for Medco Health Solutions chose sabotage as his weapon against his employers. Fearing being laid off in a round of job cuts he programmed and planted a script to run after he assumed he would have been made redundant. The script known as a “logic bomb” virus was aimed at wiping out drug trial records, employee payroll information and billing information spread across over seventy servers. It was only through good fortune that another systems administrator identified the code and the system was cleaned before any damage could be done.

Current employees are not the only source of danger, Gucci, the Italian Luxury goods maker experienced an attack six months after it sacked a network administrator. The administrator gained access via an old unauthorised VPN access he had setup whilst still in Gucci’s employment.

Background checks are essential when recruiting IT staff that will have the keys to the kingdom. Continual security audits to identify the systems that administrators have been accessing is essential. Password protocols for who ultimately controls a system must be implemented and reviewed to make sure one individual cannot wrestle control of an entire system from his or her employer. Often outsourcing much of your IT to a cloud provider with experience in these matters is a cheaper option than implementing your own systems.

About the Author: Ben Jones is a technology writer, particularly interested in how technology can help businesses large and small. He's been assisting businesses in setting up cloud based IT services to a number of businesses around the south of England. Follow him on Twitter or .
More posts from Ben Jones »

featured video

Please buzz this post:

Shares
Subscribe - get a free biz idea book:
How to Turn Business Ideas Into Real Income?
Learn from Jeet Banerjee, serial entrepreneur
$10 OFF - CODE: NOOBPRENEUR
udemy TAKE COURSE
  • http://www.noobpreneur.com/ Ivan Widjaya

    Hugh,

    Indeed – he is one popular example… at a different level, though :)

  • http://www.noobpreneur.com/ Ivan Widjaya

    Julie,

    Ah yes- that typically happens. Perhaps a legally binding agreement can prevent such things to happen?

  • http://www.callboxinc.com/ Julie Dawn Harris

    These types of cases usually occur to employees that are about to get fired and feel bitter that they mess up with the systems for “revenge”. They may not be able to avoid these kinds of behavior because people are people, but only advanced security measures can prevent them from imposing risks on the company. I believe your suggestions will lessen these criminal acts in the near future.

  • Hugh Tyzack

    A mention of Edward Snowden would also be worth it, same story, different background – and hopefully a different outcome as well!