What do you do when you suspect that an employee you have entrusted to keep your network running has sabotaged it for revenge or financial gain?
Brokerage UBS is the latest company to find itself in the spotlight as a result of that dilemma. In June, former UBS systems administrator Roger Duronio went on trial in Newark, N.J., for allegedly infecting UBS’s network with malicious code that cost the company millions of dollars. (A verdict on federal charges of securities fraud, computer sabotage and mail fraud was pending at press time.)
During the trial, prosecutors painted Duronio as having been so irate about his less-than-desired bonus that he developed malicious code in order to cause a major disruption on UBS’s network. Lawyers defending Duronio, who pled not guilty, claimed that vulnerabilities in UBS’s security procedures and systems left the network open to attack.
Prosecutors alleged that after Duronio created the code in late 2001, he quit his job and banked thousands of dollars in put options on UBS, from which he would have profited if the company’s stock price declined as a result of the attack that was set to launch on March 4, 2002.
The malicious code impaired trading at the firm that day, hampering more than 1,000 servers and 17,000 workstations, and the damage cost UBS about $3 million to assess and repair.
Such cases are becoming increasingly common, according to Kristen Mathews, an attorney with Brown Raysman Millstein Felder and Steiner in New York.
While laws are maturing to handle these types of suits, she says, businesses still face challenges gathering evidence to support their cases. Another obstacle to litigation is that many companies are reluctant to enter into public lawsuits that may attract negative media attention. Before the trial began, UBS petitioned the court unsuccessfully to close the proceedings.
“It’s common for a company to have to defend its own security policies and procedures at the same time they’re prosecuting against a person who managed to get by those policies and procedures,” Mathews says.
So, how can a company defend against insider attacks? To begin, companies should make an effort to protect themselves against insider attacks as well as external ones, says Erik Hart, VP and information security officer for Cole Taylor Bank. “At many businesses, things put in place to protect from Internet attacks haven’t been applied to internal threats,” he says. And insiders have more targets, such as payroll applications.
At Cole Taylor, Hart is employing security information and event management tools from Network Intelligence to help defend against internal threats, including monitoring systems that IT administrators can’t access. But Hart notes that the best prevention is to understand how information flows in your business and to continually monitor that flow. “You have to be proactive about monitoring the network on a daily basis,” Hart says.