Verdict's In: No One's Ever Completely Safe From The Inside Threat

The trial of a systems administrator found guilty last week of attacking the network he was supposed to protect sent a clear message: No matter what security you have in place, it's probably not enough to protect your network from one of your own.

That was the case for UBS PaineWebber, which was hit by a logic bomb in March 2004. A jury found Roger Duronio guilty of computer sabotage for building, planting, and distributing the malicious code that brought down nearly 2,000 servers. Prosecutors maintained that Duronio, who had worked at UBS for about three years, was unhappy because his annual bonus was lower than he'd expected.

The jury also found Duronio guilty of securities fraud because he bought nearly $25,000 worth of put options on UBS stock in the weeks before the attack. Put options pay only if the stock takes a dive. Duronio was counting on the attack pushing UBS's stock price down, giving him a windfall that would make up for his bonus shortfall and fix his reported financial problems, prosecutors said.

Duronio was acquitted on two charges of mail fraud.

Assistant U.S. Attorney Mauro Wolfe, the lead prosecutor on the case, says he will push for the maximum sentence of six and a half to eight years in federal prison because of the "egregiousness" of the crime. Duronio is set to be sentenced on Oct. 30.

It isn't known if Duronio will appeal. Chris Adams, Duronio's defense attorney, didn't return calls.

Victim Under Attack
During the seven-week trial, Adams painted an ugly picture of UBS's security infrastructure and practices. He hammered on the fact that all the root users on the Unix-based system had the same password and that UBS logs weren't able to track which root user was giving commands on the system. He also focused on a back door found on a server in the main data center the year before the attack. UBS security was so riddled with holes, Adams said, it was impossible to tell who might have "masqueraded" as his client and planted the logic bomb.

But a forensics investigator who spent more than three years analyzing backup tapes, logs, and source code from UBS's network says the company's security setup was solid. "It was strong," says Keith Jones, the government's star witness and director of computer forensics and incident response at Mandiant, an information security company. "They knew where their weaknesses were, and they were trying to address them. UBS did a lot of things right."

Alan Paller, director of research at the SANS Institute, says it's easy to identify a few problems and make them look like a security fiasco. "You can do 5,000 things right and only one thing wrong, and that's what they'll rake you over the coals with," Paller says. The real issue here, he adds, is the insider.The Insidious Insider
An employee is already inside the perimeter, past the majority of protective technologies, like firewalls. That employee also knows what information is most vital to the company, has knowledge of passwords, and probably knows which kinds of computers and operating systems the company runs.

If that employee works in IT, he has access to the inner workings of the infrastructure, and he possibly even has root-level access, which would give him wide-ranging control over the system. Companies must be mindful of employees who have that much power over the well-being of the network, says Assistant U.S. Attorney V. Grady O'Malley, a prosecutor on the Duronio case.

"You have to be incredibly vigilant when you're talking about trusting a system to people," O'Malley says. "Who is the person working on our network? Has he exhibited problems we should be worried about? Is he in a position to do damage if he wants to do damage?"

O'Malley also says it's not fair to focus on security problems that UBS might have had at the time of the attack. "Whether their system was flawed or not, they still had the Duronio factor," he says. "Regardless of the security measures you have in place, if the guy you're tasking to make sure the system is protected wants to hit you, then it doesn't make any difference what you've done."

IT professionals need high-level system access to do their jobs. That means technologies and processes need to be put in place to prevent them from ever doing damage, says Ken van Wyk, principal consultant with KRvW Associates. Even with those, a company won't be fully protected from an insider attack, but it won't have any soft underbellies.

First, put checks and balances in place. One administrator can build code, but a second administrator must approve it before it can go live. Van Wyk also recommends limiting the number of root users and putting role-based privileges in place.

High-level access should be limited to as few people as possible, and everyone should have his or her own user ID and unique password to help keep a granular log of which users are making changes and issuing commands on the network, says Andi Mann, an analyst with Enterprise Management Associates.

Sending a clear message that people are watching also is a good deterrent, Paller says. "You need granular logging and log monitoring that gives people the feeling that somebody omniscient is out there watching them all the time," he says. "And you have to demonstrate that omniscience a few times. Somebody visits a porn site and you walk in and say, 'Do you really want to visit those sites from work?' Somebody else downloads something to a thumb drive and you ask them where the thumb drive is. Let these stories spread through the system."

UBS isn't an isolated case, prosecutor O'Malley says. "Sure it will happen again. And in all likelihood it will happen because of an insider. ... They always say, 'Oh, he was a trusted insider.' Bingo! That's the problem. He was a trusted insider."