July 2007
Vol. VII | Ensuring that you stay ahead

Insider Threat

A Serious Challenge

Organizations across the globe face a serious threat from hacking. I must admit that the word “Hacker” is predominantly misused. According to the Internet Users' Glossary, RFC 1392, a hacker is “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where "cracker" would be the correct term.” Cracker is the rightful term for a person who gains unauthorized access to any network or system.

As we expand our business horizon, the complexity of the technology that we depend on increases. This increased dependency on technology has made organizations across the globe more vulnerable to digital attacks. Even the best line of defense may fail if there is one malicious employee within the organization.

I have listed three scenarios. Each of them showcases different ways of possible insider attacks.

Scenario 1: Spying the way to success

Your business competitor sends a spy into your organization, to leak confidential information related to your business.

An attempt to sabotage a business organization’s operation by leaking secrets is termed corporate espionage. Your business competitor can send an accomplice disguised as a candidate to interview for the post of system administrator, for example. The competitor will make sure that his spy is selected in the interview.

The spy will have the best skills and great experience that suit your requirement exactly. He will answer questions intelligently during the interview while concealing his real intentions. It is quite possible that the competitor would send more than one prospective spy for the interview so that there is a high probability of one of them getting selected.

There have been instances in the past where organizations were unaware that their business secrets were being leaked to a competitor by a spy. By the time you realize it, the spy will have already completed his assigned task and left the job.

Scenario 2: It’s payback time

One of your employees is not happy with his current performance appraisal. He feels that his work is never recognized by your organization. I am sure there is no organization in the world that does not have such employees working for it. These employees are termed “disgruntled employees”.

Such employees are easy targets for your competitor. Competitors can lure them with ease, promising them extra money and probably a better post in the competitor’s company if they leak sensitive information.

Scenario 3: Need for extra income

There are employees who are happy with their work and organizational culture. Yet with flamboyant lifestyles, young professionals find it difficult to make ends meet. A sting operation conducted by Channel 4 in October 2006 exposed a scam involving a call centre employee from India. The call centre employee was caught while trying to sell the credit card details of 200,000 people.

Most organizations in India do not have their employees sign “Accepted Usage Policy” guidelines. This policy lists the dos and don’ts that each employee should follow while handling computer systems within the office, accessing websites, using media and so on. Organizations should also make their employees sign a “Non-Disclosure Agreement”, or NDA. This agreement makes the employee agree to the organization’s terms and conditions. The employee can be held guilty in a court of law if he or she defaults on the agreement.

We can curtail data theft by following a policy of “NO MEDIA IN, NO MEDIA OUT”. This will make sure that USB drives, Media Discs, PDAs and other storage devices are not allowed within the organization.

Insider threats cannot be avoided, but we can prevent the untoward incidents that might take place if we act ignorant.

Ignorance is no longer Bliss!

Sources:
http://www.faqs.org/rfcs/rfc1392.html
http://www.theregister.co.uk/2006/10/05/india_exposed/

 
   
© 2007 IBSAF WORLD