Insider Trading in Shanghai: Now With Computers!
Aggregated Source: Catching Mice in China
Shanghai Daily reports that a securities company’s IT administrator (Mr. Liang) stole sensitive information and sent it to a stock trader (Mr. Cai):
Cai was found buying a large amount of stocks of a listed company on July 14, last year, one day before the company announced positive news. Cai then sold all the shares he bought two days later, earning 38,000 yuan (US$5,100), the report said.
Authorities discovered the database had been hacked last November, the newspaper said.
38,000RMB in four months? Well the Shanghai Stock Exchange Composite Index (SSECI) only went up about 100 points over that period. They got caught right before the SSECI started going berserk in December ‘06. Even criminals can be the victim of bad timing.
The article lacks detail, but Mr. Liang apparently (er, allegedly) installed some “remote control” software on a server and used it to cull information. The nature of the information is not clear, but evidently it was enough to provide an advantage. Then it seems he decided to automate the process:
Liang also allegedly set up several blogs last July and August that could automatically invade his company’s database and publish confidential information on the Websites. Liang then released the information to some overseas Websites via his blogs, according to the newspaper.
I can only speculate as to what tools were used. But it would seem that Mr. Liang remotely accessed the server that stored the information. For an IT administrator this is both a simple and common practice. Why go into the office, or even walk to the server room, when it can be done remotely?
The publishing of data to the blogs is different. My guess is that the blogs weren’t “invaded” from the outside; more likely, a script was written to query the database, copy the information, and then post it to a blog via email. The blogs themselves could be private, requiring authentication to see their contents.
The technical details are irrelevant; the real story is every manager’s nightmare: the IT guy who has access to everything is stealing information. PC World follows up on this, reporting on the Computer Security Institute (CSI) and the FBI’s 2006 Computer Crime and Security Survey:
Both insider and virus incidents have been falling since a high in the year 2000, but this is the first time insider incidents have been more reported than viruses. The CSI defines such incidents in a very general way, covering abuses such as leaking or stealing company information, using pirated software, or accessing pornography.
The CSI steers away from drawing hard conclusions from the survey figures, noting more than once that security vendors have a vested interest in promoting their own particular area of business - including insider threats - as the most pressing one for companies to protect themselves against. This makes it hard to judge the seriousness - as opposed to the incidence - of specific threats.
The CSI is right to look at vendor reports with a grain of salt. However, there’s enough smoke to indicate a fire. The takeaway from the chart to the left, according to the summary paragraph in the report:
…even though most respondents do not see insiders as accounting for most of their organization’s cyber losses, a significant number of respondents believe that insiders still account for a substantial portion of losses.
536 respondents can hardly be characterized as a true representative sample. Nevertheless, the respondents are all security professionals working in both the public and private sectors and work for small to enterprise-sized organizations. The CSI has been doing this for eleven years and are a pretty level-headed bunch. This is a serious problem, albeit with limited actual evidence, that no one really likes to talk about.
So how do companies and managers protect themselves from people like Mr. Liang? It’s not easy. Security eventually boils down to trust. Someone has to be able to maintain computer systems, and this requires access. The best thing to do is to treat the hiring of an IT administrator (or contracting an IT service vendor) with the same level of seriousness as would be taken with a senior manager. Effective interviews, contacting previous employers, and digging deep into references are all important.
And after that?
- Understand the value of your data; that indicates what would be targeted
- Write policies and procedures for its protection, so that employees understand and are held accountable for IT asset security
- Deploy the right security technology in the right way; security only works when it’s used correctly and in reference to policies
- Log, log, log and review logs; it’s the simplest way to understand who is getting at what
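The log review from the last item, applied to the scenario guessed at earlier (a script that queries the database and mails the result out), as an added example that is not from the original post. The log formats, hosts, accounts, table names and thresholds are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
# Constructed sample logs; hosts, accounts and table names are hypothetical.
DB_AUDIT = """\
2024-03-04T02:00:04 host=db01 user=svc_report table=public_notices rows=40
2024-03-04T02:10:11 host=db01 user=dba_admin table=pending_announcements rows=312
2024-03-04T09:15:30 host=db01 user=analyst7 table=pending_announcements rows=3
2024-03-05T02:10:09 host=db01 user=dba_admin table=pending_announcements rows=298
"""
MAIL_LOG = """\
2024-03-04T02:11:02 host=db01 from=root@db01 to=post@blog.example bytes=48211
2024-03-04T10:00:00 host=mail01 from=hr@corp.example to=staff@corp.example bytes=900
2024-03-05T02:10:55 host=db01 from=root@db01 to=post@blog.example bytes=45102
"""
SENSITIVE = {"pending_announcements"}   # tables holding unreleased information
INTERNAL_DOMAIN = "corp.example"        # mail staying inside this domain is ignored

def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    out = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        out.append(rec)
    return out

def read_then_mail(db_text, mail_text, window=timedelta(minutes=5), min_rows=100):
    """Flag bulk reads of sensitive tables followed, on the same host and
    within `window`, by mail leaving the internal domain."""
    mails = [m for m in parse(mail_text)
             if not m["to"].endswith("@" + INTERNAL_DOMAIN)]
    hits = []
    for q in parse(db_text):
        if q["table"] not in SENSITIVE or int(q["rows"]) < min_rows:
            continue
        for m in mails:
            if m["host"] == q["host"] and timedelta(0) <= m["ts"] - q["ts"] <= window:
                hits.append((q["user"], q["ts"].isoformat(), m["to"]))
    return hits

def repeat_offenders(hits, min_days=2):
    """Accounts whose read-then-mail pattern recurs on several days (automation)."""
    days = {}
    for user, ts, _ in hits:
        days.setdefault(user, set()).add(ts[:10])
    return sorted(u for u, d in days.items() if len(d) >= min_days)

if __name__ == "__main__":
    print(repeat_offenders(read_then_mail(DB_AUDIT, MAIL_LOG)))
```

Because the account being reviewed may administer the database host itself, the review is only meaningful if the audit and mail logs are shipped to a system that account cannot modify.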
And after that? I think of one of Ronald Reagan’s favorite little aphorisms: “trust, but verify”. If you’re really worried, get an outside opinion from a reputable security services consultant - and don’t tell the IT guy.
Further Reading
The original story, in Chinese, can be read at Sina.com here
The Computer Security Institute. Access to the report requires registration.
Copyright Catching Mice in China