Thales Blog

From Terry Childs To Edward Snowden – The Evolution Of The Insider Threat

September 12, 2013

The threat from within is a topic I find myself discussing with more and more people. The concept is by no means new to our industry, but over the past few months the topic has had something of a resurgence, attributable mostly to a certain Edward Snowden. To that end, we are going to dedicate more time on this blog over the coming weeks to this very subject, running through the various factors that make up the Insider Threat and sharing our own thoughts and research on the issue.

So when did Insider Threats first start making headlines? One of the first major incidents in recent history occurred in the US and centred on Terry Childs, a network administrator in San Francisco's Department of Telecommunications and Information Services (DTIS). Childs was arrested in July 2008 after refusing to hand over the administrative passwords to the city's FiberWAN network, passwords that he alone held, leaving the city unable to administer its own core network. It was only after a visit from the San Francisco mayor, nine days after his initial arrest, that Childs handed over the passwords and the city regained control of the network. He was sentenced to four years in prison.

It seems unfathomable today that one person could hold such control over an entire network, with the power to bring it to a complete standstill, but that is the danger of the Insider Threat. A single administrator who is the only holder of privileged credentials is a single point of failure, whether through malice, accident or simply unavailability. Fail to have the correct policies and procedures in place, and you run the risk of leaving your company wide open to exactly this kind of attack.

There have been numerous other incidents along the way. Take Jason Cornish, the IT administrator from Georgia who accessed the network of his former employer, the US subsidiary of Japanese pharmaceutical company Shionogi, from the public Wi-Fi of a McDonald's restaurant using an old account that had never been disabled. Cornish deleted 15 VMware hosts running the equivalent of 88 servers that supported business-critical services, including the company's BlackBerrys, email and order tracking, causing an estimated $300,000 worth of damage. In 2011 he was sentenced to 41 months in prison and ordered to pay $812,567. The lesson is an old one: credentials and accounts must be revoked the moment someone leaves, not whenever someone remembers.

Then there was the disgruntled former Manhattan-based Gucci employee. Sacked for abusing his employee discount and selling the goods in Asia for a profit, he sought revenge on the company by remotely breaking into Gucci's network. Using his knowledge of the administrator passwords, which had not been changed after his departure, he shut down servers and deleted email, bringing the network to a standstill for more than a day and causing hundreds of thousands of dollars in lost productivity and remediation costs. He was sentenced to up to six years in state prison in 2012. Hardly the Gucci lifestyle he seemed to crave!

Jump forward to today and where are we now? As you will undoubtedly have read on this blog, the Edward Snowden incident revealed more about the sinister nature of the insider threat than any case before it. The incidents above brought companies to a complete standstill and caused hundreds of thousands of dollars' worth of damage, which is not to be sniffed at. But where those insiders destroyed systems, Snowden quietly copied data, and the Snowden incident brought a whole new dimension to the threat and opened everyone's eyes to the far-reaching scale of the problem.

I won't go into the details again, as Bob Bigman, former CISO of the CIA, ran us through the salient points perfectly only recently. Suffice it to say that this is a growing problem, but not one without a solution.

And this is what we are going to explore over the coming weeks in our special "Insider Threat" blog series. You can expect to hear more about the true threat to organisations today and the steps that can be taken to mitigate the risk. So make sure you stay tuned!

We’d also love to hear more from you on this theme, so please continue to share your thoughts with us here.