EMPLOYEE HACKING: THE NEW INSIDE JOB

Joseph Kummer, Terri Berry, Brad White

Post on 27-Dec-2015

Summary

1. Specific instances of employee hacking and the consequences which resulted therefrom.

2. How employees utilize their positions within an organization to obtain sensitive information and then briefly discuss their various motivations for doing so.

3. Various methods and techniques for preventing employee hacking and potential modifications to accounting laws and regulations relating to internal controls and IT security that would assist in ensuring that businesses allocate sufficient resources for the protection of sensitive information from their own employees.

Specific Incidents

1. Gucci America Inc.

2. U.S. State Department

3. Education Logistics

4. Akimbo Systems (f/k/a Blue Falcon Networks),

The How and Why

Extensive knowledge of the system and the company

Possess necessary access credentials

Understand the security systems in place and related control mechanisms and know how to avoid controls and detection

TRUST!!!

Intentionally cause damage to the company

Recklessly cause damage to the company

Personal financial gain

Sale of trade secrets

Sale of financial or other insider information

Sale of authorization/access codes and/or knowledge of the system

Prevention

Promote information security as an organizational goal

Obtain top level support for making information security a priority

Implement proper access and authorization controls

Change access and authorization controls on a regularly scheduled basis

Monitor employee access records

Deprovision user access as appropriate

Federal and state governments protect 3rd parties

Require implementation of security and confidentiality procedures and technology

Require strict access control policies, including deprovisioning policies

Require monitoring of employee access

Require reporting of unauthorized disclosures, access and/or breach