Skip to content

When Insiders Attack

A study based on interviews with insiders who had been apprehended after attacks on company networks found that systems were vulnerable to the simplest exploits.

The study, conducted by the U.S. Secret Service and Carnegie Mellon University’s CERT/CC, found that more than 60 percent of the 49 attacks examined in the study were carried out with “relatively unsophisticated methods of attack,” such as social engineering; only 39 percent used a toolkit or other program designed to cause havoc.

More than a quarter of the insiders had been terminated or already resigned when the attacks took place, but their employers did not disable their access to the network. And more than half of the attacks were conducted remotely, with a similar percentage taking place after hours or on weekends.

Who were these attackers? Most were former employees or contractors who had been fired (48 percent); and while most (86 percent) had technical positions such as system administrator or programmers, 10 percent had professional positions such as editor, manager, or auditor. Almost a third of those insiders had an arrest history, typically for nonviolent, alcohol-related, or drug-related offenses.

The study found that 90 percent of these insiders faced criminal charges, most often federal charges; 83 percent were found guilty by trial or by plea. Forty-two percent of the offenders went to prison from 2 to 41 months, and 59 percent were ordered to pay restitution ranging from $100 to $2 million.

Who did victims call when they discovered a problem? Victimized organizations contacted local police departments or local prosecutor’s offices at about the same rate as they did federal law enforcement agencies or U.S. attorney’s offices.