I read this great story by Sharon Gaudin titled Laid-off sysadmin arrested for threatening company's servers:
A systems administrator was arrested in New Jersey today for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off...
Viktor Savtyrev, of Old Bridge, N.J., was arrested at his home Monday morning. He faces two charges under the federal cyberextortion statute...
Late in the morning of Thursday, Nov. 6, Savtyrev allegedly used a Gmail account to e-mail the company's general counsel and three other employees, saying he was "not satisfied with the terms" of his severance, according to FBI Special Agent Gerald Cotellesse in the complaint. Savtyrev allegedly threatened to cause extensive damage to the company's computer servers if it would not increase his severance pay, extend his medical coverage and provide "excellent" job references.
The sysadmin also threatened to alert the media after attacking the server.
Now, I know many of you are saying "See! The insider threat is so terrible!" I look at this story and think the opposite. This story exemplifies the point I made in Of Course Insiders Cause Fewer Security Incidents. If the potential intruder in this case had been an adversary in East Slobovia, the victim company would have no recourse. The bad guy could take whatever action he wants because no one can touch him.
Because the potential intruder was an insider, the victim company knew who he was, where he lived, and could enlist law enforcement help to arrest him.
Like I also said in the previous post:
However, as I've said elsewhere, insiders will always be better informed and positioned to cause the most damage to their victims. They know where to hurt, how to hurt, and may already have all the access they need to hurt, their victim.
This is another strike against those who believe in vulnerability-centric security. No company has air-tight defenses, so even if you do a good job revoking access from ex-employees, they can still strike back. At least when they are former insiders you have a chance of putting them out of commission by striking at the threat, not patching more holes.
Richard Bejtlich is teaching in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.