IT to the Rescue: IT Pros Save the Day
When someone inside an organization steps across legal or ethical boundaries, an IT professional is often the first -- and sometimes last -- line of defense. These are the stories of IT people who have thwarted malfeasance in their organizations -- and there's advice for aspiring IT heroes, too.
Congratulations, IT professionals. You are the modern superheroes.
OK, sure, you might not look the part. After all, old-school superheroes wore capes, skin-tight suits and sometimes masks.
As effective as all of that stuff was in comic books of yore, though, it wouldn't do much good in today's real world. Much of the crime Superman prevented with his bare hands is now a stark reality online. As IT pros with the keys to the corporate kingdom, you are on the front line of sniffing out and putting a stop to unethical and illegal activity in your organizations. User-monitoring software, a sharp eye for network anomalies and some plain-old business savvy are your best weapons.
We're passing on the sagas of you, the IT heroes: tech pros who have used their powers to rid workplaces of fraud, crime and corruption. And while you've made plenty of internal busts inside your organizations, your tales aren't just about catching the bad guy in the next office. You've also exonerated the innocent within your company walls and blocked criminals trying to victimize fellow employees or break into your network from the outside.
Stand tall, IT heroes. These are your stories. (In some cases, we've changed the real names of people mentioned in this story because of the sensitivity of the tales they were willing to share with us.) And for those readers who are still aspiring heroes, we'll tell you how you, too, can fight crime like a modern-day tech superhero.
Sex, Lies and the Double Whammy
While many observers might think of IT heroes as nabbing wrongdoers for stealing money from an organization or selling critical IP to a competitor -- and there are certainly examples of those activities -- sometimes alert IT pros can detect and help put an end to darker, more disturbing activity. Andrew Walls, research director at Gartner Inc. and former IT security pro, tells the story of how he and his team put a stop to some disquieting activity at a university.
"A faculty member was preying on young female students and coercing them into sexual liaisons," Walls says. "The evidence used to prosecute this person and put [him] in prison for some time was e-mail exchanges.
"We were able to determine that the [faculty member's] e-mails were all forgeries," Walls continues. "He was using them as evidence to say that everything was willing and informed consent. The evidence had all been faked. We were able to demonstrate that the time stamps on the e-mails were all wrong; the content didn't match. He had no evidence to defend his case. Skilled insider agents will use IT to justify their actions and support their claims of innocence. Sometimes the job of an investigator is not only to find evidence that damns the person but to refute evidence offered by the person."
Pornography remains a major problem for many organizations, with employees wasting time viewing inappropriate Web sites. But porn problems rarely sink to the level of the actual sex crimes that Walls describes; most of the time, employees are fired or disciplined internally without any legal action involved. That's not the case, though, when an employee is caught at work surfing illegal porn sites that exploit underage models.
When that same person is also involved in insidious internal competition with his employer, it's a double whammy. That's just what Sylvia -- who runs a multimedia company in the South, and had to take IT matters into her own hands when an employee got out of control -- experienced. She asked that we not use her real name.
Sylvia wondered why one particular employee was taking a long time to finish projects. She noticed that he was behaving oddly; he would minimize his screen when she walked into his office, and he turned his monitors so that their screens wouldn't be visible from the office door. She tasked a tech-savvy employee with watching SpectorSoft Spector 360 monitoring software, but Sylvia never heard much back from her. All employees at the company knew their activities were being monitored. So, Sylvia pursued her suspicions and looked at Spector 360 herself. The tech worker tasked with monitoring users would ultimately leave the company before Sylvia made a terrible discovery.
What Sylvia found with Spector 360 was 14,000 clicks by the shady employee on a particular Web site. She clicked the site with the most visits and saw what she didn't want to see -- not just porn, but porn involving people who were underage. The smut was apparently a big preoccupation for the employee who wasn't getting projects done on time.
"He would go to his car and look at his computer," Sylvia says. "We found out he was downloading to a thumb drive. It was 75 to 80 percent of the day. It was that bad."
Furious, Sylvia called the police, who investigated but didn't arrest the employee. Police told her that no judge would take the case, despite it being obvious that the people in the pornographic images were young teenagers. "[Judges] have been burned so many times with child pornographers that the judge wants [people in porn images] to look like they're 10," Sylvia says. In her state, Sylvia says, "[police] cannot monitor businesses' Web site traffic the way they can monitor people at home."
But Sylvia could monitor it, and Spector 360 turned up more than just porn. Apparently, the same employee -- along with another employee, who didn't know about the porn -- had started a business within Sylvia's company and was competing with her, selling to her clients and undercutting her on prices while using her offices, equipment and competitive data.
"He and another graphics guy had started a business," Sylvia says. "The terrible thing about it is he was checking his e-mails and doing his work on my time. Our non-compete clearly states that you do not moonlight or do any work on the side. He took food off the table of my employees. He was doing it because he could do it at a reduced cost. I have overhead. He had a free computer, free office space and he was getting paid. They were going to leave because they were raising money."
Sylvia took control of the situation -- but, briefly, it actually got worse. "I fired both of them," she continues. "I called the porn guy in the next morning. He goes, 'Why do you think this?' I said, 'Don't you know we have a [monitoring] program?' He started coming over the table."
Ultimately escorted from the premises, the "porn guy" began texting Sylvia -- and wouldn't stop. "I forwarded the texts to my attorney," she says. "I finally said, 'If you text me or anyone in the company again, I will call the police and file charges against you for harassment.'"
That finally ended the nightmare, Sylvia concludes.
"He doesn't want any contact with the law," she says.
Revealing the Secrets of Data Leakage
The rogue employee's side business was almost surely a greater threat to Sylvia's company than his unfortunate taste for highly inappropriate pictures. In fact, it's data leakage that companies tend to worry about most when it comes to controlling criminal or fraudulent activities within their organizations. Employees, whether seeking revenge, financial gain or both, leak competitive data to outsiders and often get away with it because their colleagues won't report suspicious activity.
Sylvia suspects that the tech employee who was supposed to be monitoring user activity and ultimately left the company failed to report on the "porn guy's" activities because the employee was protecting and siding with the wrongdoers.
Other reasons for hiding or trying to conceal data breaches are fairly obvious. Public companies don't want shareholders knowing that data has been compromised. Even private companies would rather not have customers know that their data might be at risk. Credit-card numbers, after all, are one of the most-leaked categories of data.
"Credit-card information leaving the organization is extremely common," says Erik Yunghans, security engineer at Check Point Software Technologies Ltd., which makes user activity-monitoring software as well as other security products. "Five out of six incidents have had credit-card information."
But the culture of secrecy surrounding data breaches can get out of control. Sometimes the desire to hide a breach is so strong that even internal employees are afraid to discuss or investigate it. Mark Goudie, managing principal, investigative response for Verizon Business in Australia, is an IT pro and data-breach investigator. Goudie says that clamming up about a data breach can -- and usually does -- cause companies to suffer more than they would if upper management, IT and any other party that needs to be involved simply discussed the breach openly and rationally.
"The big data breaches have all been the organizations denying that there's anything wrong despite the fact that there's overwhelming evidence to the contrary," Goudie says. "All the big data breaches have been going on for six months where data's being stolen and sold. Certainly from the ones of the last five years, all of those have had that long, long extended period where data's being infiltrated.
"More than 70 percent of the time," Goudie continues, "it's weeks to months before the hacker's discovered; 50 percent of the time after the discovery, it's weeks before the hacker is kicked out. If you've had a hacker in your organization for six months, you're paying the bill for the hacker's computers. He knows that infrastructure better than the guys who sign the checks."
True IT heroes, though, are willing to sniff out data leakage and put a stop to it. Tim Matthews, senior director of product marketing at Symantec Corp., relates a story one of his customers shared with him: "A large energy company caught an employee who was stealing design documents and PowerPoint maintenance documents," Matthews says.
"They found he was planning on leaving for a competitor," he says. "This employee had access rights to look at these documents. Companies fingerprint these sensitive documents, and they watch for them being moved around their network, including down to [an] endpoint." In this case, the Symantec Endpoint DLP product let IT trace the fingerprints and collar the rogue employee.
Walls, from Gartner, recalls a data-leakage case that involved serious legal ramifications. In this case, unfortunately, IT staffers were both the cops and the crooks. "I was doing work for a government entity that was the equivalent of an attorney general," Walls begins. "Staff was illicitly reading e-mail regarding cases. That corrupts the case for the attorney. That stuff is extremely private.
"I went in and installed surveillance software in various forms," he continues. "It involved going in at 2 a.m. and installing monitoring agents. The equivalent of the CIO was routinely accessing the e-mail of the senior attorneys of the organization and reading through all of their traffic just for interest. We also found that the CIO was conducting two personal businesses using the infrastructure of the attorney general. To use government resources for personal gain violates several laws. I don't know that it resulted in jail time, but it resulted in [the CIO's] loss of employment with the government."
For his part, Goudie recalls nabbing a rogue employee who unsuccessfully tried to steal and sell sensitive IP from his company -- and set up another employee to take the fall in the process. "This guy was logging in using a remote-access product," Goudie says. "He was doing this stuff after hours. He was setting the clock back so all the logs would be in the past. He was stealing company data and selling it."
But there was a twist. The employee made a clumsy effort to make someone else look guilty, and not just anybody else. "He was not using his computer," Goudie says. "He was using his boss's computer."
The ploy didn't work, though, and the boss was easily proven innocent, while the rogue employee got caught.
One of the more famous cases of IP theft occurred in 2009 at Wall Street goliath Goldman Sachs. Sergey Aleynikov, a Goldman programmer, stole critical IP related to a high-frequency trading system from the company and tried to take it to a new employer, a Chicago-based startup.
Aleynikov, on his last day at Goldman, transferred proprietary code from his desk at the company to an outside server. He then put the code on a laptop and storage devices and flew to Chicago to meet with his new colleagues, stolen IP in tow. Authorities arrested him upon his return to the New York area, and in March he received an eight-year prison sentence.
Once Goldman discovered Aleynikov's shenanigans, the company began -- almost assuredly in the IT department, although Goldman has offered few details -- monitoring and reviewing large uploads from its network. Company officials found that Aleynikov had stolen 32MB of critical data. They provided that information to the FBI, which used the data to build its case.
Another well-known data-tampering incident involved national security and an unlikely IT hero. An outside contractor working at the Transportation Security Administration (TSA), Douglas James Duchak, was responsible for uploading information into a TSA database that vetted travelers.
Duchak found out in August 2009 that his role with the TSA would be changing, and he trained a replacement to do his job. In October of that year, Duchak's employer told him that his employment with the TSA would be terminated within two weeks. Duchak responded by tampering with a TSA database. In an odd turn of events, the replacement he trained turned out to be an IT hero.
The disgruntled Duchak tried to compromise the database by removing instructional code from a software program. The code was important; it allowed for the formatting of dates of birth in the database so that birth-date data could correlate with information on arrest warrants. Just a few days after Duchak committed his crime, his replacement noticed some code he thought looked odd. He determined it was unauthorized and could disrupt the TSA's screening function.
The TSA shut down the system and fixed it -- and told Duchak not to show up for the remainder of his contract. The replacement's sharp eye and willingness to speak up helped put a criminal behind bars. In January, Duchak received a two-year federal prison sentence.
Graft and Corruption
Sometimes, employees turn to more established criminal methods, such as stealing money and accepting bribes. IT heroes, however, have put the kibosh on this kind of activity as well. And they don't always need technology in order to do it. Matthews, of Symantec, passes on a story a CSO at a Las Vegas hotel told him about employees stealing guests' credit-card numbers in a remarkably simple, but effective, way. It didn't take monitoring software or any particular tech savvy for this CSO to ferret out and end this problem; it just took good powers of observation.
"Hotels have a lot of transient, not-very-well-paid workers who are handling credit card numbers," Matthews says. "[The CSO] said they actually caught a couple of employees who were doing just this. Employees faked that their computer wasn't working and simply wrote down guests' credit-card information." Once the problem came to his attention, the CSO enacted a simple policy. "[The hotel] stopped the practice of employees ever writing down credit-card numbers." Problem solved.
Taking bribes is also a temptation some rogue employees have trouble resisting. One such case occurred at a technology company with lots of sensitive IP. The HR department at this company flagged an employee as possibly participating in suspicious activity. A forensics compliance manager took over from there.
At first, the employee's activity looked normal. Looking more closely, however, the compliance manager noticed that the employee had set up a Web proxy and had been using an e-mail anonymizer. A more significant investigation followed, and a week later the IT pro discovered that the employee had taken a bribe of thousands of dollars in exchange for passing sensitive IP to a competitor.
Accidents and Exonerations
IT heroes aren't just in the business of catching criminals. It's also part of their jobs to come to the aid of colleagues who have been victimized or falsely accused in cases of data leakage and criminal activity. Sometimes what looks like sketchy activity is simply the result of an accident or error.
In one particular case, Goudie says, a network admin's activity looked suspicious when a major data breach occurred on his watch. But the admin was really only responsible for making a big mistake. The data breach was his fault, but his activity wasn't malicious, Goudie concludes.
"The network guy accidentally [messed up] the entire remote-access solution," Goudie says. "He accidentally [messed up] the whole box outside the firewall. You had all the Microsoft networking ports open to the Internet. The logs were filling up every day or two. It's all on this one box, the remote-access solution. That was the start of the whole data breach."
Mistakes and bad decisions don't necessarily indicate guilt, even if they are sometimes colossally stupid. Walls remembers a case of a university professor who had his students work on a very ill-advised project and got into some hot water with the U.S. government.
"I found computer science students who were doing port scans and probes of routers now covered under the Department of Homeland Security," Walls says. "We were able to show that they were being told to do this as a good learning experience by their faculty members. They were being told to do this by a faculty member who exercised extremely poor judgment. That was an internal disciplinary matter. Some allowance was made because they were students. The Secret Service cut them some slack as long as the faculty member would stop doing that. It's very galvanizing when the Secret Service shows up at your office door to have a chat about what you're having your students do," Walls concludes.
And then there are those accusations that simply turn out to be false. Mike Hewitt, information security officer for the Sacramento Municipal Utility District, relates in a SpectorSoft case study one such incident in which IT heroes were able to clear an innocent person.
"We had a case where it was alleged that confidential information was being used by one of our employees to harass another individual, a customer," Hewitt says in the study. "We needed to watch everything a certain person did to substantiate the allegation, or determine it was unfounded."
Hewitt used monitoring software and found that the allegations were false. What's more, he made another discovery. "There was nothing to substantiate the allegations," Hewitt relates. "The other person actually was the culprit."
Innocent Bystanders
According to the Verizon Business 2011 Data Breach Investigation Report, a whopping 92 percent of data breaches "stemmed from external agents" in 2010. Sometimes those external agents can bring suspicion upon -- or at least cause some discomfort for -- internal employees who are, in fact, only victims. Goudie remembers one such instance.
Goudie was investigating a breach when he ran across a non-IT employee at random in the company's cafeteria. The employee was concerned about a few strange occurrences. For instance, she would walk into her office to find programs open on her computer that she hadn't opened. She also found Web sites in her browsing history she hadn't visited. Afraid to talk to her boss or colleagues about any of this, she spilled everything to Goudie, whom she had never met before.
"I just chatted to her a bit, and she unloaded the whole story on me," Goudie says. "By the time lunch was over, I had it all sorted out."
The employee's computer was the point of entry for an outside attack. "That was an external party that was stealing data and did get some control of her computer." Goudie was ultimately able to thwart the attack and ease the employee's mind.
How to Be an IT Hero
The stories here show that IT heroes have done excellent work in cleaning up their organizations. Unfortunately, though, those heroes are still few and far between. Goudie says that stories of IT people sniffing out crime in their organizations are "depressingly rare." Most of the time, customers or partners tip companies off to data breaches long after those breaches have begun doing damage.
"Internal people discover data breaches in 11 percent of the cases that we look at," Goudie says. Only 6 percent of the time, he adds, does proactive monitoring catch a breach. The conclusion is that companies must monitor network activity much more aggressively and make monitoring a higher priority.
But with IT pros among the most important people in any organization for controlling security and protecting data, there's no reason why technology workers shouldn't be racking up the scalps of wrongdoers. Although the Verizon data-breach report says that only 17 percent of data breaches "implicated insiders" in 2010, there's still plenty of sketchy employee activity to look out for.
One first step to take is to develop and distribute to employees a clear policy on security and the use of monitoring technology. Experts and observers agree on that pretty much unanimously. Across the board, participants in this article informed employees that they were being monitored.
That policy should extend to the IT department and to executives, too, Walls says. Specifically, he says, it should enumerate how and for how long a company stores its data. This is where meeting with legal counsel becomes extremely important.
Another way IT pros can set themselves up to be heroes is to monitor their networks for unusual activity. Large amounts of data moving around, employees e-mailing files to themselves and the use of e-mail anonymizer programs are all red flags. Strange employee behavior, too, such as the type Sylvia encountered with the "porn guy" at her company, should also raise IT eyebrows.
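The three network red flags named above (large amounts of data moving around, employees e-mailing files to themselves, anonymizer use) can be checked mechanically over activity logs. The following is an added example, not taken from the article or from any product it mentions; the log format, domain names, watchlist and 25 MiB daily threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
import re

# Assumed values for this sketch; tune them to your own environment.
CORP_DOMAIN = "corp.example"
UPLOAD_LIMIT_BYTES = 25 * 1024 * 1024            # per user, per day
ANONYMIZER_HOSTS = {"anon-relay.example", "webproxy.example"}  # placeholder watchlist

# Constructed sample records in a made-up "date time key=value ..." format.
SAMPLE_LOG = """\
2011-05-02 09:14:03 type=mail user=asmith from=asmith@corp.example to=bob@partner.example attach=1 bytes=48211
2011-05-02 18:40:11 type=mail user=jdoe from=jdoe@corp.example to=j.doe77@mail.example attach=3 bytes=7340032
2011-05-02 19:02:45 type=web user=jdoe host=anon-relay.example bytes=1204
2011-05-02 19:05:10 type=upload user=jdoe host=files.example bytes=20971520
2011-05-02 19:31:52 type=upload user=jdoe host=files.example bytes=12582912
2011-05-02 20:00:00 type=upload user=asmith host=files.example bytes=1048576
2011-05-03 08:00:00 type=upload user=jdoe host=files.example bytes=1048576
"""

def parse_line(line):
    """Turn one log line into a dict with date, time and typed byte count."""
    date, time, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["date"], event["time"] = date, time
    event["bytes"] = int(event.get("bytes", 0))
    return event

def _norm(local_part):
    """Strip dots, digits and case so 'j.doe77' and 'jdoe' compare equal."""
    return re.sub(r"[^a-z]", "", local_part.lower())

def is_self_mail(event):
    """Heuristic: corporate sender mails an attachment to an outside
    address whose local part looks like the sender's own name."""
    s_local, s_dom = event["from"].rsplit("@", 1)
    r_local, r_dom = event["to"].rsplit("@", 1)
    return (s_dom == CORP_DOMAIN and r_dom != CORP_DOMAIN
            and int(event.get("attach", 0)) > 0
            and _norm(s_local) == _norm(r_local))

def find_red_flags(log_text):
    """Return (user, rule, detail) tuples for the three red flags."""
    findings = []
    uploaded = defaultdict(int)          # (user, date) -> total bytes out
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["type"] == "mail" and is_self_mail(ev):
            findings.append((ev["user"], "self-mail", ev["to"]))
        if ev.get("host") in ANONYMIZER_HOSTS:
            findings.append((ev["user"], "anonymizer", ev["host"]))
        if ev["type"] == "upload":
            uploaded[(ev["user"], ev["date"])] += ev["bytes"]
    # Volume is judged on the daily total: neither of jdoe's uploads on
    # 2011-05-02 exceeds the limit alone, but together they do.
    for (user, date), total in sorted(uploaded.items()):
        if total > UPLOAD_LIMIT_BYTES:
            findings.append((user, "bulk-upload", f"{date} {total} bytes"))
    return findings

if __name__ == "__main__":
    for finding in find_red_flags(SAMPLE_LOG):
        print(finding)
```

Each hit is a lead for review rather than proof of wrongdoing; the article's own exoneration cases show why a finding still needs a person to sort the guilty from the merely unusual.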
Skilled IT pros should be able to sort the guilty from the merely unusual. Of course, that's not always easy, especially given how often other IT pros are involved in shady activity. "There have been heaps of cases where IT people have been stealing data," Goudie says.
That means that IT pros with integrity -- the vast majority of IT pros -- sometimes have to patrol their own colleagues. And they have to balance being "cops" in the organization with serving users and boosting the bottom line. It's a tricky combination, but strong relationships with business management and the legal department can help ease some tension. If IT pros let non-IT managers know what they're policing and why they're doing it, they'll likely find more support from their colleagues than they otherwise would.
"A lot of companies are not aware of the financial penalties involved with data breaches," Matthews, of Symantec, says. "Have a conversation with your legal counsel and make them aware of some of these laws. Consult with outside counsel. Have proactive conversations with the legal team about risk."
Monitoring software helps IT play the good-cop role as well. Experts recommend investing in some sort of software to log activity and gain deep visibility into a network.
"There's a lot of good software out there," Goudie says. "A good piece of software that's well configured, well maintained and well monitored will defeat most data breaches."
Companies shouldn't be afraid to use the software they have, Matthews adds. "A lot of times, people don't want to turn on [monitoring applications] because they're afraid they'll slow their e-mail system down," he explains. "It's better to do that than be responding to a breach. It's a matter of managing your risk."
Knowing how to properly deploy and use monitoring software is also critical, Matthews says.
Above all, companies need to be preventative in their approach to computer fraud, and create an atmosphere in which open and honest communication is encouraged. It's in that metaphorical phone booth that IT pros can transform themselves into IT heroes.
"If you're conducting business in a way that would be disastrous if the world found out about it, maybe you shouldn't be doing that," Walls says. "You shouldn't ignore culture within the company. Foster a positive culture that helps detect problems early and nip them in the bud."