By Jonathan Krim Washington Post Staff Writer
Saturday, June 26, 2004; Page E01
For the public, it was jaw-dropping: an America Online software engineer accused of entering his company's data banks and stealing 92 million e-mail addresses that allegedly were sold by a middleman to spammers.
But for many on the front lines of computer security, the reaction was a knowing nod. They live daily with the uncomfortable truth that while outside hackers often steal the headlines, it's the insider gone bad who can more easily make off with the jewels.
"The AOL case is one more example of the risks of misuse by insiders, which are largely ignored by the popular focus on hackers, spammers and others," said Peter Neumann, principal computer scientist at SRI International, a risk analysis research institute.
Compounding the problem for companies and organizations is that computers are so pervasive that almost any employee is a potential threat.
Jeffrey Bedser, chief operating officer of ICG Inc., a computer security company, said his firm has had clients that "have had consultants and contractors, including janitors, all the way up to senior executives stealing the data, trading the data or selling the data."
Measuring the problem is difficult, because many companies never report breaches of their systems for fear that their reputations for securing data would be harmed. But in a survey of more than 500 security officers conducted last year by the FBI and the Computer Security Institute, 45 percent reported abuse by insiders.
"It isn't necessarily the motivation that makes insiders dangerous, but the fact that they may have unfiltered access to sensitive computer systems that can place public safety at risk," Keith Lourdeau, deputy assistant director of the FBI's cyber-crime division, said at a Senate hearing in February.
At some level, experts say, there is little defense against the trusted employee who decides to turn against his organization, especially if he is in charge of the computer systems.
But with more and more valuable information housed on computers, some companies and organizations are taking aggressive new steps to limit risk by focusing on both technology and human behavior.
Sensitive information, such as proprietary formulas or other trade secrets, is being segregated and more tightly controlled. AOL kept credit card numbers of its members separate from the stolen e-mail address database, for example, saving the company from greater disaster.