For the public, it was jaw-dropping: an America Online software engineer accused of entering his company's data banks and stealing 92 million e-mail addresses that allegedly were sold by a middleman to spammers.
But for many on the front lines of computer security, the reaction was a knowing nod. They live daily with the uncomfortable truth that while outside hackers often steal the headlines, it's the insider gone bad who can more easily make off with the jewels.
"The AOL case is one more example of the risks of misuse by insiders, which are largely ignored by the popular focus on hackers, spammers and others," said Peter Neumann, principal computer scientist at SRI International, a risk analysis research institute.
Compounding the problem for companies and organizations is that computers are so pervasive that almost any employee is a potential threat.
Jeffrey Bedser, chief operating officer of ICG Inc., a computer security company, said his firm has had clients that "have had consultants and contractors, including janitors, all the way up to senior executives stealing the data, trading the data or selling the data."
Measuring the problem is difficult, because many companies never report breaches of their systems for fear that their reputations for securing data would be harmed. But in a survey of more than 500 security officers conducted last year by the FBI and the Computer Security Institute, 45 percent reported abuse by insiders.
"It isn't necessarily the motivation that makes insiders dangerous, but the fact that they may have unfiltered access to sensitive computer systems that can place public safety at risk," Keith Lourdeau, deputy assistant director of the FBI's cyber-crime division, said at a Senate hearing in February.
At some level, experts say, there is little defense against the trusted employee who decides to turn against his organization, especially if he is in charge of the computer systems.
But with more and more valuable information housed on computers, some companies and organizations are taking aggressive new steps to limit risk by focusing on both technology and human behavior.
Sensitive information, such as proprietary formulas or other trade secrets, is being segregated and more tightly controlled. AOL kept credit card numbers of its members separate from the stolen e-mail address database, for example, saving the company from greater disaster.
But credit card numbers and other sensitive information are routinely available to call-center employees and other workers at many companies, prompting a move toward increased monitoring of workers.
Some companies are installing software packages that monitor employees' e-mail to ensure that no trade secrets, or even embarrassing internal memos, are sent outside the firms. The software looks for potentially valuable information and can also note what Web sites employees visit.
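As an added illustration of the kind of outbound-mail check described above (this is example code written for this page, not software from AOL, Proofpoint or any vendor named in the article), the following scans constructed sample messages leaving a company domain and flags two things: Luhn-valid card numbers, which cuts the false positives that a bare 13-to-19-digit regex would raise, and bodies carrying a confidentiality marker. The domain `example.com`, the messages and the marker strings are all assumptions invented for the example.

```python
import re

# Constructed sample traffic (not from the article). Anything addressed
# outside INTERNAL_DOMAIN is treated as leaving the company.
INTERNAL_DOMAIN = "example.com"
MESSAGES = [
    {"id": 1, "from": "alice@example.com", "to": "bob@example.com",
     "body": "Q3 numbers attached. Card on file: 4111 1111 1111 1111"},
    {"id": 2, "from": "alice@example.com", "to": "buyer@mail.example.net",
     "body": "Per our chat, customer card 4111-1111-1111-1111 exp 09/06"},
    {"id": 3, "from": "carol@example.com", "to": "friend@example.org",
     "body": "Internal memo marked CONFIDENTIAL: reorg planned for Friday"},
    {"id": 4, "from": "dave@example.com", "to": "vendor@example.org",
     "body": "Invoice number 1234567890123 is 30 days overdue"},
]

# Hypothetical markers a company might stamp on trade-secret material.
SECRET_MARKERS = ("CONFIDENTIAL", "TRADE SECRET", "INTERNAL ONLY")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run. Candidates are confirmed with the Luhn check below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_external(address: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """True when the recipient domain is neither the company domain nor a subdomain of it."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != internal_domain and not domain.endswith("." + internal_domain)


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_outbound(messages, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Flag messages leaving the company that carry card numbers or secret markers."""
    findings = []
    for msg in messages:
        if not is_external(msg["to"], internal_domain):
            continue                      # internal mail is out of scope here
        reasons = []
        cards = find_card_numbers(msg["body"])
        if cards:
            reasons.append("card_number")
        upper = msg["body"].upper()
        if any(marker in upper for marker in SECRET_MARKERS):
            reasons.append("secret_marker")
        if reasons:
            findings.append({
                "id": msg["id"], "to": msg["to"], "reasons": reasons,
                "cards": [c[-4:] for c in cards],   # log only the last four digits
            })
    return findings


if __name__ == "__main__":
    for f in scan_outbound(MESSAGES):
        print(f)
```

Message 1 carries a card number but stays inside the company, so it is not reported; message 4 contains a 13-digit invoice number that fails the Luhn check, which is exactly the false positive a digit-count-only rule would raise.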
Other systems monitor the entire company's network, watching for employees logging in at odd hours, or for unusual amounts of time, or looking in databases they don't normally look at. If an employee is suspect, programs that track what he or she types, known as keyloggers, also are available.
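The network-monitoring rules just described (odd hours, unusually long sessions, tables a user does not normally touch) can be reduced to a per-user baseline plus a handful of thresholds. The code below is an added example written for this page, not any product's logic: it builds a baseline from a week of constructed database access log lines, then reviews a second set of constructed lines against it. The log format, the user names, the 07:00 to 19:00 working window and the 10x row and 3x session-length multipliers are all assumptions chosen for the example; a real deployment would tune them per role.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption for this example):
# <ISO timestamp> user=<id> table=<name> rows=<returned> secs=<session length>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) "
    r"rows=(?P<rows>\d+) secs=(?P<secs>\d+)$"
)

# Constructed baseline: normal activity used to learn each user's habits.
BASELINE_LOG = """
2004-06-14T09:05:10 user=jsmith table=tickets rows=40 secs=120
2004-06-14T11:20:03 user=jsmith table=accounts rows=12 secs=95
2004-06-15T10:02:41 user=jsmith table=tickets rows=65 secs=140
2004-06-15T16:48:09 user=jsmith table=accounts rows=8 secs=60
2004-06-14T13:30:00 user=mlee table=billing rows=25 secs=100
2004-06-15T14:15:22 user=mlee table=billing rows=31 secs=80
"""

# Constructed lines to review: one bulk pull of a table jsmith never
# uses, at 02:40, plus a long billing session and an unknown account.
NEW_LOG = """
2004-06-21T10:15:30 user=jsmith table=tickets rows=55 secs=200
2004-06-21T02:40:12 user=jsmith table=email_addresses rows=92000000 secs=5400
2004-06-21T14:00:00 user=mlee table=billing rows=30 secs=90
2004-06-21T18:55:47 user=mlee table=billing rows=20 secs=4000
2004-06-21T03:10:05 user=tmp_ops table=billing rows=5 secs=30
"""


def parse(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"], "table": m["table"],
            "rows": int(m["rows"]), "secs": int(m["secs"]),
        })
    return events


def build_baseline(events: list) -> dict:
    """Per user: the tables normally touched and the largest rows/secs seen."""
    base = defaultdict(lambda: {"tables": set(), "max_rows": 0, "max_secs": 0})
    for e in events:
        b = base[e["user"]]
        b["tables"].add(e["table"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
        b["max_secs"] = max(b["max_secs"], e["secs"])
    return dict(base)


def flag(event: dict, baseline: dict, work_hours=(7, 19),
         row_factor: int = 10, secs_factor: int = 3) -> list:
    """Return the list of reasons an event deviates from the user's baseline."""
    reasons = []
    if not work_hours[0] <= event["ts"].hour < work_hours[1]:
        reasons.append("off_hours")
    b = baseline.get(event["user"])
    if b is None:
        reasons.append("no_baseline")      # account with no known normal behaviour
        return reasons
    if event["table"] not in b["tables"]:
        reasons.append("unfamiliar_table")
    if event["rows"] > row_factor * b["max_rows"]:
        reasons.append("row_volume")
    if event["secs"] > secs_factor * b["max_secs"]:
        reasons.append("long_session")
    return reasons


def review(new_log: str, baseline_log: str) -> list:
    """Alerts as (timestamp, user, table, reasons) for every deviating event."""
    baseline = build_baseline(parse(baseline_log))
    alerts = []
    for e in parse(new_log):
        reasons = flag(e, baseline)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["table"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in review(NEW_LOG, BASELINE_LOG):
        print(alert)
```

Three of the five reviewed events are reported: the 02:40 bulk read trips all four rules at once, the 18:55 billing session is flagged only for its length, and the never-seen `tmp_ops` account is reported for having no baseline at all. Multiple reasons on one event are the signal worth paging on; a single off-hours login is routine noise.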
"The entire enterprise [can be] a leaking sieve of information," said Gary Steele, chief executive of Proofpoint Inc., an e-mail software provider.
Security experts also recommend cultural changes at the workplace. Employees should be encouraged to report suspicious behavior of colleagues, they say. They also urge more sophisticated background checks of employees.
"There has to be more thorough investigation of who you are bringing onboard when it relates to critical data," said Ron Moritz, chief security strategist for Computer Associates Inc., a software firm.
The U.S. Secret Service, meanwhile, has for 18 months been researching whether the same kind of psychological profiling techniques used to spot a potential assassin of public officials, or a troubled teenager who might go berserk at a school, could be applied to tech workers who might be inclined to commit computer crime.
The Secret Service, which led the AOL investigation, hopes to finish its research by early next year, said Bruce A. Townsend, deputy assistant director for investigations.
Despite all of the new measures available, security experts say that companies remain woefully inattentive.
"Multilayered security is not something we've generally deployed in enterprises," Moritz said.
In the 2003 FBI study, the researchers found that "it is still the case that many respondents do not know what's going on within their networks."