Lying IT pros and the lies they tell

What do you do when you discover that a long-time, trusted systems administrator has been secretly selling you pirated software while running a porn site on one of your servers and downloading customer credit card numbers from another server? For one large retailer in Pennsylvania, this wasn't a rhetorical question, reports Tam Harbert at Computerworld.

Rogue IT employees don't often make headlines because companies don't wish to flaunt their vulnerabilities. However, the Insider Threat Center at CERT has examined data from 400 cases of insider exploits since 2001. Most typically, organizations end up victimized by insiders because they don't sufficiently vet their applicants, they do a poor job of monitoring the way in which access privileges are granted, and they miss the signs of rogue behavior, CERT found.

It can be very hard to detect misbehavior by IT pros with privileges, however. They know where the vulnerabilities are, and their legitimate work is hard to distinguish from illegitimate activity, including editing code and writing programs.

Computerworld talked with three security consultants who have worked with companies that were victims of insider attacks. The troubles for the retailer in Pennsylvania were compounded because the systems administrator in question was the only person in the company who had passwords for the network switches, VPN, email server administration, Windows desktop administration, Windows Active Directory administration, HR system and core network router. It took a complex, highly orchestrated campaign to remove the admin without risking further damage.

For more:
- see Tam Harbert's article at Computerworld
