Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft
reviewed by Robert Pritchett
Authors: Dr. Eric Cole, http://www.oreillynet.com/cs/catalog/view/au/2038 Sandra Ring, http://www.oreillynet.com/cs/catalog/view/au/2040 Syngress Publishing Booksites: http://www.syngress.com/catalog/?pid=3410 http://www.oreilly.com/catalog/1597490482/index.html Published: December 2005 Pages: 424 $35 USD, $49 CND, £20 GBP, 31€ EUR ISBN: 1597490482 Strengths: Empirical evidence of where the “real” security threat lies. Weaknesses: Some print formatting issues. |
|
Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft by Dr. Eric Cole and Sandra Ring is an empirical evidence book that tells stories of “for-instances” regarding inside threats to private and public “business” environments. It isn’t just a “tell-all” book that is designed to put you in “trust no one” mode, but rather it shows what can be done to minimize risk related to such activities. Oh and in this book, IP stands for Intellectual Property, not Internet Protocol.
My only “gripe” with the book began early on with a number of insider threat studies that were page after page of “Conclusion” and “Analysis” headings instead of giving real titles to each of these findings. It struck me as funny that the bolded heading begins; “How Bad Is It –“. Great content, but the editors could have done some serious title-tweaking in Chapter 1. They carried that into the table of contents as well and it ran for two or so pages that way. They did a better job later with case studies following a topic-source-details-analysis format, but even there, they could have separated the subtitles by adding more case study titles between the topic-source-details-analysis format. If these nits don’t bother you, keep reading. I hope they clean that up in the next rev.
Justice department folks seem to drop into a “nobody can be trusted” mind-set where everyone they meet is guilty until proven innocent, because of all the experiences they have had solving crimes. The rest of us shrug it off because we don’t have the bandwidth to devote our attention to this line of thinking. We tend to trust everyone until proven guilty. This book takes the stance of experiential “this is the way it is” mentality so those of us who are in a mental state of denial can see that they “told you so” with a host of bad examples.
The book is divided into 4 parts with the first walking us through how bad the threat really is based on the human tendency of “catch me if you can” since society no longer seems to fear god or feels no shame in breaking commandments. Okay, I’ll say it; we live in a godless society and this book shows the consequences of that mindset without saying that directly. We live in a very cruel unforgiving world.
The 2nd chapter gets into the technology aspects of how high-tech crime is done. Part II discusses the threats at the state and local government levels with instances in chapter 3 while chapter 4 does the same at the federal level. Pat II does this in chapters 5, 6 and 7 for commercial banking and financial sectors and government subcontractors. Part IV finishes the book with profiles in chapter 8, chapter 9 discusses the technologies that can be used to control the threat and the last chapter discusses survivability, risk analysis and education of employees regarding the threats.
The book is kind of a bitter pill to swallow because there are so many “high-profile” instances that are cataloged in all sectors of society regarding what can go wrong that adversely affects the enterprise.
The good part, I guess is that you indeed should feel paranoid and feel that someone is watching over your shoulder at work because they are and the electronic paper-trail will catch up with you if you are doing anything untoward or potentially damaging to your company. The book isn’t Jiminy Cricket (Disney’s Pinocchio) whispering that you should do good things and not bad. It instead shows that bad things were done and folks were caught and suffered the consequences of their unwise actions. If something feels wrong, it probably is – so don’t do it. Let your conscience be your guide. Let this book be an “awareness” book in your organization and perhaps it will act as a deterrent to anyone who might be thinking bad thoughts about either taking advantage or trying to take down a company.
I like the word of wisdom that says that if you find yourself in a hole, stop digging. Fess up and keep the mistakes from getting worse than they already are.
Trust employees, but verify after they have been screened.
