The Consultant Threat


by Jim M. Clark


Abstract

Consultants are people who do not work under direct control while providing contract services to others. They may be technical consultants, e.g. programmers, or business consultants, e.g. management or project consultants. The use of consultants is on the increase in today's corporate world as businesses leverage skill level and experience against rising employee costs. Consultants are similar to insiders in that they have insider access, but they are not under the same control. Technical consultants who use client information technology present a technical threat, while management consultants, who often have access to more sensitive information in a company, present a human threat. The concept of the consultant and the threat of a consultant security breach are examined from the perspective of scope, complexity/motive, common characteristics, and authorized use of information systems.


Introduction

Consultants can be defined as: "People who work under their own control to provide contract services to others." [1] The key phrase in this definition is "work under their own control". Consultants are often given wide latitude to complete their assigned work and the same authorities and accesses as employees performing similar work functions, yet the companies that contract their services do not, as a rule, perform background verification. This in itself creates problems, as consultants have too little loyalty to the contracting company to be concerned with protecting its technological resources.


Scope

"If you hire an outside organization to perform services, they, too, can wage Information Warfare against you." [2] In a 1978 case, a computer security consultant engaged by a Los Angeles bank was able to steal 10.2 million dollars by violating his position of trust. [3]

Another case involved the Florida State Department of Health Rehabilitative Services (HRS). HRS claimed that Electronic Data Systems (EDS) had intentionally sabotaged its computer systems. A series of audits found that the computer systems had high failure rates. HRS contended that program bugs were left in the software when the contract expired, causing the system failures. The contract was subsequently won back by EDS. [4]

The threat exists anywhere consultants are working. It arises from the nature of the contract-for-hire process. Consultants are tasked with performing work for a specified price for a specified period of time. A Gartner Group survey [5] found that 60 percent of applications outsourcing contracts have terms of less than two years. Fifteen percent extend for six years or more. Consultants may be asked to work with proprietary information only after signing a non-disclosure agreement. This agreement provides the company with legal recourse in the event the proprietary information doesn't stay proprietary. The financial impact on the company's information system from consultant abuse may be devastating.

The use of consultants is on the increase and expected to continue in this fashion. Again from the Gartner Group survey, 51.2 percent of respondents indicated they currently outsource. Twenty-two percent were likely to consider outsourcing, while 26.4 percent were unlikely to outsource.

With 73 percent of those surveyed currently outsourcing or likely to consider outsourcing, the likelihood of threats from consultants will increase.

It is difficult to quantify the threat from consultants. Companies are wary of reporting incidents of abuse because of negative publicity.


Complexity/Motive

A threat is an indication of an impending undesirable event. [6] More narrowly defined from Webster's is 'one that is regarded as a possible danger; a menace'. [7]

As technology advances, development of the important supportive functions that protect the technology from intentional losses is lagging behind. [8] Computer security is not primarily a technological subject. It is a subject of the psychological and sociological behavior of people. [9] The threat from consultants is not easily overcome due to the nature of the threat: people. There are many motives driving consultants. The following partial list of motives from Parker [10], along with links citing examples of these motives, shows the spectrum from which this threat is derived:

Incompetence

Incompetence can be defined as being devoid of those qualities requisite for effective conduct or action. [11] Incompetence does not mean unskilled. I believe there are many people who are skilled at committing computer related crime, but lack the competence to know the ramifications of what they are doing. On September 20, 1999, Network Solutions Inc. (NSI) created a web site and free E-mail service. Nearly anyone, including unauthorized users, could sign up to use a domain registrant's e-mail account due to badly configured default security. Details of this blunder can be found at http://www.cnn.com/TECH/computing/9909/20/nsi.blunder.idg/

Personal Gain

A strong motive in a world of succeeding at any cost is personal gain. Wanting more "stuff", e.g. cars, money, and status, is but one of the worldly measuring sticks that motivate people to commit computer crime. A recent incident on August 10, 2000 resulted in the arrest in London, England of two individuals from Kazakhstan for allegedly breaking into Bloomberg L.P.'s computer system in Manhattan in an attempt to extort money from Bloomberg.

http://www.fbi.gov/pressrm/pressrel/pressrel00/vatis08142000.htm

Business Gain

Business gain as a motive is similar to personal gain, except that the beneficiary of the crime is a business rather than a person. Business gain could be the motive for stealing another company's proprietary information and using it to increase market share or bring a product to market sooner than a competitor.

http://www.infosecuritymag.com/apr99/cover.htm

Advocacy is the act of pleading or arguing in favor of something, such as a cause, an idea, or a policy. [15] Thus, economic advocacy as well as political advocacy fits within this definition.

Continuing with Parker's list with cited examples:

Economic Advocacy

The recent occurrence of OPEC's web site being defaced to further an economic viewpoint shows that the internet has provided a different forum for those pushing their agenda into the public eye.

http://news.cnet.com/news//0-1005-200-2764903.html?tag=st.cn.sr.ne.1

Political Advocacy

Between Hong Kong and China there is a 'war' being waged. A group called Blondie Wong is crusading against communist China, and they have turned their collective computer science and engineering skills into a sharp spear. Within a few months, this spear was capable of penetrating the internal affairs of China's military industrial complex, as well as the Western transnational corporations that do business with China.

http://www.infowar.com/hacker/99/hack_122299c_j.shtml

Although not all of the above cases involved consultants, it would be impossible to eliminate these motives from the prospect of employing a consultant. As people have moved away from being loyal to a company, these motives become more real.

As the Clark-Wilson Integrity Model [16] asserts:

"...application systems owners, designers, programmers, users and auditors are left "minding the store" for application security. These individuals are seldom experts in information security, and their positions typically involve other responsibilities and objectives. In addition, these individuals are likely perpetrators of applications-based crimes."

And as the American Society for Industrial Security (ASIS) 1999 survey [17] of Fortune 1000 companies reveals, "While on-site contractors are considered to be one of the greatest threats to organizational information, most companies did not require these people to undergo background checks. Background investigations represent a level of "diligence" easily available to US-based organizations. The failure to ensure consistency between standards applied to the regular and temporary/contract staffs creates a gap that could expose the organization's key IP and proprietary information to people who have a history of committing illegal acts."

In the company where I work it is not uncommon for remote contractors to call for help desk support. One of the most common call types is password resets. A typical scenario is a contractor calling in because they are unable to access a particular system. They do not have the standard system ID (social security number), but have another form of system ID which differentiates them from employees. There is no mechanism to validate that the ID belongs to the contractor, unlike an employee, where there are other pieces of information that can be validated, e.g. phone number, mailstop, cube number, cost center, etc.

Since there are few controls to validate the contractor who calls the help desk, it is not uncommon that the password would be changed without any authentication taking place. It has also been known to happen that a contractor or group of contractors will use a generic system ID provided by their contracted company contact. This occurs because their company contact has not taken the time to follow the process for requesting system access or has encountered delays in the system ID acquisition process, therefore circumventing it.

When the system ID acquisition process is circumvented, not only does the contractor work under a disguised identity, their system access level may also not be appropriate for the work that was contracted to be performed, thus opening the door for information system abuse.

Typically consultants are engaged for a set duration of time. This short time period can enhance the consultant's lack of loyalty. The consultant will be less likely to forge close personal relationships, unless doing so will further their wrongdoing. In fact, it would be advantageous for the consultant to have many close personal relationships, as this would create a level of trust by those around him, thereby creating a veil of protection. Because their tenure is short, they do not have a stake in the company's long-term success.

Consultants are provided a level of trust that may not be consistent with the company's hiring practices. The consultants that are employed where I work are hired via a third-party vendor. These third-party vendors are not required by my company to conduct background checks or other pre-employment screening methods. Therefore, the company is at risk for an increased threat. It is not uncommon for consultants to go from contracting company to contracting company when the demand for their services is high. Depending on the expertise level of the consultants, their employers may not have a non-compete clause in their contract or may not have a contract at all.

It was concluded in the ASIS survey (http://www.asisonline.org/spi.pdf) cited above that: "The respondents indicate that contractors and temporary workers may have nearly the same access to sensitive information as regular employees. The same problem arises with the contractors and temporaries that work for other companies such as major suppliers, vendors or sub-contractors that have access to your company sensitive data. When these comments are combined with 17(d) (which indicate few temporary or contract employees receive background investigations) it is possible that a major risk to a typical organization's critical IP and sensitive proprietary information arises from the lack of controls over the hiring and deployment of the 'contingent' workforce."


Authorized Use of Information Systems

Typically consultants are given access to the information systems they require to complete their assigned work. In the environment with which I am familiar, consultants are given "grouped" access privileges. What this means is that they are provided access to systems so that they are able to work, but may have accesses that are not needed by the consultant. This is done to alleviate the work load of the system administrators. The SA can reduce their work by creating access privileges that can be used by more than one person and doesn't have to become involved in what any particular consultant is working on. This creates an enormous gap in security.

At my place of work, Help Desk consultants are routinely hired to fill headcount gaps from attrition and employee turnover. These consultants are provided access privileges to be able to provide technical support to the employee base, some 28,000. On average each employee calls the Help Desk 1.5 times per month. With these privileges, as part of the Help Desk position, the consultant is able to access systems to support company employees. One of the most common support calls is password reset. Although most mid-range or web-based systems that are used have a GUI interface that allows the password to be reset, there are times when the Help Desk Analyst or consultant will attempt to log on as the user to duplicate the problem being reported. To do this the user must relinquish his or her password. Most users will do this to be able to continue their work, but this gives the consultant, and for that matter the Help Desk company employee, additional capability to access information systems that they were not designed to access. Since this support is remote phone support, there are no controls on the consultants or employees that would prevent them from using the user ID and password for dubious purposes.

Another common practice at my company's internal support desk is to reset password access to information systems by logging on to the system as the user. This is done primarily as a result of an unsuccessful attempt to change or reset the password. Some company employees are not technically astute or are unable to comprehend instructions over the phone to reset their own password. So the Help Desk Analyst or contractor will ask for the user's ID and password, log onto the system as the user and change the user's password for them. Then they will provide the user with the new password. This activity bypasses the safeguard of the user changing the password to something only they know at the initial login after the password was changed via the GUI front-end.

It is also not uncommon for the company user, who has a multitude of systems to access on a daily basis, to standardize their passwords on each system. In the user's eyes this reduces the problem of having to remember each system's ID and password combination, and increases productivity by reducing support calls to the Help Desk. Of course, when it is necessary to change a password, either due to password expiration or because the user is unable to remember the password, the user then requests the Help Desk to synchronize the new password on all the systems they access. Now the Help Desk or consultant has the ID and password for all the systems the user accesses with an ID and password. This creates a huge security and liability risk for the company.
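As an added example (not part of the original article), the following Python models a help-desk reset process that closes the gaps described above: every caller, contractor or employee, is verified against attributes recorded when the ID was issued; an ID issued without such attributes cannot be reset over the phone; the analyst never asks for or learns the user's own password; and the temporary password must be replaced at next logon. The `Account`/`ResetDesk` classes, the attribute names and every identity are constructed for illustration.

```python
# Added example, not from the original article: a help-desk reset workflow that
# verifies every caller against attributes recorded at ID issuance (contractors
# included), never asks for the user's own password, and forces a change at
# next logon. All identities, attribute names and values are constructed.
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    user_id: str
    verify: dict                    # attributes registered at ID issuance
    must_change: bool = False       # forced change at next logon
    password: Optional[str] = None  # current (possibly temporary) password

class ResetDesk:
    REQUIRED = 2                    # attributes a caller must answer correctly

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit = []             # (analyst, user_id, outcome)

    def _deny(self, analyst, user_id, reason):
        self.audit.append((analyst, user_id, reason))
        return {"ok": False, "reason": reason}

    def reset(self, analyst: str, user_id: str, answers: dict) -> dict:
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._deny(analyst, user_id, "unknown-id")
        # An ID issued without verification data (the contractor case above)
        # cannot be reset over the phone; it must go back to the sponsor.
        if len(acct.verify) < self.REQUIRED:
            return self._deny(analyst, user_id, "no-verification-data")
        matched = sum(1 for k, v in answers.items() if acct.verify.get(k) == v)
        if matched < self.REQUIRED:
            return self._deny(analyst, user_id, "verification-failed")
        # One-time temporary password: the analyst never learns a lasting
        # credential, and the user is forced to replace it at next logon.
        temp = secrets.token_urlsafe(12)
        acct.password, acct.must_change = temp, True
        self.audit.append((analyst, user_id, "reset"))
        return {"ok": True, "temporary_password": temp}

    def logon(self, user_id: str, password: str, new_password: Optional[str] = None) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or acct.password != password:
            return False
        if acct.must_change:        # the temporary password cannot be kept
            if not new_password or new_password == password:
                return False
            acct.password, acct.must_change = new_password, False
        return True
```

Each system would run its own desk instance, so a reset on one system never hands the analyst a credential that also opens the others.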


Summary and Conclusions

The consultant as a threat is real, alive and well in today's working environment. As has been discussed, the consultant threat exposes the contracting company to potential security breaches. Given the common characteristics of the consultant threat, it is easy to see how this threat manifests itself. Given that the consultant generally works alone, without direct supervision, and for relatively short durations, this creates an atmosphere of vulnerability of which one can take advantage.

As I mentioned regarding my own company's vulnerability, as it is seen at the Help Desk, the capacity for this threat is high. The consultant doesn't have to be provided accesses as part of his work to exercise a threat. He or she can obtain the access through their interaction with users who rely on them for technical support.


References and Bibliography

[1] Cohen, Frederic B., "Protection and security on the information superhighway" New York: Wiley, c1995. pg. 12

[2] Schwartau, Winn, "Information warfare: chaos on the electronic superhighway" New York: Thunder's Mouth Press, c1994. pg. 221

[3] Parker, Donn B., "Computer security management" Virginia: Reston Publishing Company, c1981. pg. 23

[4] Schwartau ibid.

[5] Power, Boyd and Pring, Ben, "Application Outsourcing: The user perspective" Gartner Group, c2000. pg. 4

[6] Parker ibid. pg. 43

[7] The American Heritage Dictionary of the English Language, Third Edition Copyright 1996, 1992 Houghton Mifflin Company

[8] Parker ibid. pg. 9

[9] Parker ibid. pg. 4

[10] Parker ibid. pg. 136

[11] The American Heritage Dictionary ibid.

[12] The American Heritage Dictionary ibid.

[13] The American Heritage Dictionary ibid.

[14] The American Heritage Dictionary ibid.

[15] The American Heritage Dictionary ibid.

[16] Parker, Donn B., "Fighting computer crime: A new framework for protecting information" New York: Wiley, c1998. pg. 256

[17] Trends in Proprietary Information Loss, American Society for Industrial Security/PricewaterhouseCoopers Survey Report, 1999.
