If corporate executives have any doubt that malicious employees are among their greatest potential security threats, they should look at the case of a former DuPont Co. senior scientist as the ultimate cautionary tale, one security expert said Thursday.
"By default you trust insiders," said Ron Ben-Natan, chief technology officer of Waltham, Mass.-based data security firm Guardium, Inc. "The challenge is always in how you balance the trust you give them with the right amount of security so a few bad apples can't get away with this sort of thing."
Gary Min, also known as Yonggang Min, is a former senior chemist for DuPont who faces up to a decade in prison and a $250,000 fine after pleading guilty to stealing trade secrets in November. The case was unsealed by federal prosecutors in Wilmington, Del., Thursday.
Min, 43, was accused of stealing approximately $400 million worth of information from DuPont and attempting to leak it to a third party. He is scheduled to be sentenced March 29.
According to local news reports, Min, a naturalized U.S. citizen from China, has surrendered his passport and is cooperating with federal authorities. Min's attorney, Michael Mustokoff, said his client accepts responsibility for what he did.
Investigators say Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex PLC, a DuPont competitor. Shortly after opening the dialogue with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI.
Ben-Natan said there are several lessons in this case for enterprise IT shops to heed. The company must identify its most sensitive information and get a sense of what daily network activity around that information looks like. Then it must build a security policy with specific rules as to how much access employees can have and what they should not be accessing. There also needs to be a copious audit trail of network activity to help administrators uncover sinister doings, he said.
"If you are in healthcare, you know the patient information is important and you need detailed rules around that information," he said. "You may give an administrator some access to that database, but you have to work it into the policy that they're not allowed to read the records. You need to clearly define what they have permission to do, and then have the security in place to monitor when that user is doing what's not allowed."
In the DuPont case, he noted how Min downloaded tens of thousands of documents. "A normal employee wouldn't need to review 16,000 documents. Why would you? In hindsight, they would find that a normal employee wouldn't download more than a couple hundred documents a day," Ben-Natan said. "The key is to know what is normal activity so you can spot the abnormal."
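The discipline Ben-Natan describes (name the sensitive store, learn what routine daily volume looks like, write a hard rule, and keep an audit trail you can actually query) can be sketched in a few dozen lines. The block below is an added example, not code from the article, from Guardium or from DuPont; the log format, the `research-library` repository as the sensitive store, the 200-documents-per-day cap and the outlier threshold are all assumptions, and the audit-trail lines it runs over are constructed.

```python
"""Baseline-and-outlier detection over a document-access audit trail.

Added example; not the article's, Guardium's or DuPont's code. Everything
below the imports (log format, sensitive repository, daily cap, threshold)
is an assumption made for illustration.
"""
import re
import statistics
from collections import defaultdict

# Assumed audit-trail line format: "<ISO timestamp> user=.. action=.. repo=.. doc=.."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s+"
    r"user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+repo=(?P<repo>\S+)\s+doc=(?P<doc>\S+)$"
)
SENSITIVE_REPOS = {"research-library"}  # step 1: name the crown jewels (assumed)
POLICY_DAILY_CAP = 200                   # step 2: hard rule, assumed figure


def parse_line(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def daily_counts(lines):
    """Distinct sensitive documents downloaded per (user, day).

    Distinct ids, so re-fetching the same file does not inflate the count;
    views and non-sensitive repositories are ignored entirely.
    """
    docs = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "download":
            continue
        if rec["repo"] not in SENSITIVE_REPOS:
            continue
        docs[(rec["user"], rec["day"])].add(rec["doc"])
    return {key: len(ids) for key, ids in docs.items()}


def robust_threshold(values, k=5.0):
    """Median + k * scaled MAD over all user-days.

    A mean/stddev baseline is dragged upward by the very bulk pull we want to
    catch; median and median absolute deviation are not.
    """
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    spread = 1.4826 * mad if mad > 0 else 1.0  # avoid a zero-width band
    return med + k * spread


def find_abnormal(counts, k=5.0):
    """Return {(user, day): (count, reason)} for user-days that break the hard
    cap or sit far outside the population's routine volume."""
    cut = robust_threshold(list(counts.values()), k)
    flagged = {}
    for key, n in sorted(counts.items()):
        reasons = []
        if n > POLICY_DAILY_CAP:
            reasons.append(f"exceeds policy cap {POLICY_DAILY_CAP}")
        if n > cut:
            reasons.append(f"exceeds routine volume (cut-off {cut:.0f})")
        if reasons:
            flagged[key] = (n, "; ".join(reasons))
    return flagged


def make_sample_log():
    """Constructed audit trail: four users with routine daily volumes (5 to 24
    documents), one of whom pulls 900 on the last day. Deterministic."""
    lines = []
    users = ["alice", "bob", "carol", "min"]
    for day in range(1, 8):
        for u_idx, user in enumerate(users):
            n = 5 + (u_idx * 7 + day * 3) % 20
            if user == "min" and day == 7:
                n = 900  # the bulk pull
            for k in range(n):
                lines.append(f"2005-10-{day:02d}T09:{k % 60:02d}:00 user={user} "
                             f"action=download repo=research-library doc=D-{day}-{k}")
            # noise the detector must ignore: a view, and a non-sensitive repo
            lines.append(f"2005-10-{day:02d}T12:00:00 user={user} action=view "
                         f"repo=research-library doc=D-{day}-0")
            lines.append(f"2005-10-{day:02d}T12:30:00 user={user} action=download "
                         f"repo=cafeteria-menu doc=MENU")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for (user, day), (n, why) in find_abnormal(daily_counts(make_sample_log())).items():
        print(f"{day} {user}: {n} sensitive documents; {why}")
```

Two thresholds are deliberate: the hard cap is the policy rule an auditor can point to, and the robust statistical cut-off catches a pull that is large relative to the organisation's actual routine even when the policy figure was set too generously. On the constructed trail the median is 15 documents per user-day and only the 900-document day is flagged.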
IT professionals have long identified the insider threat as the one that keeps them awake at night. In a SearchSecurity.com series on the merging physical-cyber threat in September 2005, for example, Jason James, vice president of IT for Happy State Bank in Texas, said the internal threat should be anyone's number-one fear.
James said at the time that his team had gotten a better grip on where the network threats were, using software from Boston-based Core Security Technologies.
"Before Core, we didn't know what shape we were in," James said. "We had a firewall but no way to know if it was configured properly. Any server with internal or external exposure, we now have a better sense of when abnormal activity happens."
But in the end, he said, there's no magic bullet for stopping insiders with an appetite for destruction.
"Keeping out external attacks is one thing. But when it's from someone with trusted access it's harder to get a handle on, especially as the company grows," he said.