
Internal threats alive and well

By admin, February 3, 2009 7:53 am

As if Fannie Mae weren't already having enough troubles, it seems that at the height (depth?) of the credit market implosion late last year it was also suffering an insidious threat from within its own ranks: a logic bomb planted by a disgruntled contractor who was in the process of being released.

Information Week has more details on the story. I came upon it by way of the SANS daily handler's diary, which asks "How do you audit your production code?" … an extremely relevant question these days, with tens of thousands of IT jobs on the chopping block and staff loyalty at an all-time low. How many agitated engineers are polishing up their own "deadman" logic bombs right now, either guarding against, or taking vengeance in the event of, their own termination from employers for whom no love is lost?
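One way to start answering that audit question, as an added example that is not from the SANS diary or the original post: a heuristic scan over a checkout that flags lines where a clock read sits beside a hard-coded calendar date or a data-destroying call, so the hits can be handed to a second-party reviewer. The sample files and the regex patterns are constructed assumptions.

```python
import re

# Constructed sample files standing in for a checkout of production code.
# Two of them carry date-triggered destructive logic; one is benign.
SAMPLE_SOURCE = {
    "jobs/nightly_cleanup.sh": [
        "#!/bin/sh",
        'if [ "$(date +%Y%m%d)" -ge 20090131 ]; then',
        '    rm -rf "$DATA_DIR"',
        "fi",
    ],
    "jobs/purge.py": [
        "import datetime, shutil",
        "def run():",
        "    if datetime.date.today() >= datetime.date(2009, 1, 31):",
        "        shutil.rmtree('/srv/app/state')",
    ],
    "lib/report.py": [
        "import datetime",
        "def build(rows):",
        "    today = datetime.date.today()",
        "    return [r for r in rows if r.created <= today]",
    ],
}

# Assumed heuristics (not exhaustive): reads of the clock, hard-coded
# calendar dates, and calls that destroy data. Matches are candidates
# for human review, not verdicts.
CLOCK_READ = re.compile(r"\b(date\b|time\.time\(|today\(|now\(|utcnow\(|sysdate\b|getdate\()", re.I)
DATE_LITERAL = re.compile(
    r"(\b(19|20)\d{2}[-/]?(0[1-9]|1[0-2])[-/]?(0[1-9]|[12]\d|3[01])\b"
    r"|\bdate\(\s*(19|20)\d{2}\s*,)", re.I)
DESTRUCTIVE = re.compile(
    r"(\brm\s+-rf?\b|rmtree\(|\bunlink\(|DROP\s+TABLE|TRUNCATE\s|DELETE\s+FROM|dd\s+if=)", re.I)

def audit(source, window=3):
    """Return (path, line_no, reason) for lines that look like a clock-triggered
    destructive action. Ordinary clock use (lib/report.py) is not flagged."""
    findings = []
    for path, lines in source.items():
        clock_lines = [n for n, text in enumerate(lines, 1) if CLOCK_READ.search(text)]
        for n, text in enumerate(lines, 1):
            if n in clock_lines and DATE_LITERAL.search(text):
                findings.append((path, n, "clock read compared with hard-coded date"))
            if DESTRUCTIVE.search(text) and any(abs(n - c) <= window for c in clock_lines):
                findings.append((path, n, "destructive call within %d lines of a clock read" % window))
    return findings

if __name__ == "__main__":
    for path, n, reason in audit(SAMPLE_SOURCE):
        print("%s:%d: %s" % (path, n, reason))
```

Run against a real tree by reading each file into the dictionary; the window and patterns are the knobs to tune against the false-positive rate on your own code base.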

The SANS discussion comes up with four old standbys for internal security: separation of duties, (minimum) role-based access, mandatory second-party review, and strong versioning/change management systems. None of these are new concepts, either in principle or execution, but it amazes me how many companies implement few or none of them internally. Even worse are those who have designed such systems, but regularly circumvent them with a nod and a wink because the design proved cumbersome or an inexact match for internal requirements. This often happens at the same time the organization is beefing up security against perceived external threats, which statistically represent a far lesser threat.

To be blunt, if you don't have internal controls, design some. If you have them but they aren't being followed, change them. A well-designed system isn't going to significantly impede staff from performing their work. There is a certain innate resistance in IT staff, particularly on the operations side, to being locked out of anything, but that is a cultural problem, and it is time to address it. If you are heading for a round of layoffs, or even if your staff just think you are, don't rely on serendipity to protect the livelihoods of those who remain.
