>> position is much better than someone trying to pull off a simple social >> engineering ploy. The trick is detecting a change in their actions or >> routines that will indicate a willingness to abuse the system. Does anyone >> profile known abusers after the fact, to determine some common theme of >> behavior amongst them? > >The common behavior is: they all break into systems. What about before they abused the system? Not every intruder starts out with a plan of compromising the system. Many are formerly trusted employees, that for whatever reason feel a need to misuse a system. These people are the ones who alter data to foul up things after they're gone, or steal client lists to take to the next job. This type of abuse may seem minor to some, but can be quite costly to a business. > >Ya gotta be careful when setting up "cracker profiles"; there's a pretty >high potential for misuse. > I'm not suggesting publishing names and addresses, I'm interested in the patterns of behavior in a group of people. -Eric