CERT: Insider Threats Can Have Costly Security Consequences


Shared computers are another source of potential insider fraud, she said. At a university, two students loaded malware onto publicly accessible computers in order to steal credentials and spy on student records and professors' communications. At a hospital, a disgruntled security guard with a background in system administration installed malware on systems. He boasted of his work by videotaping it; another hacker saw the video and contacted the FBI.

"If his malware had executed, it probably would have cost lives," CERT's Cappelli said.

At a retail company, a network engineer who knew he was going to be fired created a VPN token for a fake employee before he left. He then called the company's help desk and pretended to be a new employee to activate the credential. Several months later, he deleted corporate email accounts and virtual machines, and wreaked havoc in general.

Another case was simply tremendously embarrassing for the CEO of a company. When he was giving a PowerPoint presentation to the board, the presentation shut down and was replaced with pornography. The culprit, who installed a keylogger to sabotage the presentation, was the MIS director the CEO had recently fired.

In another case, three employees at a law firm used Dropbox to transfer 78,000 client files outside the organization before they all abruptly quit. They set up the information sync in both directions, so that their former employer wound up with modified data, which led to unhappy clients.

Organizations can use mitigation measures, such as tuning an intrusion detection system to watch for the Web protocols associated with the service, to protect themselves from such inappropriate use of services like Dropbox, said Alex Nicoll, lead of the technical solutions team at CERT. Organizations can also monitor system traffic to track down unauthorized use of file sharing utilities, he said.
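One way to apply Nicoll's advice on the network side is to run detection logic over Web proxy logs, flagging hosts associated with the file sharing service and summing upload volume per user. The following is an added example, not CERT's code; it assumes a simple constructed proxy log format and a hand-maintained list of Dropbox domain suffixes.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article). Assumed format:
# <timestamp> <client_ip> <user> <method> <host> <bytes_sent> <bytes_received>
# With HTTPS, a proxy typically logs the CONNECT host, so hostnames remain visible.
SAMPLE_PROXY_LOG = """\
2013-02-27T09:01:12 10.0.5.21 jdoe GET www.example.com 512 20480
2013-02-27T09:02:40 10.0.5.21 jdoe POST content.dropboxapi.com 52428800 1024
2013-02-27T09:03:05 10.0.5.21 jdoe POST content.dropboxapi.com 41943040 1024
2013-02-27T09:05:19 10.0.5.33 asmith GET www.dropbox.com 1024 8192
2013-02-27T09:06:00 10.0.5.40 bjones GET intranet.corp.local 300 4096
"""

# Domain suffixes associated with the watched service (assumption: public Dropbox
# web and API domains; maintain this list for your own environment).
WATCHED_SUFFIXES = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def is_watched_host(host):
    """True if host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def summarize_uploads(log_text):
    """Return {(client_ip, user): total_bytes_sent} for traffic to watched hosts."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, ip, user, _method, host, sent, _recv = m.groups()
        if is_watched_host(host):
            totals[(ip, user)] += int(sent)
    return dict(totals)


def flag_exfil(log_text, threshold_bytes=50 * 1024 * 1024):
    """(client_ip, user) pairs whose upload volume to the service exceeds the threshold."""
    return sorted(k for k, v in summarize_uploads(log_text).items() if v > threshold_bytes)


if __name__ == "__main__":
    for ip, user in flag_exfil(SAMPLE_PROXY_LOG):
        print(f"ALERT: {user}@{ip} exceeded upload threshold to watched service")
```

Browsing the service's web site alone produces little outbound volume, so the byte threshold separates the client sync in the case above from ordinary use.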

Cappelli described an insider threat case in which a financial engineer stole a hedge firm's trading algorithm by using two virtual machines to bypass the firm's security mechanisms. He had plans to set up his own hedge firm in China.

Nicoll said steps organizations can take to prevent misuse of virtual machines include scanning memory files and tying virtual environments into existing security systems.

PUBLISHED FEB. 28, 2013