CERT: Insider Threats Can Have Costly Security Consequences
Organizations spend a lot of time worrying about hackers and cybercriminals breaking into their networks, but sometimes the biggest threat they face is sitting right inside their offices.
In a presentation Thursday at RSA Conference 2013, Dawn Cappelli, technical manager of the CERT Insider Threat Center at Carnegie Mellon University, described several cases in which current and former employees sabotaged companies by planting malware, stole confidential corporate data or colluded with outsiders to commit fraud. The center has tracked 800 insider threat cases since 2001.
In cases involving theft of intellectual property such as business plans or source code, the culprit is often the person who worked on the project, Cappelli said. "They can throw it [the information] on a USB drive, and chances are they won't be caught," she said.
Most insider fraud cases involve lower-level support employees such as help desk personnel or bank tellers who conspire with outsiders, she said. "It starts with financial need and turns into financial greed."
Cases involving sabotage often involve highly technical employees such as system administrators who become disgruntled and are either fired or quit and set up an attack before they leave the company, she said.
Organizations should pay careful attention to file-sharing services such as Dropbox and to virtual machines, both of which employees can use to exfiltrate information, Cappelli said.
One actual insider threat case involved a product development manager at a networking products company who had access to clients' trade secrets in order to provide services, Cappelli said. That manager had access to information belonging to two clients in the semiconductor industry and downloaded 80 documents before he left the company and took a job with one of those semiconductor clients. Eighteen of the documents belonged to the competitor of his new employer, which ended up turning him in to the authorities.
"That's a scary case, and it could happen to just about anybody," she said.
The incident underscores the need to ensure business partners protect information, she said. "You need to audit their controls and build it into contracts," she said.
Shared computers are another source of potential insider fraud, she said. At a university, two students loaded malware onto publicly accessible computers in order to steal credentials and spy on student records and professors' communications. At a hospital, a disgruntled security guard with a background in system administration installed malware on systems. He boasted of his work by videotaping it; another hacker saw the video and contacted the FBI.
"If his malware had executed, it probably would have cost lives," CERT's Cappelli said.
At a retail company, a network engineer who knew he was going to be fired created a VPN token for a fake employee before he left. He then called the company's help desk and, pretending to be the new employee, had the credential activated. Several months later, he deleted corporate email accounts and virtual machines, and wreaked havoc in general.
Another case was simply tremendously embarrassing for the CEO of a company. When he was giving a PowerPoint presentation to the board, the presentation shut down and was replaced with pornography. The culprit, who installed a keylogger to sabotage the presentation, was the MIS director the CEO had recently fired.
In another case, three employees at a law firm used Dropbox to transfer 78,000 client files outside the organization before they all abruptly quit. They set up the information sync in both directions, so that their former employer wound up with modified data, which led to unhappy clients.
Organizations can protect themselves from such inappropriate use of services like Dropbox with mitigation measures such as tuning an intrusion detection system to watch for the Web protocols and domains associated with the service, said Alex Nicoll, lead of the technical solutions team at CERT. Organizations can also monitor network traffic to track down unauthorized use of file-sharing utilities, he said.
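The monitoring Nicoll describes can be done on the Web proxy or DNS tier even when the file-sharing traffic itself is encrypted, because the destination host name is still visible. The following is an added example and is not code from CERT or from the article: it parses a constructed proxy log, tags requests to a small, assumed list of Dropbox-associated domains, and flags clients whose uploads to such services exceed a threshold. The log format, the domain list and the threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article).
# Fields: timestamp, client IP, HTTP method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2013-02-27T09:12:01 10.1.4.22 POST content.dropboxapi.com 52428800
2013-02-27T09:12:05 10.1.4.22 POST content.dropboxapi.com 104857600
2013-02-27T09:13:10 10.1.4.31 GET www.example.com 1200
2013-02-27T09:15:44 10.1.4.22 POST content.dropboxapi.com 314572800
2013-02-27T10:01:02 10.1.4.57 GET www.dropbox.com 8192
2013-02-27T10:02:30 10.1.4.57 POST content.dropboxapi.com 2048
2013-02-27T10:05:00 10.1.4.90 GET dropbox.com.evil.example 4096
"""

# Assumed list of domains associated with the service's Web protocols.
# Maintain this from your own threat intelligence; it is illustrative, not authoritative.
FILE_SHARING_DOMAINS = {
    "dropbox.com": "dropbox",
    "dropboxapi.com": "dropbox",
    "dropboxusercontent.com": "dropbox",
}

# Methods that carry data out of the organization.
UPLOAD_METHODS = {"POST", "PUT"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<bytes>\d+)$"
)


def classify_host(host):
    """Return the service label if the host, or any parent domain of it, is a known
    file-sharing domain; otherwise None. Matching on parent domains catches
    subdomains such as content.dropboxapi.com while a look-alike such as
    dropbox.com.evil.example does not match because 'dropbox.com' is not a suffix of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in FILE_SHARING_DOMAINS:
            return FILE_SHARING_DOMAINS[candidate]
    return None


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        yield rec


def file_sharing_clients(text):
    """Map (client, service) -> number of requests, for every client that touched a
    file-sharing service at all. Useful for finding unauthorized use regardless of volume."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        svc = classify_host(rec["host"])
        if svc:
            counts[(rec["client"], svc)] += 1
    return dict(counts)


def find_bulk_uploads(text, upload_threshold=100 * 1024 * 1024):
    """Sum client-sent bytes on upload methods per (client, service) and return the
    pairs at or above upload_threshold (default 100 MiB, an assumed tuning value)."""
    uploads = defaultdict(int)
    for rec in parse_log(text):
        svc = classify_host(rec["host"])
        if svc and rec["method"] in UPLOAD_METHODS:
            uploads[(rec["client"], svc)] += rec["bytes"]
    return {k: v for k, v in uploads.items() if v >= upload_threshold}


if __name__ == "__main__":
    for (client, svc), n in sorted(file_sharing_clients(SAMPLE_LOG).items()):
        print(f"{client} used {svc} in {n} request(s)")
    for (client, svc), total in sorted(find_bulk_uploads(SAMPLE_LOG).items()):
        print(f"ALERT: {client} uploaded {total} bytes to {svc}")
```

Two points matter in practice. First, volume alone will not catch the law-firm case above, where the damage came from the sync being bidirectional; pairing the upload alert with a review of which accounts are entitled to use the service at all is what turns "some traffic to Dropbox" into "unauthorized use." Second, the same suffix-matching logic works on DNS query logs or TLS SNI fields when no proxy is in the path.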
Cappelli described an insider threat case in which a financial engineer stole a hedge fund's trading algorithm by using two virtual machines to bypass the firm's security mechanisms. He planned to set up his own hedge fund in China.
Nicoll said steps organizations can take to prevent misuse of virtual machines include scanning memory files and tying virtual environments into existing security systems.
PUBLISHED FEB. 28, 2013