In response to an FBI warning that disgruntled current and former employees are increasingly using Internet cloud services and other computer tools to hack their current or former companies, security experts at ESET and Tripwire have offered the following comments:
Enter Mark James, security expert at ESET:
“This type of threat is very real indeed. The resources available to ex-employees, either secured just prior to leaving or by still using credentials after they leave, are an extremely effective weapon. Installing third-party software to gain access at a later date is a relatively simple process, especially if you already have a good knowledge of internal systems and, even more so, if you have a hand in managing them. The sheer wealth of software available to download and use is beyond belief and can easily be installed, hidden and accessed later. Far too often internal admin user accounts are rarely changed even after IT staff leave, and with all that knowledge it’s all too easy to cause actual harm to web services, servers or even subscribed services that the company uses. Former employees may also use relationships with colleagues to gain access to systems, by still communicating with friends or colleagues that still work at the company, either by sending infected emails or supplying them free software for internal use.
What can you do to protect yourself against this type of attack? Firstly, make sure you review the access your staff have from top to bottom. It’s honestly just a simple process of “do you need to access that file, directory or server?” and if not, remove it. Secondly, have a good policy in place for using personal outsourced cloud storage services; Dropbox, Apple, Google Drive, etc. should all be monitored very carefully as they provide direct access onto your network with all your protection removed! Thirdly, have a good process in place to change passwords periodically; make sure that not only internal staff are aware once someone leaves, but also the external companies that supply you services. Often staff have access to admin panels or control portals for web services that could easily cause disaster if tampered with or even cancelled. Immediately disable all accounts associated with former employees, divert all emails to a holding email address and review often. In addition to this, make sure you use two-factor authentication for all remote access; even if passwords and usernames are compromised, 2FA will stop access regardless. Fourthly, run regular AV scans with good up-to-date anti-virus software and review network activity on a regular basis; inform someone immediately if ANYTHING looks suspicious. Have the means to monitor all internet usage, even if you don’t enforce it or use it on a daily basis. The ability to go back and check is a lot better than wishing you had done so in the first place. Finally, have good external device control; where possible, monitor data being copied from and TO external devices like USB sticks, and do not forget CD/DVDs. Almost every machine has one and blank media costs pennies.”
Enter Craig Young, security researcher at Tripwire:
“IT employees often have the knowledge and access to seriously cripple business operations. Shionogi pharmaceutical learned this lesson the hard way a few years back: http://www.fbi.gov/newark/press-releases/2011/former-shionogi-employee-arrested-charged-with-hack-attack-on-company-servers
Employees can also leak sensitive information such as customer lists, manufacturing secrets, and other intellectual property in retribution for grievances. Insider threat is one of the most difficult challenges for the enterprise, since businesses must trust employees with access to their systems in order to be productive. Some measures can limit the risk, but when someone has legitimate access to some data or systems it is almost impossible to defend against all malicious actions. A mixture of in-house and managed security services can help provide additional oversight by adding checks and balances, but this redundancy also adds to operating costs. Revocable two-factor authentication can also limit exposure, but it is crucial that remote access accounts are disabled immediately when employees are terminated. The use of network and host monitoring systems such as data loss prevention and file integrity monitoring can also quickly draw attention to unauthorized actions.”
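As an added illustration of the offboarding checks both commenters above describe (review and disable former employees' accounts, require 2FA on remote access, and watch for credential use after someone has left), the following audit script is not from the article or from ESET or Tripwire. The HR termination list, the account export and the VPN log lines are constructed sample data, and their field names are assumptions.

```python
# Constructed sample inputs (not from the article): an HR list of leavers with
# their last day, an identity-system export of accounts, and VPN/SSO login lines.
TERMINATIONS = {"jdoe": "2024-03-01", "asmith": "2024-03-10"}
ACCOUNTS = {
    "jdoe":         {"enabled": True,  "mfa": False},  # never disabled after leaving
    "asmith":       {"enabled": False, "mfa": True},   # correctly disabled
    "bwong":        {"enabled": True,  "mfa": True},   # current employee
    "vendor-admin": {"enabled": True,  "mfa": False},  # shared portal account
}
LOGINS = [
    "2024-03-03T22:14:09 user=jdoe src=203.0.113.7 service=vpn result=success",
    "2024-03-04T09:01:44 user=bwong src=10.0.0.5 service=vpn result=success",
    "2024-03-12T01:30:00 user=asmith src=198.51.100.9 service=vpn result=failure",
]


def parse_login(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; timestamp kept under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def audit(terminations, accounts, logins):
    """Return (finding, user, detail) tuples for the three offboarding gaps."""
    findings = []
    # 1. Leavers whose account is still enabled.
    for user, last_day in terminations.items():
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            findings.append(("ACCOUNT_STILL_ENABLED", user, last_day))
    # 2. Enabled accounts that can reach remote access without a second factor.
    for user, acct in accounts.items():
        if acct["enabled"] and not acct["mfa"]:
            findings.append(("REMOTE_ACCESS_WITHOUT_MFA", user, ""))
    # 3. Any login attempt (success or failure) after the user's last day.
    #    ISO-8601 dates compare correctly as strings, so no datetime parsing needed.
    for line in logins:
        rec = parse_login(line)
        last_day = terminations.get(rec["user"])
        if last_day and rec["ts"][:10] > last_day:
            findings.append(("LOGIN_AFTER_TERMINATION", rec["user"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for finding in audit(TERMINATIONS, ACCOUNTS, LOGINS):
        print(*finding)
```

Failed attempts by a disabled leaver (asmith above) are reported as well, since a former employee still trying old credentials is exactly the signal the commenters say to watch for.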
Enter Ken Westin, security researcher at Tripwire:
“Tools such as Dropbox make exfiltration of data much easier for non-technical employees and are only one of many methods that can be used. An employee may have Dropbox running on their systems that are connected to shared drives on the network as well, so even if the employee is terminated they will still have access to files through their account. Many times these accounts that are set up are personal accounts, and IT administrators do not have access to revoke their credentials or control the data that is shared through these services. Other cloud services like Salesforce are also easy targets, as there is generally very little monitoring in place and employees have access to a great deal of customer data that can be downloaded without triggering alerts.”
Enter Tim Erlin, director of security and risk at Tripwire:
“Insider threats are not a new phenomenon, but they continue to be one of the hardest threats to mitigate. Detecting unauthorized activity is a known art in information security, and while it remains an arms race between attacker and defender, the dynamics are well understood. Determining when an authorized user’s behavior moves from productive to malicious is a wholly different problem to solve. The behavior itself may not change dramatically, and the user may have permissions for each action they take, but the outcome can be devastating. The increase in BYOD and telecommuting within the workforce exacerbates the problem as employers have less and less control over the work environments through which their data may move.”