Disgruntled Staff Pose Insider Threat Risk, FBI Warns

Tom Jowitt,
security hazard

Beware the threat from within, says new warning about the hacking risk from unhappy employees

Companies are once again being warned about the security risks to their systems posed by unhappy employees and former members of staff.

The new warning from the FBI and the Department of Homeland Security (DHS) came in a public service notice issued on Tuesday, warning organisations that there has “been an increase in computer network exploitation and disruption by disgruntled and/or former employees.” It adds that organisations risk the theft of their proprietary information, and staff are opting to facilitate these attacks through the use of cloud storage Web sites, like Dropbox, and personal email accounts.

It warned that in many cases, former staff members continued to have access to the computer networks through the installation of unauthorised remote desktop protocol software prior to them leaving the company.

Cloud Hack

identity deception fraud social engineering security © Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?) So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time. The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do: 1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security. 2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials. 3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager. 4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged. 5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate. It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work: One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer. Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices to enforce password discipline in place already. ShutterstockTypical attacks have included attempts by disgruntled or former employees to extort their employer for financial gain. Often, these extortion cases have a financial impact on the organisation concerned, with the notice estimating that victim businesses incur significant costs ranging from $5,000 (£3,053) to $3m (£1.8m).

But attacks also include modifying and restricting access to company Websites, disabling content management systems, and conducting distributed denial of service attacks.

“The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on,” the FBI and DHS’s note said.

“The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations.”

It also warned that insiders tended to use their access to corporate systems to “destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company.”

Safeguarding Advice

There are of course a number of obvious measures that organisations can undertake to minimise the risks posed by unhappy staff, or former employees. This includes regularly reviewing staff access and limiting their access to only the areas they need to do their job.

When a staff member leaves, his or her access should be terminated immediately. When IT personnel leave, all administrative passwords to servers and networks should also be changed. And organisations should ban the use of shared usernames and passwords for remote desktop protocols, and do not use the same login and password for multiple platforms, servers, or networks.

But there are other, less obvious practices that organisations should undertake. This includes letting third party companies that provide technical support or email support, know when an employee has left, so they cannot be duped into providing new access rights. Additionally, companies are advised to restrict Internet access on corporate computers to cloud storage Web sites.

Staff should also not be allowed to install unauthorised software on corporate computers, and daily backups should be maintained. Staff should also be forced to change their passwords to corporate accounts regularly.

Warnings of this nature are nothing new. Last year, a study sponsored by security firm Vormetric found that most organisations do not block privileged users from access to sensitive data.

It also highlighted the fact that one of the biggest data breaches of all time occurred not by a malicious external actor, but by IT contractor Edward Snowden, who was able to take privileged information from the National Security Agency (NSA).

Are you a security pro? Try our quiz!