
Monsters Are Real, Insider Ghosts Are Too


[fa icon="calendar"] Aug 10, 2016 7:30:00 AM / by WALLIX


Insider threats are very real. Hackers are perceived as faceless figures in hoods. The insider is your colleague, your friend, a member of your team. Working with third-party companies and contractors is a fact of life: 81% of companies outsource part of their operations to an external service provider (according to PwC), and why not, when there are benefits to be gained in cost, agility and productivity?


Not all cyber-crime is faceless...

Some security experts predict that the biggest threat to an organisation comes from organised teams of highly skilled cyber-attackers, overlooking the obvious. In previous posts we've examined what's in the mind of an external malicious attacker. But what if the threat is closer to home, inside your network perimeter, inside your building or even in your office? In this post we examine the motivations someone can have to create havoc from within.

Disgruntled IT staff can be a significant risk to any organisation, as they generally have administrative access to the privileged systems that are key to the daily operation of the business. These employees' access can be monitored, but without knowing what outcomes discontented insiders are likely to pursue, monitoring can become strenuous and overbearing.

This article focuses on human beings on the payroll with a real name, so there are no hard and fast rules for spotting a rogue. The law of averages means there is a possibility you could miss the early warning signs from an otherwise talented and hardworking employee who is prepared to abuse their privileges for their own gain, whether that gain is financial or simply getting their own back.


The orphan account risk...

Many organisations don't effectively decommission privileged users when they move from one role to another or, even worse, when they leave altogether. Such leftover accounts are known as orphaned accounts, and they remain a huge issue: most disgruntled employees end up leaving, whether voluntarily or not, and a failure to decommission their privileged access leaves them with the means to steal data while their grievance supplies the motive. The same line of thought applies to specialist contractors and "trusted" third parties.

Unfortunately, eliminating orphaned accounts is much easier said than done. With so many systems, identity stores and applications managed in silos, accounts can easily fall between the cracks. In some cases, especially for privileged users such as administrators, login credentials are shared. What happens when one of the admins leaves or changes roles? Is the shared account's password changed? Or maybe decommissioning doesn't happen because users have accounts IT doesn't even know about, also known as shadow IT.
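The three failure modes above (a personal admin account still enabled after its owner has left, an account with no known owner, and a shared credential that was never rotated after one of its holders left) can be caught by reconciling the privileged-account inventory against the HR roster. The following is an added example written for this post, not WALLIX code; the HR roster, account export and rotation dates are constructed inline, and the field names are assumptions for illustration.

```python
"""Reconcile privileged accounts against the HR roster.

Added example, not WALLIX code. All input data below is constructed for
illustration; the record fields are assumptions, not a real export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List, Dict


@dataclass
class Person:
    user_id: str
    terminated: Optional[date] = None   # None means still employed


@dataclass
class Account:
    name: str
    enabled: bool
    owners: Tuple[str, ...]             # user_ids who hold the credential; () = unknown
    shared: bool = False
    last_rotated: Optional[date] = None  # only meaningful for shared accounts


# Constructed HR roster (assumed): who works here and when they left.
HR: Dict[str, Person] = {
    "alice": Person("alice"),
    "bob": Person("bob", terminated=date(2016, 3, 1)),
    "carol": Person("carol", terminated=date(2016, 7, 15)),
}

# Constructed privileged-account export (assumed).
ACCOUNTS: List[Account] = [
    Account("alice-admin", True, ("alice",)),
    Account("bob-admin", True, ("bob",)),                 # owner left, still enabled
    Account("carol-admin", False, ("carol",)),            # correctly disabled
    Account("svc-backup", True, ()),                      # nobody knows who owns it
    Account("root@fw01", True, ("alice", "bob"), shared=True,
            last_rotated=date(2016, 1, 10)),              # not rotated since bob left
    Account("root@db01", True, ("alice", "carol"), shared=True,
            last_rotated=date(2016, 8, 1)),               # rotated after carol left
]

TODAY = date(2016, 8, 10)


def audit(accounts: List[Account], hr: Dict[str, Person], today: date) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for every enabled account that should not be."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already decommissioned
        if not acct.owners:
            findings.append((acct.name, "orphaned: no known owner"))
            continue
        unknown = [u for u in acct.owners if u not in hr]
        if unknown:
            findings.append((acct.name, "orphaned: owner not in HR roster: " + ",".join(unknown)))
        gone = [u for u in acct.owners
                if u in hr and hr[u].terminated is not None and hr[u].terminated <= today]
        if not gone:
            continue
        if acct.shared:
            # A shared credential is only safe if it was rotated after the last departure.
            latest_exit = max(hr[u].terminated for u in gone)
            if acct.last_rotated is None or acct.last_rotated < latest_exit:
                findings.append((acct.name,
                                 f"shared credential not rotated since {latest_exit} (left: {','.join(gone)})"))
        else:
            days = (today - hr[gone[0]].terminated).days
            findings.append((acct.name, f"enabled {days} days after owner {gone[0]} left"))
    return findings


def default_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed data with the fixed reference date."""
    return audit(ACCOUNTS, HR, TODAY)


if __name__ == "__main__":
    for name, reason in default_audit():
        print(f"{name}: {reason}")
```

Run against the constructed data this flags bob-admin (still enabled 162 days after termination), svc-backup (no owner on record) and root@fw01 (shared root password older than bob's departure), while carol-admin and root@db01 pass because the account was disabled and the shared password rotated, respectively. In practice the HR and account inputs come from your HR system and each identity store, and the check should run on a schedule rather than only at offboarding, since the case studies below show how quickly a still-enabled credential is used.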

So what's the reality and why care...

The CERT Insider Threat Database contains over 1,000 incidents where insiders have either harmed their organisation (sabotage); stolen proprietary information (theft of intellectual property); or modified or deleted data for the purpose of personal gain or identity theft (fraud). Of these cases, 33 were reported to involve a disgruntled employee, as documented by either court documents or witness statements. This shows that even though the database holds a large number of cases, the documentation of such behaviour is limited, and it is likely that other cases also involved a disgruntled employee.

Of those 33 cases, 70% have been categorised as sabotage, with 85% of those sabotage cases documenting revenge as the primary reason behind the attacks. Other incidents identified motives of benefiting a new employer or the need for recognition. With these findings, it is no surprise that the top three specific outcomes of disgruntled-employee attacks are data deletion (13 cases), system blocked from access (11 cases), and data copied (10 cases). It is possible for an incident to have multiple outcomes: in these 33 cases, 6 have both data deletion and system blocked from access as the impact to the organisation. However, there were no cases in which the insider both deleted data or blocked access to the system and copied data.


Fired so I got my own back remotely over the next 4 months...

The incidents involving data deletion ranged from deleting specific records to deleting source code, which corrupted a critical system that the company and its customers relied on. In one case, the insider, who had full access to the company's network and systems, had a falling out with his employer and was terminated. Starting on the day of his termination, he remotely attacked the organisation over the following four months. The insider deleted crucial files on servers, removed key backup disks, and deleted numerous records from an important database used by other systems. The insider was able to attack the organisation in this manner because his credentials were still enabled.

In a separate incident, an insider remotely blocked access to a system within 30 minutes of being terminated. The insider was able to access the victim organisation's network because his credentials had not yet been disabled. The insider's job duties had given him authorised remote access to the firewall so that he could repair it off site. He used this access to block the CEO's account from reaching the internet and modified files to disable the system.

I had plenty of time to plan chaos...

Another incident involved an insider who had various external personal issues, including a custody battle and financial problems. These were compounded by a poor performance review and notification that he was being terminated in two months. The insider's supervisor characterised him as volatile, angry, and inflexible. The insider became hostile at work, even threatening the HR department, and was immediately terminated. He had previously installed back doors into the network, and used a generic administrative password that was not changed after his termination to change other administrative passwords and lock out the specific individuals who had a direct role in his termination.

I built it so it's my network to control...

A fourth incident involved an insider who had built the organisation's network, which provided critical systems to thousands of individuals. The insider was the only one who knew the passwords and refused to provide them to any new administrators, which led to a dispute between the insider and the employer. Additionally, this insider had set the network up to fail if anyone attempted to reset it without the proper passwords, effectively preventing anyone from working towards resolving the issue.

My boss wouldn't listen, I had a point to prove...

Two additional incidents involving insiders copying data stemmed from disagreements with their managers over possible security issues and the insiders' attempts to address them. In both cases, the insider complained and made suggestions to correct security vulnerabilities and improve the company's policies. The suggestions were not accepted, and the insiders became disgruntled. Both decided to prove their point by exploiting the vulnerabilities themselves, in each case cracking more than 30 user passwords. One insider reported his work to his manager, while the other used the passwords to gain access to other systems.

So who do you trust, people, technology or process...

The technology being used in today's businesses is more powerful than ever. Tools and systems are helping to increase productivity and drive digital transformation. But this increased visibility of IT and its key part in the business now puts it under greater scrutiny, especially when it comes to trusting those with access to what is now critical infrastructure.

The ticking time bomb...

A layoff can come as a complete surprise to an employee, and it can hit at a difficult time in that person's life. While you might expect a little venting, it can cross a line. Add to that mix a dedicated employee who has held extensive super-admin privileges for years, with remote access, and you could be sitting on a ticking time bomb.


The Wallix AdminBastion (WAB) Suite was designed to prevent such incidents. It establishes pervasive, sustainable Privileged Access Management across the IT environment no matter how much that environment changes over time. WAB Suite is able to easily span both cloud and on-premises system deployments. Its single gateway has single sign-on for access by system admins. With this capability, the IT department can define and enforce access policies for admins and employees across the globe.

Furthermore, today’s rapid change and uncertainty favours WALLIX’s unique agent-less architecture. Most other Privileged Access Management solutions require a software agent to be installed and maintained on each target system, which makes those systems much less flexible and much more costly to maintain. This Privileged Access Management “tax” becomes especially painful during a time of rapid change. Oftentimes, it results in the Privileged Access Management system being shunted aside in the name of expediency. This creates a huge, and enduring, risk.

In contrast to traditional Privileged Access Management architectures, WAB Suite is light. It sets up rapidly no matter the system and doesn’t require complex maintenance or agent-updates as underlying systems evolve. With WALLIX, you don’t have to choose between getting work done rapidly or ensuring security compliance by keeping privileged access management in place across all systems.



Topics: Preventing Insider Threat

