Tag Archives: Insider threat

Controlling Insider Threats

There are two flavors of insider threats.

#1 is Edward Snowden. Skilled. Motivated. On a mission. Understands that there will be collateral damage. Knows that he or she is breaking the rules. Sometimes it is national security. Other times it is industrial espionage. Still other times it is pure curiosity (such as sneaking a peek at a celebrity’s medical records out of nosiness). Often, but not always, money changes hands.

#2 is your average employee. Trying hard to do his or her job. Is a human being. Human beings make mistakes. No money. No evil intent. Just being human.

I don’t have any stats, but I bet for every #1, there are a couple hundred #2s – or more.

Let’s assume that there are a lot more cases of benign insider threat than malicious insider threat, but no matter the intent, the threat is real.

So what can you do?

Here are 5 tips.

#1 – Require cybersecurity awareness training, AKA anti-phishing training, of everyone, from the lowest paid employee to the CEO. All it takes is one of them clicking on the wrong thing and you are in a full-blown ransomware incident.

#2 – Avoid public WiFi. I know it is convenient and it is just for this one thing, but it is far from secure. If you have to use public WiFi then at least use a SECURE VPN.

#3 – Enhance endpoint protection. Endpoints, AKA your users’ phones, tablets, laptops, desktop computers and home whatever, are THE weak link in the chain. Enhance that and you will reduce overall risk. And it isn’t just company laptops. It is all endpoints.

#4 – Really stay on top of patches. The golden rule is 24/72. This means patch within 24 hours any vulnerability that is under active attack and within 72 hours for everything else. Just this month we saw a Microsoft patch (netlogon) that, late last week, the feds ordered all executive branch agencies to apply within 24 hours (by Monday night), and yesterday Microsoft said the bug is being exploited in the wild. This means patching your operating system and all applications. Even the ones that you don’t use. They are still an attack vector. And this includes employee owned phones — and deal with the ones that are no longer being patched by the vendor/carrier.

#5 – Proactively manage remote desktop/remote control tools. We are seeing multiple nation-state attacks going after remote access solutions: RDP, VPN and remote control software. They are an easy attack vector and we know for a fact that they are being actively exploited by hackers.

While these seem simple, doing them right is hard. If you need help, contact us. Credit: SC Magazine

Cisco Learned About the Insider Threat Problem – the Hard Way

I talk a lot about the insider threat problem because it is prevalent and hard to stop.

Cisco learned about that the hard way.

Sudhish Kasaba Ramesh resigned from Cisco in April 2018. OK, good, time to move on.

FIVE MONTHS LATER, he accessed Cisco’s infrastructure at Amazon and deployed code that shut down 16,000 Webex accounts and deleted 456 virtual machines. He did this via Google’s cloud infrastructure.

Cisco spent over $2,000,000 in customer refunds and labor to fix the problem. While $2 million is a lot to you and me, it is merely embarrassing to Cisco.

Some customers were down for up to two weeks as a result of the attack.

Sudhish pleaded guilty and was released on bond. He is scheduled to be sentenced in December. He faces a maximum of 5 years in the slammer and a $250,000 fine. Since he is here on one of those visas that companies like Cisco use to give American jobs to foreigners to save money, he could also be deported (in case you wondered where I stand on those visa programs, that should be clear 🙂 ).

In this case, the former employee could likely have done a lot more damage than he did. He was, for whatever reason, upset with Cisco and decided to take it out on them. What if, instead of deleting 456 virtual machines, he had deleted 10,000 VMs or 50,000 VMs? Or instead of deleting 16,000 accounts he had deleted 16,000,000 accounts? He was merely toying with Cisco.

On the other hand, how come he was able to log in at all, five months after he left?

And why did it take Cisco two weeks to recover? What happened to their disaster recovery solution?

This does point out that it is hard to secure your infrastructure when an I.T. person leaves if you have not designed your security to take that into consideration.

I am sure (I hope) that Cisco has improved both their security and their disaster recovery since then.

But could a disgruntled ex-employee do this to you? I am sure Cisco didn’t think so. Credit: Bleeping Computer
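The question of how he could log in at all five months after resigning is, in practice, an offboarding and credential-lifecycle question. What follows is an added example (mine, not Cisco’s tooling or anything from the Bleeping Computer report) of the kind of audit that turns a departure list plus a cloud IAM credential report into an actionable list: credentials used after departure (that is an incident, not a cleanup item), credentials still active after departure, service-account keys minted by the departed person (who may still hold a copy), and dormant keys belonging to current staff. The inventory, user names, key IDs, dates and thresholds are all constructed for illustration; the field layout assumes the usual credential-report columns (owner, kind, active flag, creator, last use).

```python
"""Offboarding audit over a credential inventory (added example, not Cisco's code).

All names, IDs and dates below are constructed; the columns mimic a cloud IAM
credential report (owner, kind, active flag, who created it, last use).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Credential:
    cred_id: str
    owner: str                      # principal the credential authenticates as
    kind: str                       # console | access_key | ssh_key | sa_key | vpn_cert
    active: bool
    created_by: str                 # human who minted it; matters for service accounts
    last_used: Optional[datetime]   # None means never used


@dataclass
class Finding:
    cred_id: str
    owner: str
    severity: str                   # critical | high | medium
    action: str


def ts(s: Optional[str]) -> Optional[datetime]:
    """ISO-8601 UTC timestamp to an aware datetime (None stays None)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc) if s else None


# Constructed data: "jdoe" resigned at the end of April; "asmith" is still employed.
DEPARTURES: Dict[str, datetime] = {"jdoe": ts("2018-04-30T00:00:00")}

INVENTORY: List[Credential] = [
    Credential("console-jdoe", "jdoe", "console", True, "jdoe", ts("2018-09-24T11:02:00")),
    Credential("AKIA-EXAMPLE-1", "jdoe", "access_key", True, "jdoe", ts("2018-04-20T09:00:00")),
    # service-account key minted by the departed engineer; automation still uses it daily
    Credential("sa-deploy-key-7", "svc-deploy", "sa_key", True, "jdoe", ts("2018-09-24T11:05:00")),
    Credential("AKIA-EXAMPLE-2", "asmith", "access_key", True, "asmith", ts("2018-09-20T08:00:00")),
    Credential("AKIA-EXAMPLE-3", "asmith", "access_key", True, "asmith", ts("2018-01-05T08:00:00")),
]


def audit(inventory: List[Credential], departures: Dict[str, datetime], now: datetime,
          dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return findings sorted by severity (stable, so inventory order is kept within a tier)."""
    findings: List[Finding] = []
    for c in inventory:
        left = departures.get(c.owner)
        if left is not None:
            # any use after the departure date is an incident, whether or not the
            # credential has since been disabled
            if c.last_used is not None and c.last_used > left:
                findings.append(Finding(c.cred_id, c.owner, "critical",
                    f"used {(c.last_used - left).days} days after departure; "
                    "open an incident, then revoke"))
            elif c.active:
                findings.append(Finding(c.cred_id, c.owner, "high",
                    f"still active {(now - left).days} days after departure; revoke"))
            continue
        # owned by a live principal, but the secret was minted by someone who has left
        if c.active and c.created_by in departures:
            findings.append(Finding(c.cred_id, c.owner, "high",
                f"minted by departed user {c.created_by}; rotate, they may hold a copy"))
            continue
        # plain hygiene: long-unused credentials of current staff widen the blast radius
        if c.active and (c.last_used is None or now - c.last_used > dormant_after):
            findings.append(Finding(c.cred_id, c.owner, "medium",
                f"unused for more than {dormant_after.days} days; disable"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, DEPARTURES, ts("2018-09-28T00:00:00")):
        print(f"[{f.severity}] {f.cred_id} ({f.owner}): {f.action}")
```

The service-account rule is the one that the Cisco story argues for: revoking the person’s own login is not enough if they created keys for automation and could have kept a copy, so those get rotated rather than merely reviewed. Run this on the same schedule as the HR departure feed, not once a quarter.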

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever increasing ransomware attacks, larger ransom demands and ransom and extortion wrapped up together, we are not alone. Not that the fact that we are not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered this, the hackers apparently aren’t quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time in as many days after hackers hit it with a volumetric attack (a distributed denial of service that simply floods the target with more traffic than its connection can carry). Basically, they crushed the exchange’s servers with a lot of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that it went down three times and then halted trading says that (a) they made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered to pay an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for the plan, the Russian upped the offer to a million dollars. The Russian told him that the company would pay millions to not have their data posted on the web. The employee, instead, went to the FBI and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the migration of the country to 5G. While those trying to sell 5G gear are pretending that the country is ready for 5G, the reality is that 5G that lives up to the 5G hype is years away except for small pockets.

The strategy document calls for 5G policy and standards that emphasize security and resilience, expanding awareness of 5G supply chain risk (code for beware of HUAWEI and China), encouraging other companies to get into the 5G game and identifying risk based on potential 5G uses.

All of this is good, but unless this is more than a press release, it will not make any difference. Credit: SC Magazine

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking our hospitals and research facilities who are looking for cures and vaccines for Covid-19. That should not be much of a surprise since China has always opted for stealing solutions vs. figuring them out themselves. At least at this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also steal information on their neighbor’s lies about their death toll. Credit: Reuters

Finally, South Korea’s Dark Hotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in one attack. 5 is a massive arsenal to use in one attack, since zero-days are hard to find (or at least we think they are; since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says that it has reports of coordinated attacks on its wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do but disconnecting from the Internet likely makes companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath, when the fewest people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the customer’s office and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what employees do. Even the NSA seems to have trouble with reports of their analysts sharing salacious images that they come across.

In fact, the “insider threat” problem, as it is referred to, is a really difficult problem to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located, and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10K, 10Q and other SEC filings. Companies only have to list items that have the potential to be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already put ransomware on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. 1 in 6 (16%) Americans don’t even have a smartphone. For the high risk group, those over 65, only 50% have smartphones, and for those over 75 it is even less.

Resistance is higher among Republicans and those that think they are at lower risk. Only 17% of all smartphone owners said they would definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post

Why An Insider Threat Detection Program is Critical

Adams County, Wisconsin is now facing a crisis of confidence and likely some lawsuits as well.

Why?

On March 28, 2018, the county says, it uncovered “questionable activity” on county computer systems.

Three months later, in late June, their investigation was complete.

The result: 258,120 people had their data illegally accessed.

Data included protected health information and tax information.

How did this happen?  Someone installed illicit key logger software on some workstations to capture userids and passwords.  The key logging software was disabled when it was discovered in March.

They say that there is no indication that the information was used for identity theft.  At this point they are not offering people credit monitoring.  Since there is no indication of a problem, they are telling people that they should, using their own time and effort, register a fraud alert at the credit bureaus.

So who perpetrated this dastardly deed?

According to search warrants filed earlier this month, they are investigating the computer of Adams County Clerk Cindy Phillippi.

Well, you say, the filing of a search warrant does not mean it is true.

True enough.

But apparently the county is convinced enough that the personnel director has asked the Adams County Board to hear charges against Phillippi and requested that she be removed from her elected office.

She allegedly installed key logger software on nearly all of the county’s computers because she wanted to investigate a county department head who she believed was using his county computer to access pornography.  Clearly she was not a computer expert.

Maybe in Wisconsin the county clerk is considered a law enforcement investigator.  Unusual, but who knows?

Now the county is going to spend tens of thousands of dollars reporting the breach to those affected, state and federal regulators, Health and Human Services and others.

The worst part – the software was installed on or around January 1, 2013 – MORE THAN FIVE YEARS AGO.

Way to go Wisconsin!

So what does this mean to you and me?

First, if you are a resident or employee of Adams County Wisconsin, it means that a nosy clerk probably accessed your data.

But, since most of us do not live in Adams County, that is likely not a concern for most of us.

This is a perfect example of an insider threat.  A person, in a position of trust, used that trust to do something (all right, allegedly, but I think she basically copped to it) that will cost her her job, could land her in prison, will likely subject the county to lawsuits, will cost the county tens of thousands of dollars and cause 250,000 people some consternation.

An insider threat program should detect this kind of activity.  Even if she was using someone else’s credentials, it should detect that software was installed without authorization, that one workstation was connecting to computers it should not have, that large quantities of data were being collected, and other unusual activities.
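To make “should detect” concrete, here is an added example (mine, not Adams County’s systems or anything from the Data Breach Today report) of three detection rules run over constructed endpoint telemetry: a software install by an account outside the change-control allowlist, one actor reaching many distinct hosts in a short window (whether by installing the same package everywhere or by logging on remotely), and a host’s outbound data volume far above its own baseline. The log format, host names, the “clerk” account and every threshold are assumptions. The fan-out and egress rules are keyed on the source workstation rather than only on the username, which is why they still fire if the installer was using somebody else’s credentials.

```python
"""Three insider-activity detections over constructed endpoint telemetry.

Added example, not Adams County's code. The timestamp|kind|k=v|k=v lines stand in
for installer/process-creation events, remote logon events and per-host egress
counters; host names, the "clerk" account and all thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed sample: quiet egress for WS-003 over four days, then on 1 January the
# clerk account logs on to five workstations from WS-003 and drops the same package
# on each; a few hours later WS-003 uploads about 5 GB.
SAMPLE_LOG = """\
2012-12-20T09:00:00|egress|host=WS-003|bytes=120000000
2012-12-21T09:00:00|egress|host=WS-003|bytes=95000000
2012-12-27T09:00:00|egress|host=WS-003|bytes=130000000
2012-12-28T09:00:00|egress|host=WS-003|bytes=110000000
2013-01-01T17:58:00|install|host=WS-003|user=helpdesk|pkg=office-update.msi
2013-01-01T18:01:00|logon|src=WS-003|dst=WS-014|user=clerk
2013-01-01T18:02:11|install|host=WS-014|user=clerk|pkg=kl-agent.msi
2013-01-01T18:03:00|logon|src=WS-003|dst=WS-015|user=clerk
2013-01-01T18:04:30|install|host=WS-015|user=clerk|pkg=kl-agent.msi
2013-01-01T18:05:00|logon|src=WS-003|dst=WS-016|user=clerk
2013-01-01T18:06:12|install|host=WS-016|user=clerk|pkg=kl-agent.msi
2013-01-01T18:07:00|logon|src=WS-003|dst=WS-017|user=clerk
2013-01-01T18:08:40|install|host=WS-017|user=clerk|pkg=kl-agent.msi
2013-01-01T18:09:00|logon|src=WS-003|dst=WS-018|user=clerk
2013-01-01T18:10:05|install|host=WS-018|user=clerk|pkg=kl-agent.msi
2013-01-02T02:00:00|egress|host=WS-003|bytes=5200000000
"""

ALLOWED_INSTALLERS: Set[str] = {"helpdesk", "sccm-svc"}  # change-control allowlist
FANOUT_HOSTS = 5                       # distinct targets that count as fan-out
FANOUT_WINDOW = timedelta(minutes=30)
EGRESS_MULTIPLIER = 10                 # alert when egress > 10x the host's median
MIN_BASELINE = 3                       # samples needed before the egress rule is armed


@dataclass
class Alert:
    rule: str
    subject: str
    detail: str


def parse(log: str) -> List[dict]:
    """Parse the constructed line format into dicts, sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, kind, *fields = line.split("|")
        ev = {"ts": datetime.fromisoformat(stamp), "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict]) -> List[Alert]:
    alerts: List[Alert] = []

    # Rule 1: install by an account outside change control; one alert per (user, package).
    rogue: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        if e["kind"] == "install" and e["user"] not in ALLOWED_INSTALLERS:
            rogue[(e["user"], e["pkg"])].append(e["host"])
    for (user, pkg), hosts in rogue.items():
        alerts.append(Alert("unauthorized_install", user,
                            f"{pkg} on {len(hosts)} host(s): {', '.join(hosts)}"))

    # Rule 2: fan-out. One actor reaching FANOUT_HOSTS distinct targets inside FANOUT_WINDOW,
    # keyed on user+package for installs and on source host+user for remote logons.
    keyed = {
        "install": lambda e: ((e["user"], e["pkg"]), e["host"]),
        "logon": lambda e: ((e["src"], e["user"]), e["dst"]),
    }
    windows = defaultdict(deque)   # key -> sliding window of (timestamp, target)
    fired: Set[tuple] = set()
    for e in events:
        if e["kind"] not in keyed:
            continue
        key, target = keyed[e["kind"]](e)
        key = (e["kind"],) + key
        window = windows[key]
        window.append((e["ts"], target))
        while e["ts"] - window[0][0] > FANOUT_WINDOW:   # drop entries older than the window
            window.popleft()
        distinct = {t for _, t in window}
        if len(distinct) >= FANOUT_HOSTS and key not in fired:
            fired.add(key)
            alerts.append(Alert("fanout", " ".join(key[1:]),
                                f"{e['kind']} reached {len(distinct)} hosts within {FANOUT_WINDOW}"))

    # Rule 3: egress far above the host's own history (median of its earlier samples).
    history: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["kind"] != "egress":
            continue
        sent, hist = int(e["bytes"]), history[e["host"]]
        if len(hist) >= MIN_BASELINE and sent > EGRESS_MULTIPLIER * median(hist):
            alerts.append(Alert("egress_anomaly", e["host"],
                                f"{sent} bytes vs baseline median {int(median(hist))}"))
        hist.append(sent)
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

On the sample, all four alerts fire on the night of 1 January 2013, which is the point: the five-year gap in the Adams County case is not a hard detection problem, it is the absence of anyone collecting install, logon and egress telemetry and looking at it. The thresholds here are deliberately loose; in a real deployment you would tune FANOUT_HOSTS and the egress multiplier against a few weeks of your own baseline before paging anyone.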

It is also not clear why it took over five years to detect this problem.

This small county (population 20,148) is going to have a potentially large budget issue – assuming they don’t have insurance and most do not – because of not dealing with the insider threat.

Source: Data Breach Today


Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still, this does point out the risk of granting someone else proxy access to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive – but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people whose data was stolen).  This attack began in December 2017.  The hacker logged on in March and April 2018 as well, logged in again on June 22 and finally stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS 11.4.1

Apple has added USB Restricted Mode to the current release of iOS.  Restricted Mode locks down the Lightning port of an iPhone or iPad after the device has been locked for an hour, so that the port can only be used for charging, not data access.  It defaults to enabled, although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some researchers are saying that they have figured out a workaround (plugging in a Lightning accessory before the hour is up keeps the port from locking).  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from backups.  Other hospitals, which chose not to pay, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the MQ-9 Reaper, a $17 million military drone, for less than $200 on the dark web.  He got them by hacking an Air Force airman’s home Internet router, which was not patched for a known vulnerability.  It is likely that the airman was not involved, but it is not clear whether he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.