Tag Archives: Insider threat

Is Your Data Walking Out With Your Ex-Employees?

As Americans are quitting their jobs in record numbers this year, is your data going with them?

The exodus is being called the great resignation. We (the U.S.) set new monthly records for the number of workers leaving their jobs three times this year. In September, over 4 million workers quit their jobs.

If you have intellectual property, customer data and partner information, it is likely going out with those exiting employees.

A study by Tessian says that 45 percent of ex-employees ADMIT to downloading, saving or sending work data out of the network before leaving their job. That only represents those who admit to doing it.

Why are they doing this?

Possibly they feel like they own intellectual property that they created.

They may think it will help them in their new job or new start-up company.

Maybe they are disgruntled and want to do harm.

In the worst case, they may be cybercriminals-for-hire who infiltrate organizations with the intention of stealing data.

Maybe your strategy up till now was to hope that nothing important was lost or stolen. Probably not the best strategy.

Waiting until after the employee leaves to examine their computer is also not a great strategy.

Before you start looking for insider activity, figure what you want to do and what you need to communicate to employees.

If you want to be successful, you need to start weeks before the employee leaves.

In fact, many companies have an ongoing data loss prevention program. That is probably the optimal way to handle this because the smart employee will steal whatever he or she plans to take long before he or she tells you they are quitting.

There are tools that will tell you about data in email, data sent to personal cloud servers (like Dropbox) and different tools that can detect files copied to USB drives.
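One way to turn that kind of monitoring into a concrete check, as an added example that is not from the original post: the script below scores constructed DLP-style events for the three channels just named (outbound email, personal cloud uploads, copies to USB drives) and totals the suspicious volume per user, so a quiet exodus of data shows up before anyone hands in a notice. The corporate mail domain, the personal-cloud domain list and every event are assumed or constructed.

```python
from collections import defaultdict

MB = 1024 * 1024
CORP_DOMAIN = "example.com"                      # assumed corporate mail domain
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Constructed sample events from a DLP/endpoint agent: (user, channel, destination, bytes).
# "destination" is a mail domain, an upload host, or a drive letter for USB copies.
EVENTS = [
    ("alice", "email", "partner.example.org", 2 * MB),
    ("alice", "cloud", "dropbox.com", 800 * MB),
    ("alice", "usb", "E:", 1200 * MB),
    ("bob", "email", "example.com", 5 * MB),
    ("bob", "cloud", "sharepoint.example.com", 40 * MB),
    ("alice", "email", "gmail.com", 150 * MB),
]

def is_external_email(dest):
    """True when mail goes to a domain other than the company's own."""
    return not (dest == CORP_DOMAIN or dest.endswith("." + CORP_DOMAIN))

def score_event(channel, dest, size):
    """Return the reasons one event looks like data walking out (empty if benign)."""
    reasons = []
    if channel == "cloud" and dest in PERSONAL_CLOUD:
        reasons.append("personal cloud upload")
    if channel == "usb":
        reasons.append("copy to removable drive")
    if channel == "email" and is_external_email(dest) and size >= 100 * MB:
        reasons.append("large external email attachment")
    return reasons

def flag_users(events, threshold=500 * MB):
    """Total the suspicious bytes per user and report those over the threshold."""
    totals = defaultdict(int)
    reasons = defaultdict(set)
    for user, channel, dest, size in events:
        hits = score_event(channel, dest, size)
        if hits:
            totals[user] += size
            reasons[user].update(hits)
    return {u: {"bytes": totals[u], "reasons": sorted(reasons[u])}
            for u in totals if totals[u] >= threshold}

if __name__ == "__main__":
    for user, info in flag_users(EVENTS).items():
        print(f"{user}: {info['bytes'] // MB} MB via {', '.join(info['reasons'])}")
```

The threshold and the 100 MB attachment cutoff are starting points; in practice they are tuned against each user's own history so that a sudden jump stands out.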

Assuming that you see that an employee is stealing data, what is your plan?

Some employees may not know that downloading company data is a crime.

In the worst case scenario, a lawsuit may be required.

The first thing to do is to scope out the issues and decide what you want to try and do.

For more information, see this Help Net Security article.

Controlling Insider Threats

There are two flavors of insider threats.

#1 is Edward Snowden. Skilled. Motivated. On a mission. Understands that there will be collateral damage. Knows that he or she is breaking the rules. Sometimes it is national security. Other times it is industrial espionage. Still other times it is pure curiosity. Often, but not always (sneaking a peek at a celeb’s medical records out of nosiness is one exception), money changes hands.

#2 is your average employee. Trying hard to do his or her job. Is a human being. Human beings make mistakes. No money. No evil intent. Just being human.

I don’t have any stats, but I bet for every #1, there are a couple hundred #2s – or more.

Let’s assume that there are a lot more cases of benign insider threat than malicious insider threat, but no matter the intent, the threat is real.

So what can you do?

Here are 5 tips.

#1 – Require cybersecurity awareness training, AKA anti-phishing training, for everyone, from the lowest paid employee to the CEO. All it takes is one of them to click on the wrong thing and you are in a full-blown ransomware incident.

#2 – Avoid public WiFi. I know it is convenient and it is just to do this one thing, but it is far from secure. If you have to use public WiFi then at least use a SECURE VPN.

#3 – Enhance endpoint protection. Endpoints, AKA your users’ phones, tablets, laptops, desktop computers and home whatever, are THE weak link in the chain. Enhance that and you will reduce overall risk. And it isn’t just company laptops. It is all endpoints.

#4 – Really stay on top of patches. The golden rule is 24/72. This means patch within 24 hours any zero day exploit that is under attack and 72 hours for everything else. Just this month we saw a Microsoft patch that was released late last week (netlogon), that the feds ordered all executive branch agencies to patch within 24 hours (by Monday night) and yesterday Microsoft said the bug is being exploited in the wild. This means patching your operating system and all applications. Even the ones that you don’t use. They are still an attack vector. And this includes employee owned phones — and deal with the ones that are no longer being patched by the vendor/carrier.

#5 – Proactively manage remote desktop/remote control tools. We are seeing multiple nation-state attacks that are going after remote access solutions. RDP. VPN. Remote control. They are an easy attack vector and we know for a fact that they are being actively exploited by hackers.

While these seem simple, doing them right is hard. If you need help, contact us. Credit: SC Magazine

Cisco Learned About the Insider Threat Problem – the Hard Way

I talk a lot about the insider threat problem because it is prevalent and hard to stop.

Cisco learned about that the hard way.

Sudhish Kasaba Ramesh resigned from Cisco in April 2018. OK, good, time to move on.

FIVE MONTHS LATER, he accessed Cisco’s infrastructure at Amazon and deployed code that shut down 16,000 Webex accounts and deleted 456 virtual machines. He did this via Google’s cloud infrastructure.

Cisco spent over $2,000,000 in customer refunds and labor to fix the problem. While $2 million is a lot to you and me, it is merely embarrassing to Cisco.

Some customers were down for several weeks as a result of the attack.

Sudhish pleaded guilty and was released on bond. He is scheduled to be sentenced in December. He faces a maximum of 5 years in the slammer and a $250,000 fine. Since he is here on one of those visas that companies like Cisco use to give American jobs to foreigners to save money, he could also be deported (in case you wondered where I stand on those visa programs, that should be clear 🙂 ).

In this case, the former employee could have likely done a lot more damage than he did. He was, for whatever reason, upset with Cisco and decided to take it out on them. What if, instead of deleting 456 virtual machines, he had deleted 10,000 VMs or 50,000 VMs? Or instead of deleting 16,000 accounts he had deleted 16,000,000 accounts? He was merely toying with Cisco.

On the other hand, how come he was able to login at all?

And why did it take Cisco two weeks to recover? What happened to their disaster recovery solution?

This does point out that it is hard to secure your infrastructure when an I.T. person leaves if you have not designed your security to take that into consideration.

I am sure (I hope) that Cisco has improved both their security and their disaster recovery since then.

But could a disgruntled ex-employee do this to you? I am sure Cisco didn’t think so. Credit: Bleeping Computer
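The two questions above (why could he log in at all, and why did it take so long to notice) come down to offboarding checks that can be automated. The script below is an added example, not Cisco’s code or tooling: it reconciles a constructed HR separation list against an identity inventory to find accounts still enabled after someone’s last day, and scans a constructed access log for any use of a departed account after that day. All account names, systems, dates and log lines are invented.

```python
from datetime import date, datetime

# Constructed HR separation feed: account -> last working day.
SEPARATIONS = {"alice": date(2018, 4, 30), "bob": date(2018, 6, 15)}

# Constructed identity inventory: account -> systems where it is still enabled.
ACTIVE_ACCOUNTS = {
    "alice": {"cloud:prod-admin", "vpn"},   # left in April, never disabled
    "bob": set(),                           # left in June, correctly offboarded
    "carol": {"cloud:prod-admin"},          # current employee
}

# Constructed access log: "date time account system action".
ACCESS_LOG = """\
2018-06-16 08:00:00 bob vpn connect
2018-09-24 10:02:11 alice cloud:prod-admin DeleteInstances
2018-09-24 10:05:00 carol cloud:prod-admin DescribeInstances
"""

AS_OF = date(2018, 9, 24)   # the day the review is run (constructed)

def parse_log(text):
    """Yield (timestamp, account, system, action) from the log lines."""
    for line in text.splitlines():
        day, clock, account, system, action = line.split()
        yield datetime.fromisoformat(f"{day}T{clock}"), account, system, action

def stale_accounts(separations, active, as_of):
    """Accounts still enabled for people whose last working day has passed."""
    return {acct: sorted(systems) for acct, systems in active.items()
            if acct in separations and separations[acct] < as_of and systems}

def post_departure_access(separations, log_text):
    """Events by a departed account after its last working day, with the gap in days."""
    hits = []
    for ts, acct, system, action in parse_log(log_text):
        last_day = separations.get(acct)
        if last_day and ts.date() > last_day:
            hits.append((acct, system, action, (ts.date() - last_day).days))
    return hits

if __name__ == "__main__":
    print("still enabled:", stale_accounts(SEPARATIONS, ACTIVE_ACCOUNTS, AS_OF))
    for acct, system, action, days in post_departure_access(SEPARATIONS, ACCESS_LOG):
        print(f"{acct} used {system} ({action}) {days} days after leaving")
```

The log check matters even when the inventory is clean: bob’s account was eventually disabled, but the log still shows it being used the day after he left.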

Security News for the Week Ending August 28, 2020

Ransomware is an Equal Opportunity Business

As American businesses deal with ever increasing ransomware attacks, larger ransom demands and ransom and extortion wrapped up together, we are not alone. Not that the fact that we are not alone should make us feel better. A new Iranian hacker group is using Dharma ransomware to go after businesses in Russia, Japan, China and India. According to the researchers who discovered this, the hackers aren’t apparently quite sure what to do once they get in. Credit: Group-IB

New Zealand Stock Exchange Attacked

The New Zealand stock exchange was down for the third time in two attacks after hackers attacked with a volumetric attack (I think that is a fancy word for big). Basically, they crushed the exchange’s servers with a lot of useless data. You have to assume that a stock exchange has a lot of security in place and has certainly considered that someone might want to use it to make a point, so the fact that they went down three times and then halted trading says that (a) they made their point and (b) the exchange’s preparations were not sufficient. Do you care if your online systems are taken down by hackers? Are you prepared in case they try? Credit: News.com

Insider Threat Is a Real Problem

A Russian national inside the U.S. offered to pay an employee of an unnamed company $500,000 to plant malware in the company’s network. When the employee didn’t go for the plan, the Russian upped the offer to a million dollars. The Russian told him that the company would pay millions to not have their data posted on the web. The employee, instead, went to the FBI and the Russian national is now in custody. Credit: Security Week

UPDATE: It turns out the unidentified company is Tesla.

Homeland Security Releases 5G Strategy

Homeland Security’s CISA released a strategy document for the migration of the country to 5G. While those trying to sell 5G gear are pretending that the country is ready for 5G, the reality is that 5G that lives up to the 5G hype is years away except for small pockets.

The strategy document calls for 5G policy and standards emphasizing security and resilience, expanding awareness of 5G supply chain risk (code for beware of HUAWEI and China), encouraging other companies to get into the 5G game and identifying risk based on potential 5G uses.

All of this is good, but unless this is more than a press release, it will not make any difference. Credit: SC Magazine

Security News for the Week Ending May 1, 2020

China, Korea, Vietnam Escalate Hacking During Covid-19 Outbreak

The Trump administration is calling out China for hacking our hospitals and research facilities who are looking for cures and vaccines for Covid-19. That should not be much of a surprise since China has always opted for stealing solutions vs. figuring them out themselves. At least at this point, the U.S. is not doing anything about this theft. Credit: CNN

At the same time, Vietnam is hacking at China’s Ministry of Emergency Management and the Wuhan government, probably trying to do the same thing and also steal information on their neighbor’s lies about their death toll. Credit: Reuters

Finally, South Korea’s Dark Hotel government hacking group is hacking at China, using 5 zero-day vulnerabilities in one attack. 5 is a massive arsenal to use in one attack, since zero-days are hard to find (or at least we think they are. Since they are unknown until they get used or announced, we don’t really know). Reports are that the group has compromised 200+ VPN servers in an effort to infiltrate the Chinese government and other Chinese institutions. Credit: Cyberscoop

Bottom line, it is business as usual, with everyone hacking everyone they can.

Israel Thwarts Major Coordinated Cyber-Attack on its Water Infrastructure

Israel says that they have reports on coordinated attacks on their wastewater, pumping and sewage infrastructure.

The response was to tell companies to take their systems off the Internet as much as possible, change passwords and update software. All good things to do but disconnecting from the Internet likely makes companies unable to operate, since most plants run “lights out” – with no onsite staff.

The attacks took place on Friday and Saturday – during the Jewish Sabbath, when the fewest people would be around to detect and respond. Credit: The Algemeiner

Surveillance Company Employee Used Company’s Tool to Hack Love Interest

An employee of hacking tool vendor NSO Group, who was working on site at a customer location, broke into the office of the customer and aimed the software at a “love interest”.

While vendors like to claim that they are righteous and above reproach, the reality is that they have little control over what employees do. Even the NSA seems to have trouble with reports of their analysts sharing salacious images that they come across.

In fact, the “insider threat” problem, as it is referred to, is a really difficult problem to solve. In this case, the employee set off an alarm when he broke into the office where the authorized computer was located and was caught and fired. Most do not get caught. Credit: Vice

Over 1,000 Public Companies List Ransomware as Risk

In case you had any doubt about the risk that ransomware represents, over 1,000 publicly traded companies list ransomware as a risk to future earnings in their 10K, 10Q and other SEC filings. Companies only have to list items that have the potential to be material to earnings, so it is usually a relatively short list. Four months into 2020, 700 companies have already put ransomware on that short list. Credit: ZDNet

Nearly 3 in 5 Americans Don’t Trust Apple-Google Covid Tracking Tech

The authorities want to track the contacts of anyone who tests positive for Covid-19. The way they want to do this is by getting everyone to install an app on their smartphone. 1 in 6 (16%) Americans don’t even have a smartphone. For the high risk group, those over 65, only 50% have smartphones and for those over 75, it is even less.

Resistance is higher among Republicans and those that think they are at lower risk. Only 17% of all smartphone owners said they would Definitely use it.

The main reason for resistance is that people don’t trust Apple, Google and others to keep their data private. Even if the tech companies wanted to keep it private, the government could demand that they hand it over. Credit: Washington Post

Why An Insider Threat Detection Program is Critical

Adams County, Wisconsin is now facing a crisis of confidence and likely some lawsuits as well.
On March 28, 2018, the county says, it uncovered “questionable activity” on county computer systems.

Three months later, in late June, their investigation was complete.

The result: 258,120 people had their data illegally accessed.

Data included protected health information and tax information.

How did this happen?  Someone installed illicit software on some workstations (key logger software) to capture userids and passwords.  The key logging software was disabled when it was discovered in March.

They say that there is no indication that the information was used for identity theft.  At this point they are not offering people credit monitoring.  Since there is no indication of a problem, they are telling people that they should, using their own time and effort, register a fraud alert at the credit bureaus.

So who perpetrated this dastardly deed?

According to search warrants filed earlier this month, they are investigating the computer of Adams County Clerk Cindy Phillippi.

Well, you say, the filing of a search warrant does not mean it is true.

Sure enough – accurate.

But apparently the county is convinced enough that the personnel director has asked the Adams County Board to hear charges against Phillippi and requested that she be removed from her elected office.

Apparently, she allegedly installed key logger software on nearly all of the county’s computers because she wanted to investigate a county department head that she believed was using his county computer to access pornography.  Clearly she was not a computer expert.

Maybe in Wisconsin the county clerk is considered a law enforcement investigator.  Unusual, but who knows?

Now the county is going to spend tens of thousands of dollars reporting the breach to those affected, state and federal regulators, Health and Human Services and others.

The worst part – the software was installed on or around January 1, 2013 – MORE THAN FIVE YEARS AGO.

Way to go Wisconsin!

So what does this mean to you and me?

First, if you are a resident or employee of Adams County Wisconsin, it means that a nosy clerk probably accessed your data.

But, since most of us do not live in Adams County, that is likely not a concern for most of us.

This is a perfect example of an insider threat.  A person, in a position of trust, used that trust to do something (all right, allegedly, but I think she basically copped to it) that will cost her her job, could land her in prison, will likely subject the county to lawsuits, will cost the county tens of thousands of dollars and cause 250,000 people some consternation.

An insider threat program should detect this kind of activity.  Unless she was using stolen credentials, it should detect that she (or someone), without authorization, installed software, was connecting to computers that she (or someone) should not have, was collecting large quantities of data and other unusual activities.
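A minimal rule set for the first two of those signals, as an added example and not the county’s tooling: it runs over constructed endpoint events and reports software installs by accounts whose role is not allowed to install anything (or unapproved packages installed by admins), and accounts that log on to more distinct machines than their role should ever need. The role model, allowlist, account names, hostnames and package names are all assumed.

```python
from collections import defaultdict

# Constructed role model: which roles may install software, how many distinct
# hosts an account of each role is expected to touch, and who holds which role.
INSTALLERS = {"it-admin"}
HOST_LIMIT = {"clerk": 2, "it-admin": 500}
ROLES = {"clerk01": "clerk", "itadm": "it-admin"}
APPROVED_PACKAGES = {"office-suite", "pdf-reader", "edr-agent"}

# Constructed endpoint events: (kind, account, host, detail). "detail" is the
# package name for installs and empty for logons.
EVENTS = [
    ("logon", "clerk01", "ws-clerk", ""),
    ("install", "clerk01", "ws-clerk", "keycapture-pro"),
    ("logon", "clerk01", "ws-treasurer", ""),
    ("install", "clerk01", "ws-treasurer", "keycapture-pro"),
    ("logon", "clerk01", "ws-health-01", ""),
    ("install", "clerk01", "ws-health-01", "keycapture-pro"),
    ("logon", "itadm", "ws-health-01", ""),
    ("install", "itadm", "ws-health-01", "edr-agent"),
]

def evaluate(events):
    """Return {account: [finding, ...]} for accounts that trip a rule."""
    findings = defaultdict(list)
    hosts_seen = defaultdict(set)
    for kind, account, host, detail in events:
        role = ROLES.get(account, "unknown")
        if kind == "install":
            if role not in INSTALLERS:
                findings[account].append(f"unauthorized install of {detail} on {host}")
            elif detail not in APPROVED_PACKAGES:
                findings[account].append(f"unapproved package {detail} on {host}")
        elif kind == "logon":
            hosts_seen[account].add(host)
    for account, hosts in hosts_seen.items():
        limit = HOST_LIMIT.get(ROLES.get(account, "unknown"), 1)  # unknown role: 1 host
        if len(hosts) > limit:
            findings[account].append(
                f"logged on to {len(hosts)} hosts, role allows {limit}")
    return dict(findings)

if __name__ == "__main__":
    for account, items in evaluate(EVENTS).items():
        print(account, "->", "; ".join(items))
```

Either rule alone would have fired on the first workstation in this scenario; the point is that both are cheap to evaluate continuously, which is what closes a five-year detection gap.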

It is also not clear why it took over five years to detect this problem.

This small county (population 20,148) is going to have a potentially large budget issue – assuming they don’t have insurance and most do not – because of not dealing with the insider threat.

Source: Data Breach Today