Insider, the two faces of the employee

Posted date 11/04/2017
Author
INCIBE (INCIBE)
Insider, the two faces of the employee

Many companies make the mistake of securing their perimeter assuming that attacks always originate outside of their networks. But intentional or unintended attacks may also originate due to different situations from the inside of the company itself. In this regard, it is important to differentiate between “insider” and internal threats.

An “insider” is someone who knows the company in depth because they used to work or currently works for it and, due to their current status concerning the company, this person is somehow seeking revenge. The “insider” can perform actions such as changing important credentials, using devices inappropriately, etc.

On the other hand, when we refer to an internal threat we are talking about credentials and systems being compromised by an external entity. In this case, an employee who doesn't belong to our company, but who has access to it for some reason –a subcontractor employee, maintenance personnel, etc.– performs actions that could be harmful, such as introducing malware inside our network, changing credentials without the proper authorisation, etc.

These actions performed by unhappy employees or internal threats may be motivated by:

  • Money: The attacker is motivated by the possibility of obtaining a sum of money for the actions they intend to perform.
  • Industrial espionage: The actions performed may be motivated by a competitor with the aim of obtaining inside information on their processes.
  • Revenge: In this case, discontent is usually the main motivation. A dismissal in which the 2 parties disagree or issues with colleagues may motivate an ex-employee to perform harmful actions for the dismissing company. The ex-employee is not seeking economic profits or favouring other companies, they just want things to stop going well for the dismissing company.
  • Distraction: An internal threat may originate as a distraction to perform other malicious actions and thus preventing the main objective of the operation from being revealed.
  • Ignorance: An employee may allow public access to certain services that should be private or may perform actions without clear knowledge of their effects.

two faces

Detection and protection against these threats

Given the nature of these threats, detection may be difficult since companies can seldom anticipate attacks from within their own systems. Video surveillance is not allowed in many facilities. How can we anticipate this type of attack or protect ourselves from it? We cannot protect ourselves one hundred per cent, but we can implement measures to avoid them. Based on controls set out in standards such as Standard ISO 27001, the following guidelines or good practices can be applied to detect and protect our company from a possible “insider”.

Detection

  • Use of Software for the detection of network anomalies. Monitoring users is not a good practice. However, monitoring the network in which they work can allow to detect suspicious connection attempts.
  • Satisfaction Surveys. The conduction of this type of survey may help identify those employees who are not satisfied in the company allowing to improve their situation or, at least, to talk to them about the problem they may have.
  • Asset Inventory. A duly updated asset inventory provides a greater control over the company assets and improves the early detection of thefts and losses.

Protection

  • Use of Antivirus and Whitelists. These measures prevent the execution of malware and the installation of software that should not be present in certain devices.
  • Users and Role Management. The monitoring of users is very important since, when a person is dismissed, the cancellation of their company profile will present access to systems. Likewise, a proper role management prevent users from accessing certain sections of the system and from performing certain actions without control. The principle of least privilege may be applied here; employees may be provided only those basic principles they need in order to perform their tasks based on their position within the company and on their duties.
  • Firewalls and Proxy Browsers. In order to avoid irregular connections originated within towards external sources (unusual Internet browsing, use of unauthorised ports, etc.), the use of firewalls with browsing filters or proxies (reverse proxy) will prevent users from performing certain actions.
  • Use of DLP (Data Leak/Loss Prevention) and UAM (User Activity Monitoring). In order to avoid data loss and unauthorised access activities to not permitted sites by users through a proxy browser. As in the case with the previous instance, these measures will serve as protection against irregular activities and data leak attempts.

Real Cases

One of the most famous cases about unhappy employees took place in Maroochy segawe treatment plant, in Australia. In this case, the unhappy employee used a laptop provided with the necessary control software and a radio modem. He accessed the system by connecting the computer to the pumping system of the plant without being detected. This intrusion resulted in countless litres of waste water spilled in rivers and parks, as well as the loss of reputation of the company in charge of managing the sewage system. The employee was sentenced to 2 years' imprisonment for illegal access to the sewage management system of the County, something he did because he was dismissed from the company he worked for.

Lessons learned

A duly updated asset inventory containing the relevant information of the current devices, the cancellation of system users when the labour relationship is terminated, a review of the permits when transferring to different departments and a proper monitoring of radio communications are some measures that could have helped prevent this problem at the Maroochy sewage treatment plant.

 

Another case, more recent this time (February 2017), took place at the Georgia Pacific paper mill in Louisiana, where an employee was sentenced to 34 months' imprisonment for tampering the computer system of the company after his dismissal, caused losses amounting to 1.1 million dollars due to several system failures and production delays. This former employee had a wide knowledge of the current systems of the production plant; he had worked for 15 years writing the code for the paper machines. Even though the economic loss was high, it could have been worse: the employee could have manipulated the paper production process, originating different impacts such as the manufacturing of a defective product, equipment failure or environmental problems caused by spills of toxic materials.

Lessons learned

Monitoring external communication to the company systems by firewalls and prover VPN setting associated to each employee to control who enters the system. In addition, the cancellation of user accounts when the job contract is terminated or when transferring to other department would have been sufficient to avoid the attack. In this case, the periodic credential change in the devices could have not mitigated the attack, since it was carried out immediately after being fired and not after some time.