The most dangerous person to your network security may be sitting in the next cubicle, or working for a trusted vendor. This is called the Insider Threat. It is more likely that your computer incident will come from the inside of your organization than from a cyber-criminal gang in the Russian Federation. A couple of email newsletters dropped into my inbox with new examples of insiders who became threats.
IT Support Company Personnel
An information technology support company employee, Scott Burns, recently pleaded guilty to accessing the email account of a client company's CEO. For a three-week period in January 2018 he lived in the CEO's mailbox. What information he was looking for, and his overall objective in this breach, have not been revealed. He was caught when he inadvertently accessed the mailbox from one of his own accounts instead of a spoofed account. Since most IT support providers have administrative access to their clients' networks, a crime like this is hard to prevent. I really hate to bring this example up, because my company provides computer support services to other small businesses.
Payment Processor Company – Starts Legal But Turns to the Dark Side
In this case, Gareth Long ran a legitimate third-party payment processing company for years, and amassed personal information on thousands of individuals. At some point, he decided it was more profitable to send in bogus payments that were directed into accounts he controlled, to the tune of $11 million.
Capital One and 11 Other Companies Breached by Web Service Employee
Then there is the case we reported earlier about Paige Thompson, who used the hacker alias “erratic.” She was a former employee of Amazon Web Services who stole customer data from Capital One and eleven other companies.
Foreign-born IT workers
Hate to appear xenophobic (I'm not), but this case should make you take another look at foreign and H-1B employees.
Ali Alzabarah, a 35-year-old citizen of Saudi Arabia, earned computer science degrees in the U.S. and lived in the Bay Area while working as a reliability engineer at Twitter. Alzabarah wrote to a Saudi government official that his greatest achievement was not his career, it was being an insider threat—a rogue Twitter employee—on behalf of the Saudi government.
The FBI found communications with Saudi officials during a search of his Apple account. This information and the story about Twitter's insider threat case are based on an indictment of three men in U.S. District Court. Two of those men were Twitter employees, and each of them is charged with acting as an illegal agent of a foreign government.
Business Email Compromise
Last week we reported about three organizations that fell for fraudulent invoices that were emailed from trusted but compromised email accounts of legitimate vendors.
Trusted Vendor’s Stolen Credentials
The Target Christmas breach started with the stolen network credentials of an HVAC vendor, and this led to more than 40 million stolen credit card numbers.
Disgruntled Employee
A disgruntled employee at Tesla used their network access to steal information and make harmful changes to manufacturing programs.
Bribery of Employees
AT&T Wireless call center employees in Bothell, Washington accepted bribes from Muhammad Fahd to install malware on thousands of smartphones and to install networking hardware on the AT&T network. Fahd was arrested in Hong Kong and extradited to the United States in early August. These efforts allegedly gave Fahd and other cyber-criminals years of unauthorized access to AT&T's network so they could carry out their scheme.
Some of these criminals have been caught and prosecuted. But in each case they exploited a position of trust for criminal activity and personal gain.
These cases illustrate the importance of vigilance. You cannot afford to be too trusting, even if an employee or a trusted third-party vendor has been working for you for years. Managing supply chain security has become part of the standard practice of cybersecurity professionals. Employees should be background-checked when hired, and periodically during their years of service. A wonderful employee can become a thief when pressured by financial events such as gambling debts or major medical expenses. Auditing, both network event audits and financial audits, can help identify a problem and allow you to investigate and take action to stop the losses.
More information:
- Secureworld – This Vendor Became an Insider Threat and Stole Millions
- Sophos Naked Security – IT service pro hacked former client’s email
- WyzGuys – Moving to the Cloud? Don’t Rely on Vendors for Security
- WyzGuys – Email Account Hijacking And Invoice Fraud Go Big
- Gurucul – Famous Insider Threat Cases
- Secureworld – Insider Threats at AT&T Wireless Activated by Cybercriminals
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com