Who Guards the Guardians?

Insider threats, the risks and dangers caused by malicious or careless acts performed by your own employees, contractors, and trusted vendors, are perhaps the most difficult cyber attacks to detect and defend against.  What happens when a member of your own IT department turns to the dark side?

Between 2015 and 2019, IT executive Hicham Kabbaj scammed his employer out of $6 million for servers, other products, and installation services purchased from a fictitious technology services company, “Interactive Systems.”  In reality, Interactive Systems was set up by Kabbaj.  He placed orders, verified delivery, and approved invoices for payment to Interactive Systems, and once paid, moved the money to his own account.

An investigation revealed that several of these invoices, which were Word documents, contained metadata proving that the invoices were created on a computer belonging to Kabbaj.  He had managed to circumvent the internal company process that required approval before setting up a new vendor.

Kabbaj pled guilty to felony theft and is awaiting sentencing.

Defending against this type of insider threat, which in this case is a form of embezzlement, requires security controls such as:

  • Separation of Duties – This practice separates the different roles in the purchasing process, and should have meant that Kabbaj could not approve for payment invoices for equipment he had ordered himself.
  • Mandatory Vacation – Requiring everyone to take earned vacation of at least a week allows time to uncover fraudulent practices when duties are turned over to a replacement.
  • Job Rotation – This is another means of preventing a single individual from setting up a fraudulent system.  Job responsibilities are rotated between employees, and the rotation should uncover a scam like this one.
  • Dual Control – This practice requires at least two people to approve an invoice or confirm a delivery.  Dual control is especially important in the accounts payable process, and prevents any single individual from processing a payment on their own.
  • Financial Audit – A regular financial audit by an outside auditor is another way to detect fraudulent activity by an employee.
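As an added illustration (not from the original post), the following Python script shows how two of the controls above could be checked automatically in an accounts payable review: a separation-of-duties test that flags an invoice where the same person ordered, received, and approved, and a metadata test that reads the author fields out of a Word (.docx) invoice and compares them against an employee list. All names, roles, and the sample invoice are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml inside any .docx package
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

def docx_author_metadata(docx_bytes):
    """Return (creator, lastModifiedBy) from the core properties of a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        core = ET.fromstring(zf.read("docProps/core.xml"))
    creator = core.findtext("dc:creator", default="", namespaces=NS)
    modified_by = core.findtext("cp:lastModifiedBy", default="", namespaces=NS)
    return creator, modified_by

def build_sample_invoice(author):
    """Constructed test fixture: a minimal .docx containing only core.xml."""
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], author, author)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()

def review_invoice(record, docx_bytes, staff):
    """Return a list of audit findings for one vendor invoice record."""
    findings = []
    # Separation of duties: ordering, receiving and approving must be 3 people
    roles = {record["ordered_by"], record["received_by"], record["approved_by"]}
    if len(roles) < 3:
        findings.append("separation-of-duties: one person holds multiple roles")
    # Metadata: a vendor's invoice should not be authored by our own employee
    for who in set(docx_author_metadata(docx_bytes)):
        if who and who in staff:
            findings.append("metadata: vendor invoice authored by employee %s" % who)
    # Vendor onboarding must have gone through the approval process
    if not record.get("vendor_setup_approved", False):
        findings.append("vendor onboarding lacks documented approval")
    return findings
```

Running the check against a purchasing record where one employee fills all three roles, a vendor set up without approval, and an invoice whose author metadata names that employee yields three findings; a clean record yields none.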

This type of exploit is more difficult to uncover because most employers tend to trust the people working for them.  And smaller organizations often lack the number of employees required to adopt the security controls listed above, which makes smaller companies more at risk for these sorts of exploits.  In this situation a regular outside audit by an accounting company may be the only way these types of crimes are eventually detected.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
