Aug 24 2015

A Reminder On The Danger Of An Inside Job

If you haven’t heard this before, then get ready to hear it a lot more now. While outsider threats can be and are a big deal, and obviously a major concern, one of the biggest areas of risk for ANY company is and will be its internal resources.

Put another way, you have to be as careful about those you give access to as you are with those who don’t have access to your network and corporate resources. Just because you hired and (presumably) vetted someone, does that mean you can absolutely and with 100 percent certainty trust them? You’d like to think so, but history tells us a different tale. For example, word persists that the tremendous 2014 Sony hack was in part made possible due to help from insiders. And even if you weren’t dealing with a malicious employee, your staff still remains an Achilles’ heel: some users don’t always grasp their role in keeping the network safe and secure, and are vulnerable to phishing and other acts of social engineering as a means to compromise a target.

And now comes word from a (controversial) source, John McAfee, indicating that the massive Ashley Madison hack may have been entirely perpetrated from within the company. On the one hand, that is surprising because of the narrative we’ve been hearing the last month. But on the other hand? It would seem to make total sense, considering how much data has been harvested thus far, and how much is contained in what was collected. And that is saying nothing of the rumored third treasure trove of information, potentially containing chats and photos exchanged by users. As bad as ALM’s security was rumored to be, with flimsy passwords and such (memo to IT staffs: insist on complex and frequently changed passwords, or two-factor auth!), having an inside resource either help with the hack, or carry out the entire hack and simply give credit to a “team”, makes total sense.

Even if we assume, just for a moment, that this breach was another example of an inside job, let it serve as a reminder of several key points:

  1. While it may seem harsh, trust no one. Or, when it comes to your employees, trust, but verify. And for those in constant contact with vital records? Remain ever vigilant.
  2. Constantly change passwords to ensure that disgruntled employees who have left don’t still have keys to the kingdom. While many companies are moving to using an individual’s own credentials (great for audit trails), you will find there are still systems that require, or are set up with, a generic admin user. And when someone leaves a company, that admin password isn’t always changed.
  3. Keep a close eye on your key systems, including those containing sensitive data. There should be no way someone can move a large amount (many GB worth) of sensitive data relatively quietly. It happened both with Sony and with ALM, where you are seeing better than 10GB of information sucked down. That’s a lot of bandwidth and a lot of data, and should have triggered some red flags.
  4. Make use of better permissions and network access control methods. Ensure that not everyone can see everything. Just because I am in IT does not mean I should have access to everything. If you ensure that only the appropriate people have access to the appropriate data, you are helping ensure your data remains secure. It can be a chore to build and maintain, but controlling access is a worthwhile endeavor when you consider what the alternatives are.
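
To make point 3 concrete, here is a sketch of the kind of red flag it describes: total the bytes each internal host sends to external destinations per day and flag anything at or above 10GB. This is an added example, not part of the original post; the flow-record format, host names, internal address range and threshold are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

GB = 1024 ** 3
THRESHOLD_BYTES = 10 * GB  # assumption: mirrors the ~10GB figure cited in point 3
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range

# Constructed sample flow records (not real data):
# timestamp, internal source host, destination IP, bytes sent
SAMPLE_FLOWS = """\
2015-08-20T09:14:00,ws-finance-03,10.0.5.20,4294967296
2015-08-20T10:02:00,ws-finance-03,203.0.113.40,314572800
2015-08-20T22:41:00,db-admin-01,198.51.100.7,6442450944
2015-08-20T23:55:00,db-admin-01,198.51.100.7,5368709120
2015-08-21T00:30:00,db-admin-01,198.51.100.7,2147483648
"""

def flag_bulk_egress(flow_csv, threshold=THRESHOLD_BYTES):
    """Return (host, day, bytes) for hosts whose daily outbound total meets the threshold."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(flow_csv)):
        if not row:
            continue  # skip blank lines
        ts, host, dst, nbytes = row
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in INTERNAL_NETS):
            continue  # traffic that stays inside the network is not egress
        day = datetime.fromisoformat(ts).date()
        totals[(host, day)] += int(nbytes)
    return sorted(
        (host, day.isoformat(), total)
        for (host, day), total in totals.items()
        if total >= threshold
    )

if __name__ == "__main__":
    for host, day, total in flag_bulk_egress(SAMPLE_FLOWS):
        print(f"ALERT {host} sent {total / GB:.1f} GB off-network on {day}")
```

Calendar-day buckets will miss a transfer that straddles midnight, so a rolling window is the natural next refinement.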