Attacks/Breaches
8/18/2011
05:42 PM
50%
50%

7 Ways To Stop Insider Hack Attacks

A former IT staffer invaded his pharmaceutical employer's network and deleted virtual machines, causing about $800,000 in losses. Here's how to prevent such trouble.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Are you prepared to stop attacks by malicious insiders or a former employee? On Tuesday, Jason Cornish, 37, plead guilty in federal court to executing an attack against his former employer, pharmaceutical firm Shionogi.

Based in Japan, Shionogi also operates in New Jersey, as well as Georgia, where Cornish had worked as an IT employee before resigning in September 2010. But in February 2011, Cornish accessed the corporate network and began deleting virtual servers, in retribution for layoffs that affected a close friend and former colleague.

As a result of those attacks, which cost Shionogi an estimated $800,000 in losses after responding to the attack and restoring its systems, Cornish--due to be sentenced in November--faces up to 10 years in prison and a $250,000 fine. But security experts said Shionogi is also at fault, because of its apparently ineffective security environment and disaster recovery strategy.

Here's how businesses can do better:

Route All Offsite Access Through A VPN

Ultimately, the FBI's Cyber Crimes Task Force traced the attack against Shionogi to a free Wi-Fi connection at a McDonald's, and found that Cornish had made a $4.96 credit card purchase there just minutes before the attack. But FBI investigators also found that he'd accessed the corporate infrastructure multiple times from his home network. That means Shionogi had failed to spot suspicious activity, especially on the part of an ex-employee. "Tactically ... weren't they [Shionogi] looking at activity, and VPN connectivity, for this person?" said Ron Gula, CEO and CTO of Tenable Network Security, in an interview. Meaning that all remote connections to the network LAN should have been routed through a VPN, and those connections logged and monitored for suspicious activity.

Test The Disaster Recovery Plan

Through his continuing ability to access the corporate LAN, Cornish was able to delete data from Shionogi servers and disable its BlackBerry communications in the United States, compromising email and order shipping for days. Why didn't Shionogi have a disaster recovery (DR) plan, so that it could immediately switch to a backup IT environment? "A lot of times, organizations do DR, but unless they practice the actual recovery, they don't know [if it will work], and it doesn't matter if they have a physical, or a virtual environment," said Gula. Without a good, tested disaster recovery plan, in the wake of this type of attack, "you don't have any options," he said.

Block Unapproved Software

Interestingly, Cornish's attack involved surreptitiously installing an extra copy of VMware vSphere, which is software for managing VMware virtual environments, several weeks in advance. According to the Department of Justice, Cornish then deleted 15 virtual hosts, or the equivalent of 88 computer servers. "I don't want to throw IT management theory at you, but everything that is there should be there for a reason," said Gula. "Including accounts, and in this case, the second copy of vSphere."

Disable Ex-Employee Accounts And Passwords

Whenever an employee or contractor ceases to work at a business--or in the case of layoffs, beforehand--their network access, accounts, and passwords must be disabled. "Businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "It only takes one bad apple to wreak havoc--so make sure your defenses are in place, and that only authorized users can access your sensitive systems."

Block Root Access To Everything

According to Tenable's Gula, well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems. Because giving IT employees the keys to the kingdom is an invitation for abuse. Accordingly, give users unique passwords to systems--perhaps by using a password vault or safe--and also restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they're being used.

Be Rigorous With Virtualized Environments

Using virtualization offers many upsides, but too often, CIOs fail to account for the potential downsides. "A lot of people use virtualization as a cheap form of DR," said Gula. "And, three applications virtualized, running on top of three servers, is more reliable than those applications each running on their own server. So people think they're more reliable, and flexible, and just add another server, and I can scale." But along the way, he said, too many users lose track of other essentials, such as network bandwidth, power, cooling, and especially the security of the virtualized environment itself, as well as who can access it.

Think Like A Malicious Insider

Perhaps the biggest takeaway from this malicious insider incident is that IT managers must think like an inside attacker, and diagnose the weak points of their infrastructure that they themselves would exploit. Furthermore, senior managers must demand answers to these questions. "A CEO who's reading this article needs to say, how do I know that the integrity of my infrastructure will be here tomorrow?" said Gula.

Attend Enterprise 2.0 Santa Clara, Nov. 14-17, 2011, and learn how to drive business value with collaboration, with an emphasis on how real customers are using social software to enable more productive workforces and to be more responsive and engaged with customers and business partners. Register today and save 30% off conference passes, or get a free expo pass with priority code CPHCES02. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:39:42 PM
re: 7 Ways To Stop Insider Hack Attacks
Two words: Exit Interview.

Failing to even ASK someone who's headed out the door (forever) what they would change, what they liked, what they don't like, etc. about your company is just stupid. And lazy. And expensive. And . . .
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.