Attacks/Breaches
8/18/2011
05:42 PM
50%
50%

7 Ways To Stop Insider Hack Attacks

A former IT staffer invaded his pharmaceutical employer's network and deleted virtual machines, causing about $800,000 in losses. Here's how to prevent such trouble.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Are you prepared to stop attacks by malicious insiders or a former employee? On Tuesday, Jason Cornish, 37, plead guilty in federal court to executing an attack against his former employer, pharmaceutical firm Shionogi.

Based in Japan, Shionogi also operates in New Jersey, as well as Georgia, where Cornish had worked as an IT employee before resigning in September 2010. But in February 2011, Cornish accessed the corporate network and began deleting virtual servers, in retribution for layoffs that affected a close friend and former colleague.

As a result of those attacks, which cost Shionogi an estimated $800,000 in losses after responding to the attack and restoring its systems, Cornish--due to be sentenced in November--faces up to 10 years in prison and a $250,000 fine. But security experts said Shionogi is also at fault, because of its apparently ineffective security environment and disaster recovery strategy.

Here's how businesses can do better:

Route All Offsite Access Through A VPN

Ultimately, the FBI's Cyber Crimes Task Force traced the attack against Shionogi to a free Wi-Fi connection at a McDonald's, and found that Cornish had made a $4.96 credit card purchase there just minutes before the attack. But FBI investigators also found that he'd accessed the corporate infrastructure multiple times from his home network. That means Shionogi had failed to spot suspicious activity, especially on the part of an ex-employee. "Tactically ... weren't they [Shionogi] looking at activity, and VPN connectivity, for this person?" said Ron Gula, CEO and CTO of Tenable Network Security, in an interview. Meaning that all remote connections to the network LAN should have been routed through a VPN, and those connections logged and monitored for suspicious activity.

Test The Disaster Recovery Plan

Through his continuing ability to access the corporate LAN, Cornish was able to delete data from Shionogi servers and disable its BlackBerry communications in the United States, compromising email and order shipping for days. Why didn't Shionogi have a disaster recovery (DR) plan, so that it could immediately switch to a backup IT environment? "A lot of times, organizations do DR, but unless they practice the actual recovery, they don't know [if it will work], and it doesn't matter if they have a physical, or a virtual environment," said Gula. Without a good, tested disaster recovery plan, in the wake of this type of attack, "you don't have any options," he said.

Block Unapproved Software

Interestingly, Cornish's attack involved surreptitiously installing an extra copy of VMware vSphere, which is software for managing VMware virtual environments, several weeks in advance. According to the Department of Justice, Cornish then deleted 15 virtual hosts, or the equivalent of 88 computer servers. "I don't want to throw IT management theory at you, but everything that is there should be there for a reason," said Gula. "Including accounts, and in this case, the second copy of vSphere."

Disable Ex-Employee Accounts And Passwords

Whenever an employee or contractor ceases to work at a business--or in the case of layoffs, beforehand--their network access, accounts, and passwords must be disabled. "Businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "It only takes one bad apple to wreak havoc--so make sure your defenses are in place, and that only authorized users can access your sensitive systems."

Block Root Access To Everything

According to Tenable's Gula, well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems. Because giving IT employees the keys to the kingdom is an invitation for abuse. Accordingly, give users unique passwords to systems--perhaps by using a password vault or safe--and also restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they're being used.

Be Rigorous With Virtualized Environments

Using virtualization offers many upsides, but too often, CIOs fail to account for the potential downsides. "A lot of people use virtualization as a cheap form of DR," said Gula. "And, three applications virtualized, running on top of three servers, is more reliable than those applications each running on their own server. So people think they're more reliable, and flexible, and just add another server, and I can scale." But along the way, he said, too many users lose track of other essentials, such as network bandwidth, power, cooling, and especially the security of the virtualized environment itself, as well as who can access it.

Think Like A Malicious Insider

Perhaps the biggest takeaway from this malicious insider incident is that IT managers must think like an inside attacker, and diagnose the weak points of their infrastructure that they themselves would exploit. Furthermore, senior managers must demand answers to these questions. "A CEO who's reading this article needs to say, how do I know that the integrity of my infrastructure will be here tomorrow?" said Gula.

Attend Enterprise 2.0 Santa Clara, Nov. 14-17, 2011, and learn how to drive business value with collaboration, with an emphasis on how real customers are using social software to enable more productive workforces and to be more responsive and engaged with customers and business partners. Register today and save 30% off conference passes, or get a free expo pass with priority code CPHCES02. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:39:42 PM
re: 7 Ways To Stop Insider Hack Attacks
Two words: Exit Interview.

Failing to even ASK someone who's headed out the door (forever) what they would change, what they liked, what they don't like, etc. about your company is just stupid. And lazy. And expensive. And . . .
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.