Attacks/Breaches
8/18/2011
05:42 PM
Connect Directly
RSS
E-Mail
50%
50%

7 Ways To Stop Insider Hack Attacks

A former IT staffer invaded his pharmaceutical employer's network and deleted virtual machines, causing about $800,000 in losses. Here's how to prevent such trouble.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Are you prepared to stop attacks by malicious insiders or a former employee? On Tuesday, Jason Cornish, 37, plead guilty in federal court to executing an attack against his former employer, pharmaceutical firm Shionogi.

Based in Japan, Shionogi also operates in New Jersey, as well as Georgia, where Cornish had worked as an IT employee before resigning in September 2010. But in February 2011, Cornish accessed the corporate network and began deleting virtual servers, in retribution for layoffs that affected a close friend and former colleague.

As a result of those attacks, which cost Shionogi an estimated $800,000 in losses after responding to the attack and restoring its systems, Cornish--due to be sentenced in November--faces up to 10 years in prison and a $250,000 fine. But security experts said Shionogi is also at fault, because of its apparently ineffective security environment and disaster recovery strategy.

Here's how businesses can do better:

Route All Offsite Access Through A VPN

Ultimately, the FBI's Cyber Crimes Task Force traced the attack against Shionogi to a free Wi-Fi connection at a McDonald's, and found that Cornish had made a $4.96 credit card purchase there just minutes before the attack. But FBI investigators also found that he'd accessed the corporate infrastructure multiple times from his home network. That means Shionogi had failed to spot suspicious activity, especially on the part of an ex-employee. "Tactically ... weren't they [Shionogi] looking at activity, and VPN connectivity, for this person?" said Ron Gula, CEO and CTO of Tenable Network Security, in an interview. Meaning that all remote connections to the network LAN should have been routed through a VPN, and those connections logged and monitored for suspicious activity.

Test The Disaster Recovery Plan

Through his continuing ability to access the corporate LAN, Cornish was able to delete data from Shionogi servers and disable its BlackBerry communications in the United States, compromising email and order shipping for days. Why didn't Shionogi have a disaster recovery (DR) plan, so that it could immediately switch to a backup IT environment? "A lot of times, organizations do DR, but unless they practice the actual recovery, they don't know [if it will work], and it doesn't matter if they have a physical, or a virtual environment," said Gula. Without a good, tested disaster recovery plan, in the wake of this type of attack, "you don't have any options," he said.

Block Unapproved Software

Interestingly, Cornish's attack involved surreptitiously installing an extra copy of VMware vSphere, which is software for managing VMware virtual environments, several weeks in advance. According to the Department of Justice, Cornish then deleted 15 virtual hosts, or the equivalent of 88 computer servers. "I don't want to throw IT management theory at you, but everything that is there should be there for a reason," said Gula. "Including accounts, and in this case, the second copy of vSphere."

Disable Ex-Employee Accounts And Passwords

Whenever an employee or contractor ceases to work at a business--or in the case of layoffs, beforehand--their network access, accounts, and passwords must be disabled. "Businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "It only takes one bad apple to wreak havoc--so make sure your defenses are in place, and that only authorized users can access your sensitive systems."

Block Root Access To Everything

According to Tenable's Gula, well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems. Because giving IT employees the keys to the kingdom is an invitation for abuse. Accordingly, give users unique passwords to systems--perhaps by using a password vault or safe--and also restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they're being used.

Be Rigorous With Virtualized Environments

Using virtualization offers many upsides, but too often, CIOs fail to account for the potential downsides. "A lot of people use virtualization as a cheap form of DR," said Gula. "And, three applications virtualized, running on top of three servers, is more reliable than those applications each running on their own server. So people think they're more reliable, and flexible, and just add another server, and I can scale." But along the way, he said, too many users lose track of other essentials, such as network bandwidth, power, cooling, and especially the security of the virtualized environment itself, as well as who can access it.

Think Like A Malicious Insider

Perhaps the biggest takeaway from this malicious insider incident is that IT managers must think like an inside attacker, and diagnose the weak points of their infrastructure that they themselves would exploit. Furthermore, senior managers must demand answers to these questions. "A CEO who's reading this article needs to say, how do I know that the integrity of my infrastructure will be here tomorrow?" said Gula.

Attend Enterprise 2.0 Santa Clara, Nov. 14-17, 2011, and learn how to drive business value with collaboration, with an emphasis on how real customers are using social software to enable more productive workforces and to be more responsive and engaged with customers and business partners. Register today and save 30% off conference passes, or get a free expo pass with priority code CPHCES02. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:39:42 PM
re: 7 Ways To Stop Insider Hack Attacks
Two words: Exit Interview.

Failing to even ASK someone who's headed out the door (forever) what they would change, what they liked, what they don't like, etc. about your company is just stupid. And lazy. And expensive. And . . .
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio