

7 Ways To Stop Insider Hack Attacks

A former IT staffer invaded his pharmaceutical employer's network and deleted virtual machines, causing about $800,000 in losses. Here's how to prevent such trouble.

Are you prepared to stop attacks by malicious insiders or a former employee? On Tuesday, Jason Cornish, 37, pleaded guilty in federal court to executing an attack against his former employer, pharmaceutical firm Shionogi.

Based in Japan, Shionogi also operates in New Jersey, as well as Georgia, where Cornish had worked as an IT employee before resigning in September 2010. But in February 2011, Cornish accessed the corporate network and began deleting virtual servers, in retribution for layoffs that affected a close friend and former colleague.

As a result of those attacks, which cost Shionogi an estimated $800,000 in losses after responding to the attack and restoring its systems, Cornish--due to be sentenced in November--faces up to 10 years in prison and a $250,000 fine. But security experts said Shionogi is also at fault, because of its apparently ineffective security environment and disaster recovery strategy.

Here's how businesses can do better:

Route All Offsite Access Through A VPN

Ultimately, the FBI's Cyber Crimes Task Force traced the attack against Shionogi to a free Wi-Fi connection at a McDonald's, and found that Cornish had made a $4.96 credit card purchase there just minutes before the attack. But FBI investigators also found that he'd accessed the corporate infrastructure multiple times from his home network. That means Shionogi had failed to spot suspicious activity, especially on the part of an ex-employee. "Tactically ... weren't they [Shionogi] looking at activity, and VPN connectivity, for this person?" said Ron Gula, CEO and CTO of Tenable Network Security, in an interview. In other words, all remote connections to the corporate LAN should have been routed through a VPN, and those connections logged and monitored for suspicious activity.

Test The Disaster Recovery Plan

Through his continuing ability to access the corporate LAN, Cornish was able to delete data from Shionogi servers and disable its BlackBerry communications in the United States, compromising email and order shipping for days. Why didn't Shionogi have a disaster recovery (DR) plan, so that it could immediately switch to a backup IT environment? "A lot of times, organizations do DR, but unless they practice the actual recovery, they don't know [if it will work], and it doesn't matter if they have a physical, or a virtual environment," said Gula. Without a good, tested disaster recovery plan, in the wake of this type of attack, "you don't have any options," he said.

Block Unapproved Software

Interestingly, Cornish's attack involved surreptitiously installing an extra copy of VMware vSphere, which is software for managing VMware virtual environments, several weeks in advance. According to the Department of Justice, Cornish then deleted 15 virtual hosts, or the equivalent of 88 computer servers. "I don't want to throw IT management theory at you, but everything that is there should be there for a reason," said Gula. "Including accounts, and in this case, the second copy of vSphere."

Disable Ex-Employee Accounts And Passwords

Whenever an employee or contractor ceases to work at a business--or in the case of layoffs, beforehand--their network access, accounts, and passwords must be disabled. "Businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "It only takes one bad apple to wreak havoc--so make sure your defenses are in place, and that only authorized users can access your sensitive systems."
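The two controls above, monitoring VPN logins and disabling leavers' accounts, can be reconciled against an HR offboarding list. The following is an added example, not code from the article, Tenable, or Shionogi; the log format, the offboarding list, and the directory export are all constructed, hypothetical data.

```python
"""Added example: flag VPN logins by offboarded accounts and list accounts
that should already have been disabled. All data below is constructed."""
from datetime import datetime

# Constructed offboarding list (hypothetical HR export): username -> last day.
OFFBOARDED = {
    "jdoe": datetime(2010, 9, 30),
}

# Constructed directory snapshot (hypothetical export): username -> enabled?
DIRECTORY = {"jdoe": True, "asmith": True}

# Constructed VPN log in a hypothetical "timestamp user src_ip result" format.
VPN_LOG = """\
2011-02-01T22:14:03 jdoe 203.0.113.45 ACCEPT
2011-02-01T09:02:11 asmith 198.51.100.7 ACCEPT
2011-02-03T23:41:50 jdoe 192.0.2.88 ACCEPT
2011-02-04T08:15:00 jdoe 192.0.2.88 REJECT
"""

def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result

def flag_offboarded_access(log_text, offboarded):
    """Return (timestamp, user, src_ip) for successful VPN logins by accounts
    whose owner had already left; rejected attempts are reported elsewhere."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        last_day = offboarded.get(user)
        if result == "ACCEPT" and last_day is not None and ts > last_day:
            findings.append((ts.isoformat(), user, src))
    return findings

def accounts_needing_disable(directory, offboarded, now):
    """Accounts still enabled in the directory although their owner left."""
    return sorted(u for u, enabled in directory.items()
                  if enabled and u in offboarded and offboarded[u] < now)

if __name__ == "__main__":
    for finding in flag_offboarded_access(VPN_LOG, OFFBOARDED):
        print("ALERT: offboarded account logged in via VPN:", finding)
    print("disable now:", accounts_needing_disable(DIRECTORY, OFFBOARDED, datetime(2011, 2, 5)))
```

Run daily against the real VPN concentrator log and directory export, the second function is the offboarding check itself and the first is the detective control that catches what the offboarding process missed.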

Block Root Access To Everything

According to Tenable's Gula, well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems, because giving IT employees the keys to the kingdom is an invitation for abuse. Accordingly, give users unique passwords to systems--perhaps by using a password vault or safe--and also restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they're being used.

Be Rigorous With Virtualized Environments

Using virtualization offers many upsides, but too often, CIOs fail to account for the potential downsides. "A lot of people use virtualization as a cheap form of DR," said Gula. "And, three applications virtualized, running on top of three servers, is more reliable than those applications each running on their own server. So people think they're more reliable, and flexible, and just add another server, and I can scale." But along the way, he said, too many users lose track of other essentials, such as network bandwidth, power, cooling, and especially the security of the virtualized environment itself, as well as who can access it.

Think Like A Malicious Insider

Perhaps the biggest takeaway from this malicious insider incident is that IT managers must think like an inside attacker, and diagnose the weak points of their infrastructure that they themselves would exploit. Furthermore, senior managers must demand answers to these questions. "A CEO who's reading this article needs to say, how do I know that the integrity of my infrastructure will be here tomorrow?" said Gula.


User Rank: Apprentice
12/3/2011 | 10:39:42 PM
re: 7 Ways To Stop Insider Hack Attacks
Two words: Exit Interview.

Failing to even ASK someone who's headed out the door (forever) what they would change, what they liked, what they don't like, etc. about your company is just stupid. And lazy. And expensive. And . . .