7 Ways To Stop Insider Hack Attacks

A former IT staffer invaded his pharmaceutical employer's network and deleted virtual machines, causing about $800,000 in losses. Here's how to prevent such trouble.

Mathew J. Schwartz, Contributor

August 18, 2011


Are you prepared to stop attacks by malicious insiders or a former employee? On Tuesday, Jason Cornish, 37, pleaded guilty in federal court to executing an attack against his former employer, pharmaceutical firm Shionogi.

Based in Japan, Shionogi also operates in New Jersey, as well as Georgia, where Cornish had worked as an IT employee before resigning in September 2010. But in February 2011, Cornish accessed the corporate network and began deleting virtual servers, in retribution for layoffs that affected a close friend and former colleague.

As a result of those attacks, which cost Shionogi an estimated $800,000 in losses after responding to the attack and restoring its systems, Cornish--due to be sentenced in November--faces up to 10 years in prison and a $250,000 fine. But security experts said Shionogi is also at fault, because of its apparently ineffective security environment and disaster recovery strategy.

Here's how businesses can do better:

Route All Offsite Access Through A VPN

Ultimately, the FBI's Cyber Crimes Task Force traced the attack against Shionogi to a free Wi-Fi connection at a McDonald's, and found that Cornish had made a $4.96 credit card purchase there just minutes before the attack. But FBI investigators also found that he'd accessed the corporate infrastructure multiple times from his home network. That means Shionogi had failed to spot suspicious activity, especially on the part of an ex-employee. "Tactically ... weren't they [Shionogi] looking at activity, and VPN connectivity, for this person?" said Ron Gula, CEO and CTO of Tenable Network Security, in an interview. In other words, all remote connections to the corporate LAN should have been routed through a VPN, and those connections logged and monitored for suspicious activity.

Test The Disaster Recovery Plan

Through his continuing ability to access the corporate LAN, Cornish was able to delete data from Shionogi servers and disable its BlackBerry communications in the United States, compromising email and order shipping for days. Why didn't Shionogi have a disaster recovery (DR) plan, so that it could immediately switch to a backup IT environment? "A lot of times, organizations do DR, but unless they practice the actual recovery, they don't know [if it will work], and it doesn't matter if they have a physical, or a virtual environment," said Gula. Without a good, tested disaster recovery plan, in the wake of this type of attack, "you don't have any options," he said.

Block Unapproved Software

Interestingly, Cornish's attack involved surreptitiously installing an extra copy of VMware vSphere, which is software for managing VMware virtual environments, several weeks in advance. According to the Department of Justice, Cornish then deleted 15 virtual hosts, or the equivalent of 88 computer servers. "I don't want to throw IT management theory at you, but everything that is there should be there for a reason," said Gula. "Including accounts, and in this case, the second copy of vSphere."

Disable Ex-Employee Accounts And Passwords

Whenever an employee or contractor ceases to work at a business--or in the case of layoffs, beforehand--their network access, accounts, and passwords must be disabled. "Businesses need to be reminded of the importance of reviewing what users have access to your systems, and that changing passwords and resetting access rights is essential when a member of your staff leaves your employment," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "It only takes one bad apple to wreak havoc--so make sure your defenses are in place, and that only authorized users can access your sensitive systems."
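The review described above, VPN logins checked against the list of people who have left, as an added example that is not from the article or from Shionogi's environment. The account names, dates, addresses, roster CSV and `key=value` log layout are all constructed assumptions; adapt the parser to the format your VPN gateway actually writes.

```python
import csv
import io
from datetime import datetime

# Constructed HR offboarding export: account name and last day of employment.
ROSTER_CSV = """account,separation_date
jdoe,2010-09-30
asmith,2011-01-15
"""

# Constructed VPN gateway log; the field layout is an assumption, not a vendor format.
VPN_LOG = """\
2010-09-12T08:01:44Z user=jdoe src=198.51.100.7 result=success
2010-11-03T22:15:09Z user=jdoe src=203.0.113.25 result=success
2011-02-03T19:42:10Z user=jdoe src=192.0.2.80 result=success
2011-02-03T09:00:00Z user=mlee src=198.51.100.9 result=success
2011-02-04T03:10:00Z user=asmith src=192.0.2.14 result=failure
"""

def load_roster(text):
    """Map lower-cased account name -> separation date."""
    return {row["account"].lower():
            datetime.strptime(row["separation_date"], "%Y-%m-%d").date()
            for row in csv.DictReader(io.StringIO(text))}

def parse_line(line):
    """Split one log line into its timestamp and key=value fields."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event

def post_separation_logins(log_text, roster):
    """Return (severity, user, time, source) for VPN auth by separated accounts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        left = roster.get(ev["user"].lower())
        if left is None or ev["time"].date() <= left:
            continue  # current employee, or login on/before the last day
        # Success means the account was never disabled; a failure still shows
        # someone trying a credential that should no longer exist.
        severity = "critical" if ev["result"] == "success" else "warning"
        alerts.append((severity, ev["user"], ev["time"].isoformat(), ev["src"]))
    return alerts

if __name__ == "__main__":
    for alert in post_separation_logins(VPN_LOG, load_roster(ROSTER_CSV)):
        print(*alert)
```

Run on a schedule against the live roster, a critical alert doubles as an audit finding that offboarding missed an account.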

Block Root Access To Everything

According to Tenable's Gula, well-run IT shops always block direct, root-level (for Unix) or admin-level (for Windows) access to critical systems, because giving IT employees the keys to the kingdom is an invitation for abuse. Accordingly, give users unique passwords to systems--perhaps by using a password vault or safe--and also restrict what they can access. Assigning individual passwords to employees also makes it much easier to revoke them, and to monitor how they're being used.

Be Rigorous With Virtualized Environments

Using virtualization offers many upsides, but too often, CIOs fail to account for the potential downsides. "A lot of people use virtualization as a cheap form of DR," said Gula. "And, three applications virtualized, running on top of three servers, is more reliable than those applications each running on their own server. So people think they're more reliable, and flexible, and just add another server, and I can scale." But along the way, he said, too many users lose track of other essentials, such as network bandwidth, power, cooling, and especially the security of the virtualized environment itself, as well as who can access it.

Think Like A Malicious Insider

Perhaps the biggest takeaway from this malicious insider incident is that IT managers must think like an inside attacker, and diagnose the weak points of their infrastructure that they themselves would exploit. Furthermore, senior managers must demand answers to these questions. "A CEO who's reading this article needs to say, how do I know that the integrity of my infrastructure will be here tomorrow?" said Gula.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
