Slide Show: 8 Egregious Examples Of Insider Threats
Real-world case studies from the CERT Insider Threat Center
April 10, 2013
Unlike large customer data breaches that are publicly announced because disclosure laws require it, many of the most intriguing insider theft, sabotage, and fraud cases never see the light of public scrutiny, because companies would rather not air their dirty laundry if they don't have to. But these cases offer valuable lessons on how insiders can become a threat. That is why the folks at the CERT Insider Threat Center work with private-sector firms and law enforcement authorities to discreetly study insider cases for the benefit of the industry. Since 2001, CERT has studied more than 800 cases.
Here are eight illustrative examples of the kind of damage these insiders can do to an organization.
A large U.S. city locked in labor negotiations with union employees was hit by two employees who had helped build the city's traffic control system and sabotaged it in protest of the proceedings. Even though the city had pre-emptively disabled union employees' system access out of concern about potential sabotage, these two insiders gained control of the system because a supervisor had previously shared his credentials with them. Once in the system, they disconnected signal control boxes at four intersections and locked out anyone else from fixing the problem.
"So for four days in this major city, the traffic lights would just blink and go from color to color," says Dawn Cappelli, principal engineer at CERT.
An employee at a computer networking company got a job at one of the two major semiconductor customers served by the firm. In order to do business with both semiconductor companies, the networking firm had access to each of their most sensitive intellectual property. When the networking company employee got his new job, he used his remaining time at his old job to download nearly 80 documents belonging to his new employer's competitor. He was caught only through his own hubris -- when he started emailing the documents to new co-workers, one of them tipped off the authorities.
"It's very important to know what controls your trusted business partners have on your information," Cappelli says. "Even more importantly, what controls do they have on insider threats within their company? Because their insiders are basically your insiders."
Three employees at a law firm managed to use Dropbox to transfer approximately 78,000 documents from their firm to their Dropbox accounts before abruptly quitting and moving to another firm. They then modified confidential client information on those files in the Dropbox account and set their accounts to sync both ways so that faulty information would be transmitted back to the original employer's cache of documents.
"So now they're doing business on faulty information," Cappelli says, "which, of course, cost them their clients, who then went to the competitor."
Sometimes there are love spats. And then there are criminal husbands who use their work credentials to put their wives on a no-fly list. This happened within a foreign government agency when an employee used his access to the country's terrorist watch list to add his wife to it while she was out of the country. Her appeals fell on deaf ears for three years, until her husband was up for a promotion and his superiors ran a routine background check, only to find that their employee's wife was a supposed terrorist. That's when they saw her appeals and discovered the plot.
"When you think insider threats these days, a lot of people think theft," Cappelli says. "But what about this kind of case where it is just modifying or inserting one line into a file?"
A financial engineer at a hedge fund organization managed to steal that company's crown jewels -- its trading algorithms -- in spite of very tight controls around that intellectual property. He managed to bypass those controls by using two virtual machines and eventually sending the information to his personal email account and to an external hard drive. He was discovered only due to additional controls IT had installed that allowed them to notice this employee had unusually large numbers of files on his system.
"You need to really think about how you configure your host-based controls so insiders can't evade them by using virtual machines," Cappelli says.
A programmer who had worked under contract for a software company for 30 years decided to put out his shingle "fixing" that software, fueling his side business with a sabotage scheme. The plan hinged on inserting one line of code into the software so that, after a random number of power cycles, the machine running the software would shut down and not come back up.
"Then they would have to call him, he would come in and save the day, and now he was on his way to earning extra income," Cappelli says.
Similarly, another supply chain case was discovered at a hard drive manufacturing company. That organization had contracted with a foreign manufacturing company, which then subcontracted with another foreign firm to make hard drives for the client. An employee at that subcontractor loaded malware onto 1,800 hard drives.
"The malware searched for online gaming credentials and sent them to someone in China," Cappelli says.
A manufacturing firm that was having a hard time designing a process to produce a certain widget had a dastardly idea -- why not spy on a customer it knew produced a similar type of product by asking for a visit to that company's manufacturing floor to "inspect" equipment on customer premises. The manufacturing company sent two employees, one as lookout and the other as a photographing spy, to take pictures of the customer's manufacturing operation with a cell phone. The employees were successful in spite of security policies around that area that should have kept the spies from walking around without escort or carrying cameras.
"No matter how good your security is, it's only as good as how well it is enforced," Cappelli says.