Introduction
If an employee with access to sensitive information is terminated, that employee is considered an insider threat. Insiders can pose three types of threat to an organization: sabotage, fraud, or theft of intellectual property (IP) or data using Information Technology (IT). IT sabotage uses IT to harm the organization's critical assets. Insiders can also use IT to steal data or IP, or for espionage. Using IT to tamper with data, or to add or delete data for personal gain or to commit an identity crime, is IT fraud.
Hacker’s Targets
In the present scenario, since the employee had access to sensitive information on the intranet, that information could be the target. However, other targets are possible. Broadly, a terminated employee could perform the following malicious actions: 1) unauthorized extraction, duplication, or exfiltration of data, 2) data tampering, 3) destroying or deleting critical assets, 4) eavesdropping or packet sniffing, 5) impersonating or spoofing others, 6) using social engineering for attacks, or 7) installing malicious software. Targets for theft include customer data, employee data including personal information, supplier and partner information, business secrets, information assets, and IP. Types of IP that an employee can steal include proprietary software or code, business plans, proposals, strategic plans, trade secrets, and product information such as designs, formulas, and schematics. IP is most often stolen not to sell it but to gain a business advantage: taking it to a new job, starting a competing business, or taking it to a foreign government or organization.

If the terminated employee is disgruntled, they can modify, delete, or exfiltrate data to harm a specific person, system, or organization. They may commit IT sabotage against their employer's systems and then attempt to extort money by offering to assist in recovery efforts only in exchange for a sum of money. IT sabotage can include deleting both the data and its backups so that the business cannot run. The employee can delete or change all users' credentials so that nobody else can log in to the system. They can deface the company's websites. The employee can install rogue access points (APs) on the Wi-Fi network so that the network can be accessed later, whenever the employee has a need. Data can be modified so that shipments reach the wrong addresses, or addresses where the employee can collect them and sell them.
In the case of IP theft, since the stolen information is information to which the employee already has authorized access, and since the theft is done at work during normal business hours as part of their normal job, it can be difficult to determine whether a given access is legitimate or illegitimate.
Examples of IT sabotage include shutting down power grids, disabling hotlines, corrupting customer records, adding a company's domain to an anti-spam blacklist, deleting critical data, perpetrating DoS or DDoS (distributed denial of service) attacks, identity theft, theft and sale of customer and employee credit card information, and defacing the company's websites. Data diddling, that is, making small, random, or incremental changes to data during storage, processing, input, output, or transactions, is also possible; unlike modifying file contents wholesale or damaging or deleting entire files, it lets the act remain undiscovered. Salami slicing, systematically and regularly shaving away at assets in accounts with financial value, is possible as well. Before the employee physically leaves the premises, information can be sent to unauthorized parties by email.
Methodology
A terminated employee or an insider will try to acquire unknown access paths so that the sabotage activity is concealed. The following methods are commonly employed by terminated employees:
The employee will try to gain elevated access and use it to extract data for later exfiltration. Exfiltration can be done over network access (email, FTP, uploading to file-sharing sites), over remote network access such as a VPN (virtual private network) token, or via removable media, printed documents, or work laptops (known as host data exfiltration).
The employee might create scripts to copy, compress, and merge source code files, then encrypt, rename, and upload them to an external file hosting server.
If the organization develops software, the employee might subvert the software development process so that software backups are destroyed or malicious code is injected into the source code, giving the employee a backdoor at a later date.
The employee may use social engineering to obtain the login credentials of privileged users.
The employee creates backdoors before the termination or after being notified of termination.
The employee installs a modem or a rogue AP for access following termination.
The employee disables anti-virus programs on desktops.
The employee performs network probing or any other act that passively or actively scans the network.
The employee installs a remote network administration tool.
The employee downloads and installs malicious code or tools such as a password cracker, a rootkit, or a virus. After termination, they can send phishing emails to their coworkers to install viruses.
Trojan programs are pieces of software installed covertly to perform functions with the privileges of authorized users, unknown to those users. They are installed by viruses or directly by the terminated employee prior to termination to compromise computers on the trusted internal network. Trojans can be used to steal data and passwords, send keystrokes, provide remote access, monitor network or user activity, or perform a specific function such as spamming. Trojans can be exploited over the Internet, through the firewall, or across the internal network by terminated employees who no longer have authorized access. Trojans are dangerous because they can hide in authorized communication channels such as web browsing. A girlfriend exploit installs a Trojan or a backdoor (also called a trapdoor) through a storage device such as a USB drive provided by a trusted friend.
The employee plants a logic bomb while still employed; it serves as a virtual access path, since it carries out the disruption of the system on the employee's behalf.
The employee might steal the passwords of privileged users so that they can be used after termination.
Shared accounts, such as database administration accounts, can be misused by the terminated employee.
Testing and training accounts can be used for IT sabotage by terminated employees.
Most employees who intend to harm the organization write, test, and plant logic bombs, prepare backdoors accounts as well as sabotage backups before they are terminated.
Other methods include changing passwords right before termination, disabling or deleting system logs, removing history files and backups, failing to create backups, not documenting systems or software as required, unauthorized access to customers' systems and co-workers' machines, sharing passwords with others and demanding passwords from subordinates, evading the recording of physical access by tailgating, and refusing to return laptops upon termination.
Consequential damages to IS
A study by CERT (Computer Emergency Readiness Team) showed that 92% of insiders who were responsible for an IT sabotage attack on an organization did it after a negative event such as termination, a dispute with a current or former employer, demotion, or transfer, all of which can be considered stressful events. The organization suffers some type of business impact, such as the inability to continue the business because the network is unavailable or software or systems are lost. When the data as well as the backups are destroyed, a business cannot continue. Other negative consequences of IT sabotage are negative media attention, loss of reputation, or embarrassment when websites are defaced. In the case of data theft, organizations face legal liability for the exposure of customer and employee financial and personally identifiable information. Similar results can ensue if trade secrets or product designs are stolen. Innocent people may be victimized by data theft. The impact of stolen trade secrets and business data may not be quantifiable and may be the death of the business (Moore et al, 2009, pp. 15-23).
Preventive actions and responses
Figure 1: Security Safeguards as They Relate to the Five Components (figure not reproduced)
CERT suggests best practices that organizations should follow to prevent insider attacks as well as to respond to them. They are:
Consider insider threats while performing an enterprise-wide risk assessment, so that mitigation can be done at the enterprise level. This ensures that critical assets are identified and proper controls are defined to protect them from insiders as well as outsiders.
Policies should be clearly documented and consistently followed so that no employee feels discriminated against.
Periodic security awareness training has to be given to all employees.
Suspicious or disruptive behavior has to be monitored and responded to, as it is a behavioral precursor to malicious activity.
Negative workplace issues such as termination and demotion have to be anticipated and managed.
The physical environment should be tracked and secured by various means, such as strictly enforced access controls.
Password and account management policies have to be implemented.
Implement separation of duties, which divides responsibility for critical functions among employees, and the principle of least privilege, which gives employees the minimum authorizations required to get the job done.
The software development lifecycle should be strengthened against insider threats by instituting peer reviews, authentication and role-based access control, requirements and design oversight, and automated data integrity checks.
Extra caution has to be exercised with privileged user login credentials. Separation of duties or a two-man rule for critical system administrator functions, non-repudiation of technical actions, and encryption can limit the damage from, and improve the detection of, malicious use of privileged accounts.
Technical controls to detect backdoor accounts, keystroke loggers, logic bombs, and other malicious programs have to be implemented. DLP (data loss prevention) or EDLP (enterprise DLP) software can be used to detect and prevent data exfiltration; removable media controls also help.
Employee online actions have to be logged and monitored.
Since data loss is difficult to control, a layered defense has to be adopted; the same applies to remote attacks.
Upon termination, all access has to be terminated, including both known and unknown access paths. This has to be done immediately after the termination so that the damage can be mitigated.
The backup and recovery process has to be audited regularly (Moore et al, 2009, pp. 27-31).
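As an added example (not from the essay, nor from CERT), the following Python script shows what the last few practices look like as a concrete check: it runs over constructed log lines and a constructed termination register and flags logins by a terminated account after its termination time (an access path that deprovisioning missed) and accounts that an employee created shortly before being terminated (candidate backdoor accounts). The log format, the field names, and the seven-day lookback window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed termination register: username -> time at which access should have ended.
TERMINATED = {"jdoe": datetime(2024, 3, 1, 17, 0)}

# Constructed log lines in an assumed "timestamp|event|actor|detail" format.
LOG_LINES = """\
2024-02-27 09:12:00|LOGIN|jdoe|vpn
2024-02-28 22:41:00|ACCOUNT_CREATE|jdoe|svc_backup2
2024-03-01 16:55:00|LOGIN|jdoe|workstation
2024-03-02 03:17:00|LOGIN|jdoe|vpn
2024-03-03 01:02:00|LOGIN|svc_backup2|db-admin
2024-03-03 08:00:00|LOGIN|asmith|workstation
""".splitlines()

def parse(line):
    """Split one log line into (timestamp, event, actor, detail)."""
    ts, event, actor, detail = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, actor, detail

def audit(log_lines, terminated, lookback=timedelta(days=7)):
    """Return findings as (kind, timestamp, actor, detail) tuples."""
    events = [parse(line) for line in log_lines if line.strip()]
    findings = []
    # Pass 1: accounts created by an employee inside the window before termination
    # are candidate backdoor accounts (the "prepare backdoor accounts" pattern).
    suspect_accounts = set()
    for ts, event, actor, detail in events:
        term_ts = terminated.get(actor)
        if event == "ACCOUNT_CREATE" and term_ts and term_ts - lookback <= ts <= term_ts:
            suspect_accounts.add(detail)
            findings.append(("pre_termination_account", ts, actor, detail))
    # Pass 2: any login after the termination time, by the terminated user or by
    # an account they created, is an access path that deprovisioning missed.
    for ts, event, actor, detail in events:
        if event != "LOGIN":
            continue
        term_ts = terminated.get(actor)
        if term_ts and ts > term_ts:
            findings.append(("post_termination_login", ts, actor, detail))
        elif actor in suspect_accounts:
            findings.append(("suspect_account_login", ts, actor, detail))
    return findings

if __name__ == "__main__":
    for kind, ts, actor, detail in audit(LOG_LINES, TERMINATED):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:24} actor={actor} detail={detail}")
```

In practice the register would come from the HR or identity-management system and the log lines from the SIEM; the same two passes apply unchanged.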
Conclusion
These practices are not exhaustive; which actions have to be taken to prevent the threat from a terminated employee depends on the type of business and the type of controls available. It is very important for an organization to develop an insider incident-response plan so that such incidents are properly handled.
References
Cappelli, D., Moore, A., & Trzeciak, R. (2012). The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes (theft, sabotage, fraud). Upper Saddle River, NJ: Pearson Education, Inc.
Kroenke, D. M., & Boyle, R. J. (2015). Experiencing MIS. Upper Saddle River, NJ: Pearson Education Inc.
Moore, A., Cappelli, D., Trzeciak, R., & Shimeall, T. J. (2009). Common sense guide to prevention and detection of insider threat: version 3.1 (3rd ed.). Pittsburgh, PA: Carnegie Mellon University.
Salem, M. B., Hershkop, S., & Stolfo, S. J. (2008). A survey of insider attack detection research. In S. J. Stolfo, S. M. Bellovin, S. Hershkop, A. D. Keromytis, S. Sinclair, & S. W. Smith, Insider attack and cyber security: beyond the hacker (pp. 69-90). New York, NY: Springer Science+Business Media, LLC.