Is the Insider Threat Really Over?

Published: 2011-04-26
Last Updated: 2011-04-26 21:45:06 UTC
by John Bambenek (Version: 1)
7 comment(s)

There has been a bit of press lately about how external threats are overtaking internal threats in the near term.  Traditionally it has been viewed that internal threats (i.e. disgruntled employees) pose a greater threat to an organization than outsiders.  In reality, the lines are blurring, but external attackers are becoming more sophisticated in their attacks.  That said, I was made aware by a coworker of an interesting controversy emerging from South Korea.  In essence, one of their major banks was offline and unable to process any transactions for several days.  Around April 12, customers were unable to perform ATM transactions, online transactions or any in-bank transactions for about a day.  For several days afterwards, transactions were highly unreliable.  In essence, this bank (Nonghyup Bank, NH Bank) basically suffered a catastrophic system failure.

According to reports, a contractor from IBM had his laptop infected, which in turn successfully attacked about 60% of the bank's infrastructure and crippled its ability to do business.  The running controversy is whether this was an insider attack or whether someone compromised a contractor and used it as a beachhead to get into the bank.  That investigation is playing out and we'll see where that goes.  From what I can tell (and that's limited because... well... I don't speak Korean), there was a contractor's laptop that was compromised, Chinese IP addresses were involved (those of you who know the geopolitical history will find that entirely unsurprising), and there are 300,000 some odd complaints from people who were unable to get their money and who are in various states of non-pleased.

Like I said, the investigation is ongoing and who knows what really will happen.

Disclaimers aside, my first thought was the IMF incident which ultimately led to the spectacular collapse of Satyam. Maybe that's not the case here, but I do know that when I've applied for contractor positions at pretty big firms, I've been appalled by how easy it would be to game the system and, for that matter, how easily the system has been gamed.

In this particular case, there had been a non-trivial number of incidents that should have served as a warning sign for internal controls.  My personal favorite expression regarding the failures of this bank and how they responded (after it became catastrophic) is that they started a 2011 training session with "a highly critical self-reflection and atonement".  Maybe I'm odd, but I find that expression humorous.

Ultimately, an organization's security is determined by whom it trusts to run the shop.  If all you do is a phone screen (which may or may not be with the actual person who is going to start the job the following Monday), you may be asking for trouble.

What are your thoughts?  How important is it to consider the insider threat and to vet your contractors and employees?

Background:

IEEE: South Korean NH Bank's Week-Long System Failure That Affected 30 Million An Inside Job? 

Korea Times: Chinese IPs linked to Nonghyup crash

The Dong-A-Ilbo: "Nonghyup Bank averaged 2 financial accidents per month"

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting
