Is the Insider Threat Really Over?

Published: 2011-04-26. Last Updated: 2011-04-26 21:45:06 UTC
by John Bambenek (Version: 1)
7 comment(s)

There has been a bit of press lately about how external threats are overtaking internal threats in the near term.  Traditionally it has been viewed that internal threats (i.e. disgruntled employees) pose a greater threat to an organization than outsiders.  In reality, the lines are blurring, but external attackers are becoming more sophisticated in their attacks.  That said, I was made aware by a coworker of an interesting controversy emerging from South Korea.  In essence, one of their major banks was offline and unable to process any transactions for several days.  Around April 12, customers were unable to perform ATM transactions, online transactions or any in-bank transactions for about a day.  For several days afterwards, transactions were highly unreliable.  In essence, this bank (Nonghyup Bank, NH Bank) basically suffered a catastrophic system failure.

According to reports, a contractor from IBM had his laptop infected, which in turn successfully attacked about 60% of the bank's infrastructure and crippled its ability to do business.  The running controversy is whether this was an insider attack or someone who compromised a contractor and used it as a beachhead to get into the bank.  That investigation is playing out and we'll see where that goes.  From what I can tell (and that's limited because... well... I don't speak Korean) there was a contractor's laptop that was compromised, Chinese IP addresses were involved (and those of you who know the geopolitical history will find that entirely unsurprising), and there are some 300,000-odd complaints from people who were not able to get their money and are in various states of non-pleased.

Like I said, the investigation is ongoing and who knows what really will happen.

Disclaimers aside, my first thought was the IMF incident which ultimately led to the spectacular collapse of Satyam. Maybe that's not the case here, but I do know that when I've applied for contractor positions at pretty big firms, I've been appalled by how easy it would be to game the system and, for that matter, how easily the system has been gamed.

In this particular case, there have been a non-trivial number of incidents that should have served as a warning sign for internal controls.  My personal favorite expression regarding the failures of this bank and how they responded (after it became catastrophic) is that they started a 2011 training session with "a highly critical self-reflection and atonement".  Maybe I'm odd, but I find that expression humorous.

Ultimately, an organization's security is determined by whom it trusts to run the shop.  If all you do is a phone screen (which may or may not be with the actual person who is going to start the job the following Monday), you may be asking for trouble.

What are your thoughts?  How important is it to consider the insider threat and to vet your contractors and employees?

Background:

IEEE: South Korean NH Bank's Week-Long System Failure That Affected 30 Million An Inside Job? 

Korea Times: Chinese IPs linked to Nonghyup crash

The Dong-A-Ilbo: "Nonghyup Bank averaged 2 financial accidents per month"

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting


Comments

If this contractor was really an IBM employee, I don't think there is even a way to vet that person. If you are having a problem, or need support from IBM, you basically take who they send. What can you do when dealing with a big company like this to ensure proper security on their employees' systems? It's been my experience that they don't divulge much of their security policy, and it's not like you can refuse help from them.

I think there's a difference between "insider threat" and "threat on the inside", at least as I usually hear it used. There are some things that can be done to minimize "threat on the inside" that will also be effective against an "insider threat".

But a determined insider will always win; only the dumb or careless ones will get tripped up. The rest of the time we are just blissfully ignorant. :-)
We can make it much harder for the insider to score at first, and then to remain undetected. Authentication, separation of responsibilities, logging (securely), change control, and auditing ... all well-known business methods ... help a lot.

I have seen more than once where corporations I consulted for have been terribly sloppy about how they run their internal network. Like sending passwords in the clear to log into web services when they could have easily used https instead. Also, contractors are in a way easier to deal with than employees: contractors are provided by an outside agency, so you have someone you can sue that supposedly has some money. IBM ought to be very careful who it sends to a place like a bank because the liability is so high. If indeed this Korean bank was compromised because an IBM guy brought in an infected laptop, then I expect IBM will pay dearly for the mistake -- whether the consultant knew he was infected or not. If he knew, and it was deliberate, then he goes to jail, but IBM still pays.

See, you can't recover your damages so easily if it's your own employee.

BTW I have been a full-time independent consultant since 1986. :-O

A simple solution would be to isolate the contractors into their own zones, with limited access internally and externally. This adds to the level of security and limits access to resources not required for their usage.

That only works if the contractors are not doing work on the network infrastructure. I have worked where contractors were used in the NOC of a company that provided secure communications for the military. You couldn't very well put them on a separate zone and still have them do the work.
On a side note, I recently moved all the roving laptops into just such a zone. It keeps the LAN from getting infected just because somebody was careless at a coffee shop. It solved a few other problems as well. :-)
