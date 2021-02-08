Internal threat actors cause millions in damages and at times walk away scot-free while you’re left picking up the pieces. Think you’re immune to this type of event? Let’s walk through a fictional scenario and see how you fare, then discuss some important steps you want to take to protect your company.

You’re the CIO of a mid-sized business with a great team and you’re looking to hire a security analyst. You want to provide the opportunity for your team members to advance and take on new challenges so you post the role in-house and receive a number of qualified applicants. After several interviews, you decide that “Taylor” is your winning candidate.

You meet with Taylor, explain your expectations and ask if there are any questions. Taylor asks if there is going to be a raise with this change in responsibility. You explain that there is a probationary period as with any role change and that Taylor’s performance will be reviewed and accordingly remunerated during the next review cycle. Taylor seems a little disappointed but accepts the response with a smile and heads off to start working as your newest security analyst.

As part of this new role, Taylor is granted elevated permissions including some administrative and service accounts. Since you run a very skinny security team (sound familiar?) it’s tough to lock down access and keep watch around the team’s activities. But you have some network monitoring and auditing tools in place.

It begins with a few small errors …

A few months after Taylor joined the team, odd system failures start occurring. A few servers get infected with ransomware, one server loses its data drive, and a few more servers experience intermittent reboots. Stability hasn’t historically been a problem in your environment but for some reason, things are becoming very unpredictable. During these incidents, you note that Taylor has been an absolute rock star, working countless hours, always available and attempting to step in and lead the team.

After about the third unexplained event, you suspect someone is inside your network and decide to call in an external team to investigate as you just don’t have the forensic skills in house. You spend $100k and personally dedicate two weeks to the investigation. The forensics team finds that during each failure and attack, a remote computer logged in as Administrator from an off-site location performed malicious actions. The trail was VERY well hidden but one tiny misstep revealed that the computer used was a company laptop. In fact, it was Taylor’s laptop.

After recovering from your initial shock and dismay, you schedule an emergency meeting with the executive team to explain the findings. Collectively, you agree that the best course of action would be to confront Taylor. HR, legal, yourself, and Taylor meet to understand what’s transpired. Taylor assures you that they’ve done nothing wrong and would never do anything to harm the company. You terminate Taylor and gather the rest of your team to inform them of the termination and answer any questions they may have.

After the team meeting, one of your other security team members approaches you privately and explains that over the past few months, Taylor had been very upset about other security team members higher salaries (even though Taylor had FAR less experience). You ask why this wasn’t brought forward to their manager or to you directly, the team member simply states that Taylor made us all promise not to get involved. You realize right away: Taylor was in fact guilty of the actions but was only trying to show you just how valuable they were before the next review cycle.

Besides the HR lessons that can be gleaned from this experience, there are several security misses that should be examined. Let’s walk through some of the points and how they might apply to your environment:

Generic administrator or service accounts should NEVER be used by any user. If they are, there must be additional safety measures in place to monitor and alert on their use.

Any user who requires administrative privileges should be given a separate, named administrative account. This account must only be used for administrative purposes.

Auditing must be enabled across all administrative accounts including permission changes.

Shared accounts are absolutely forbidden! If you can’t attribute the activity to anyone, you can’t secure your environment.

Administrative accounts should have long random passwords (32 characters or more)

Remove the ability for generic administrator or service accounts to perform interactive logins.

Maintain a list of administrative accounts that is kept up to date and regularly reviewed.

A password management solution is required with audit capabilities.

Implement MFA for all accounts including administrators where ever possible.

Implement monitoring for user behaviour with alerting capabilities.

For most environments, every item (except arguably the last three) can be implemented without spending a dime on new software. If you have a windows domain or any type of centralized authentication system, you are generally good to go. The last three don’t have to break the bank, they can be implemented with minimal spend (like a few thousand dollars) and for the value they provide, it’s a no-brainer.

If you still believe the scenario above (or similar disgruntled employee scenarios) could never happen to you, I have some swampland in Florida I think you’ll really love. Give me a call, we can make a deal…

