Insider Threats: When Trust Is Broken

No time to read? Listen to this article here:



You see him every evening right as you’re about to clock out and get ready for the drive home after a full day’s work. He works the night shift, and he’s always very friendly, energetic, and easy to talk to. ‘He’s one of the good guys,’ you think to yourself as he smiles and waves as you’re leaving the office.


But what you didn’t know about this guy is that a week before he sabotaged the Voice Over IP (VoIP) system of a local TV network after smuggling out sensitive data. He also seized control of all the shipping accounts from a freight-weighing station and attempted to get hired at Lockheed Martin and his local police department in order to gain access to various databases used by law enforcement.


He is the ultimate Insider Threat.


Using his keys, he accesses a locked drawer and reaches for a blank RFID card used for subcontractors who usually visit during the day. The card can be programmed with different privilege levels. He swipes it at his computer terminal, creating an Admin card - for himself. This will give him unrestricted access to every room and floor within the building. When he’s finished with his mission, he will wipe the access control logs and slip out undetected.


Taking the elevator to the third floor, he stops at every user’s workstation, quickly searching for sticky notes containing the user’s handwritten credentials. For the ones he doesn't find, he utilizes a toolkit installed on a USB thumb drive to crack Windows logins. He bugs every workstation he accesses and manages to discover a folder containing the company’s network security policies, along with detailed information that lays out the infrastructure of the entire corporate network.


The building is now under his control, both physically and virtually. The server room is under his command, and every remote desktop account, along with all the company’s Work Groups and every account managed by every employee both inside and outside the company. At the end of his shift, he will even wipe the security footage and replace the missing sections with a prerecorded video he copied from a previous shift. After all, he’s the night shift security guard.


That person was me.



An Overlooked Attack Vector: Physical Vulnerabilities


According to the Department of Homeland Security, an insider threat is defined as “the threat that an employee or a contractor will use his or her authorized access, wittingly or unwittingly, to do harm”.


The reality about insider threats is that they are very real and usually quite inconspicuous and their agendas are not overtly obvious if and when such a threat is suspected.


Oftentimes when people think about this type of attack vector, they don’t picture our fellow co-worker as the culprit. While the majority of insider threats occur through the negligence of an employee or a contractor through some accidental error and not with malicious intent, the focus of this article highlights the threat actor who is maliciously motivated by attacking the physical layer of a company’s structure and workspace layout because outlining every possible attack vector could amount to writing a book.


This year, Panda Security published a statistical analysis piece, showing that insider threats have increased by 47% in the past two years. With this attack vector on the rise, it is paramount that organizations focus on developing an insider threat plan that identifies weaknesses in their company’s physical structure and access controls, and enforces policies that prevent authorized users from creating, sharing, or publically displaying credentials for personal convenience.


Last year, ObserveIT reported that credential thefts cost businesses a total of $871,000 per incident, which is three times more than what it costs to remediate the damage caused by negligence. Credential thefts occur whenever a user’s credentials are used to gain unauthorized access to programs and systems. This can also occur when users share their access with a co-worker or with someone who is not authorized to use specific systems or programs.


Additionally, last year alone, insider threats carried out from the theft of credentials cost organizations $2.79 million, encompassing 14% of all incidences. 62% of such incidents occurred from negligent insiders, and 23% were carried out by criminals.



Common Errors To Avoid: Sticky Notes


I have put special emphasis on credential theft because it is one of the easiest to commit. After all, escalating a user’s privileges can be as easy as holding the door open for someone who is not authorized to access a certain floor or room.


Following this same vein of thought, the hardware used to manufacture new employee or contractor badges must also be guarded by access controls, and not stored in a desk and protected only by your contracted security guards, no matter how much you like or trust them. Consolidating who may have authorized access to such devices can limit the potential number of individuals that can abuse them.


One of the most common practices I discovered during my experiences as an insider threat actor was that employees wrote down their credentials on sticky notes and stuck them in their line of sight at their workstations. Obviously, this enables anybody passing by the workstation to be able to view the credentials.


However, people who post their logins normally do so with the belief that fellow employees will respect the sanctity of their workspace. I have even seen law enforcement in government buildings make this same mistake, so don't feel too guilty if this sounds like something you would do.



Decommissioned Hardware


Oftentimes I found that companies do not wipe the intellectual data from obsolete hardware after it has been decommissioned and stored. This can pose a security risk because anyone with access to these storage areas could potentially gain access to the data stored on those systems as well.


Costs and time restraints, as well as the lack of manpower are usually to blame for such inconveniences, however, improper disposal of sensitive equipment containing corporate data gives the advantage to threat actors who could easily access the intellectual property. Back up what is important. Forensically wipe the rest.



Proprietary Company Manuals And Proper Disposal


Likewise, I found copies of manuals detailing network protocols and procedures that have been discarded in storage rooms after they had been updated, providing significant insights into network architecture and policies. These were not treated as particularly sensitive based on how they were stored, when in fact they needed to be shredded and properly discarded by qualified personnel.



Improper Storage of Access Control Equipment


Access control equipment provides a physical security layer that is designed to control the movement of authorized and unauthorized persons within the physical scope of a building. Storing blank RFID cards in an area that can be accessible to an unauthorized person is another security concern as if such cards can be accessed, they can be programmed or reprogrammed at will. This applies to used access cards as well.



Cracking Biometric Scanners


Another example of improper storage is when not-yet-installed access control equipment itself is accessible, particularly to anyone with administrative access privileges.


Biometric scanners are a recognized and often effective line of defense against threat actors. However, did you know that most biometric scanners were designed to work with a kind of “master keys” called “masterprints”, which in lockpicking terms means a key that can be used to unlock any applicable lock?


In other words, a threat actor can use these masterprints to bypass the device’s access control system, especially if it uses sub-par scanning techniques. Good biometric scanning equipment is manufactured to identify and reject attempts to use masterprints, however, less powerful scanners such as the ones often found in garden-variety IoT devices are not always fortified to reject these attempts.


Some scanners are powerful, some are cheap and clunky, so it always pays to purchase biometric scanners that have verifiable enterprise-grade tampering protection.



Policies That Restrict Users From Unauthorized Software Installations


Finally, one of the worst security risks I have encountered is the lack of access controls installed on company computer systems, compounded with improperly configured user profiles bearing excessive administrative privileges. This not only permits general users to create critical changes in network configurations but allows a user to pretty much do as they wish, without enforcing policies that actively monitor and prohibit these activities.


A threat actor can use remote access malware to gain the ability to modify, damage, or impair the integrity of those systems - abilities to create new user accounts, keylog sessions, and siphon off sensitive company data are particularly concerning.


The moral of this article, as it often is, hope for the best, but plan for the worst.


An article by

Jesse McGraw


Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!