“The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the alert states.
The alert notes that in many of these cases, the theft of proprietary information was facilitated through personal email accounts and cloud storage services like Dropbox. In other cases, employees installed unauthorized remote desktop protocol (RDP) software to enable access after they were fired.
Tripwire security analyst Ken Westin notes that tools like Dropbox make it much easier for non-technical employees to steal data. “An employee may have Dropbox running on systems that are connected to shared drives on the network, so even if the employee is terminated they may still have access to files on Dropbox through their account,” Westin said. “Many times the file sharing accounts used to exfiltrate data are personal accounts, and IT administrators are not able to revoke their credentials or control the data shared through these services.”
According to the alert, many people have also tried to extort their former employers by modifying or restricting access to company Web sites, disabling content management systems, and/or launching DDoS attacks.
There are countless examples of these types of attacks. In May 2014, Ricky Joe Mitchell was sentenced to four years in federal prison and ordered to pay $428,000 in restitution. After learning that he was going to be fired from his position as a network engineer with the oil and gas company EnerVest, he reset all network servers to factory settings, disconnected critical pieces of network equipment, and disabled the equipment’s cooling systems.
Companies have incurred costs ranging from $5,000 to $3 million from such attacks. “Businesses reported various factors into their cost estimates, to include: calculating the value of stolen data, Information Technology (IT) services, the establishment of network countermeasures, legal fees, loss of revenue and/or customers, and the purchase of credit monitoring services for employees and customers affected by a data breach,” the alert states.
In response to the threat, the FBI and DHS are advising that all companies do the following:
- Conduct a regular review of employee access and terminate any account that individuals do not need to perform their daily job responsibilities
- Terminate all accounts associated with an employee or contractor immediately upon dismissal
- Change administrative passwords to servers and networks following the release of IT personnel
- Avoid shared user names and passwords for remote desktop protocol
- Do not use the same login and password for multiple platforms, servers, or networks
- Ensure third party service companies providing email or customer support know that an employee has been terminated
- Restrict Internet access on corporate computers to cloud storage websites
- Do not allow employees to download unauthorized remote login applications on corporate computers
- Maintain daily backups of all computer networks and servers
- Require employees to change passwords to corporate accounts regularly
While much of that advice might seem obvious, a recent Vormetric survey of IT security decision makers found that only 27 percent of respondents block privileged user access to data — and in a recent SpectorSoft survey of IT professionals, 61 percent of respondents said they’re unable to deter insider threats.
“The key to mitigating these insider risks, and preventing them from turning into insider threats, is detection,” SpectorSoft CEO Jason Judge said by email. “A great starting point is to examine the online activity of an employee as soon as you become aware, or suspect, they may be disgruntled or plan on leaving your organization. Experts advise reviewing the 30 day period leading up to resignation or termination.”
“The fear of getting caught is a powerful deterrent,” Judge added. “If employees know that their interactions with corporate resources are recorded and logged, they are less likely to attempt a malicious act than if they thought no one was looking.”
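As an added illustration (not code from the alert, SpectorSoft or this article), the sketch below combines two of the controls above: the offboarding account review from the FBI/DHS list and the 30-day look-back Judge describes. The account names, dates, record layouts and the cloud-storage watch list are constructed sample data and assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: HR separation dates, account inventory, activity events.
SEPARATIONS = {"jdoe": date(2014, 9, 12), "asmith": date(2014, 9, 20)}
ACCOUNTS = [  # (account, owner, system, enabled)
    ("jdoe", "jdoe", "ad", False),
    ("jdoe-vpn", "jdoe", "vpn", True),      # missed during offboarding
    ("asmith", "asmith", "ad", False),
    ("helpdesk-rdp", None, "rdp", True),    # shared login, no single owner
    ("bwong", "bwong", "ad", True),         # current employee
]
EVENTS = [  # (day, account, kind, detail)
    (date(2014, 8, 30), "jdoe", "web", "dropbox.com"),
    (date(2014, 9, 14), "jdoe-vpn", "login", "vpn"),
    (date(2014, 7, 1), "asmith", "web", "dropbox.com"),
    (date(2014, 9, 21), "helpdesk-rdp", "login", "rdp"),
    (date(2014, 9, 10), "bwong", "web", "dropbox.com"),
]
CLOUD_STORAGE = {"dropbox.com"}        # assumed watch list
REVIEW_WINDOW = timedelta(days=30)     # the 30-day period before separation

def review(separations, accounts, events):
    """Return findings as (kind, account, detail) tuples."""
    owner_of = {acct: owner for acct, owner, _, _ in accounts}
    findings = []
    for acct, owner, system, enabled in accounts:
        if owner is None and enabled:
            # Shared logins cannot be tied to a person, so they cannot be
            # revoked per employee or attributed after a separation.
            findings.append(("shared-account", acct, system))
        elif owner in separations and enabled:
            findings.append(("still-enabled", acct, system))
    for day, acct, kind, detail in events:
        left = separations.get(owner_of.get(acct))
        if left is None:
            continue  # unowned account or owner still employed
        if kind == "login" and day > left:
            findings.append(("post-separation-login", acct, day.isoformat()))
        elif (kind == "web" and detail in CLOUD_STORAGE
              and left - REVIEW_WINDOW <= day <= left):
            findings.append(("cloud-storage-in-window", acct, day.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in review(SEPARATIONS, ACCOUNTS, EVENTS):
        print(*finding, sep="\t")
```

The `helpdesk-rdp` login on 2014-09-21 produces no post-separation finding because nothing links it to a person, which is the practical reason the list advises against shared RDP credentials.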
A recent eSecurity Planet article offered several tips on how to defend against insider threats, from data encryption to data loss prevention policies.