In a recent report, a $250 million retailer in Pennsylvania got a call from the Business Software Alliance [BSA]. The BSA told them that some of their Microsoft software might be pirated. Upon further investigation they discovered not only was their software illegal but they had purchased it from a company secretly owned and operated by their IT systems administrator!
Their “trusted” employee of seven years also had a for-pay porn website running on one of their corporate servers. Plus, he had downloaded 400 customer credit card numbers from their e-commerce server. It gets worse. He was the only person with the administrative passwords.
The problems began in 2008. Microsoft traced the sale of the software to a client company’s sysadmin. When a security company started investigating, they found that the IT systems admin had sold the company more than half a million dollars in pirated software.
They also noticed that bandwidth was very high. They found a server with over 50,000 pornographic images and more than 2,500 pornographic videos.
They also did a forensic search of the employee’s machine and found a spreadsheet with hundreds of valid credit card numbers for their e-commerce site.
After discussing the findings with the company’s CFO they discovered the employee was the only one who had passwords for the core network router/firewall, network switches, the corporate VPN, the HR system, the e-mail server administration, Windows Active Directory administration, and Windows desktop administration.
So, the security team and company went to work. They scheduled the employee to fly overnight to California. This gave the teams five and a half hours to map out the network and reset all of the passwords. When the employee landed, the COO met him and fired him.
Never heard about this? Well, most companies keep these things under wraps.
Dawn Cappelli, technical manager of CERT [a program of the Software Engineering Institute at Carnegie Mellon University] stated that three quarters of companies are victimized by insiders, and the companies typically handle the matter internally.
However, by handling it internally, these companies deny other companies the opportunity to learn from the violation. CERT identified that the most common mistakes companies make are inadequate vetting during hiring, overlooking behavioral red flags, and inadequate oversight and monitoring of employee access privileges.
IT employee threats are difficult to detect. Their devious activities often look like their regular duties. These employees edit and write scripts, edit code, and write programs so nothing looks out of order. They typically know where the weakness is in the security, and know how to hide their activities.
The security firm estimated that the incident cost the retailer approximately $250-300K. This included the security firm’s fee, the short-notice flight, the legal fees against the employee, the new CIO, and the costs associated with hiring a temporary network admin. Plus, they had to make all of their software licenses legitimate.
So, what could have prevented this breach? First, one other person should have been privy to the passwords. Furthermore, there should have been a separation of duties. The employee handled both security and administrative responsibilities. So, he was monitoring himself.
The company also failed to do a solid background check on the employee. Even though the employee had a clean criminal background check, the company did not verify the credentials on his application. Some of his credentials were fraudulent.
Finally, his personality should have raised a red flag. The employee was very cocky, dismissive of others, and extremely confident. He acted like he was smarter than everyone else in the room.