Preventing external attacks to IT systems is a huge and critical task for most companies, but what are businesses doing to stop similar attacks when they come from within? That's a question that more companies should be asking themselves as internal IT sabotage cases regularly hit businesses hard, causing big monetary losses and often knocking companies offline for days or weeks.
Last week in the US, a 37-year-old former IT staff member for the subsidiary of Japanese drug company, Shionogi, pleaded guilty to remotely infiltrating and sabotaging the company's IT infrastructure this past February. The damage scrambled the company's operations for days and cost Shionogi more than $800,000 in damages, according to IDG News Service.
The former employee, Jason Cornish, logged in to the network using a hidden virtual server he had previously created, then wiped out the company's virtual servers one by one, taking out e-mail, order tracking, financial and other services, according to IDGNS and court filings. IDGNS also reported that Cronish's former boss at Shionogi refused to turn over network passwords and was eventually fired.
IT security analysts say that incidents like this should be clear reminders that companies need to be working harder to fight back against such attacks on a regular basis using basic security steps and common sense. It is key to remember that intrusion threats can come from within your corporate walls at any time, not just from outside your firewalls.
"The thing to do is to try to separate the duties out so that anything that happens would require collusion between more than one person to perpetuate fraud or do damage," says Pete Lindstrom, an analyst with Spire Security. "The way you separate this is to have proactive steps and a logging or monitoring system that will record activity to other systems. It generates their tracks."
The challenge, Lindstrom says, is that IT insiders are often experts in their departments and they know how to work around such protections. "At this stage, it's a tricky game. A really clever attacker can do a lot to hide himself."
In addition to maintaining a separation of duties, it is important to really know who your company is hiring to take on critical IT tasks. "Certainly you should be doing background checks," Lindstrom says. "If you knowingly hire someone who has a history of hacking that's a risk you need to know about."
Companies should also work hard to limit the use of IT administrator accounts that are shared between several people, he says. "It's where you can run into problems," Lindstrom says. "You should try to minimize that. Try to convince administrators that they don't really want the responsibility of all this access because every cop knows that every crime is an inside job and if something happens, they'll be an early suspect."
Clearly delineating which IT staff members have specific privileges and responsibilities is crucial to preventing inside attacks, Lindstrom says.
Dan Twing, president and COO of analyst firm Enterprise Management Associates, says several important steps can be taken by companies to guard against internal sabotage before it occurs:
1. Create and maintain good documentation for networks and resources used by broad parts of the IT department. That means having tightly-controlled records for passwords and access points, as well as clear documentation for the systems infrastructure from top to bottom, on-premises and off-premises. "There's just so much that isn't documented by IT departments," he says. "Some IT people don't write things down so they can be the hero in an emergency and swoop in to fix things, or they are too lazy to document things and they think that makes them indispensable."
2. Maintain "super administrator" access where possible so your company can maintain the highest level of control over your systems to prevent infiltration. Be sure that this is clearly documented and is controlled by only a few senior and trusted people in your organisation.
3. Have fast and clear change procedures for administrative passwords so that no worker can make system changes once they leave the company. If they need access for something, they can be given compartmentalized access which can be overseen by other trusted IT team members so they can do their work separate from the production environment. "The more of this that you do, yes, you are slowed down a bit, but you gain control," Twing says. "There's always a trade-off."
4. Use IT tools that allow you to set thresholds and alerts when there are unexpected activities inside the network to aid in the detection of possible sabotage events. "Remember that you need to be monitoring internal processes and systems as much as you are monitoring your perimeters to keep hackers out," he says. "At least you can stop something internal before it becomes big. Don't just assume that your external perimeter is the only place where bad things can happen."
Andrew Walls, a security analyst with Gartner, says the critical balance in all of this is ensuring that your IT people have the needed powers to get their jobs done while also setting limits to their overall control over the systems.
"Many organisations have this idea that IT is this arcane world and that the wizards who reside there have to always be trusted," Walls says. "That idea went away a long time ago. The same rules that govern the rest of your company's staff have to apply to your IT staff."
In the recent Shionogi case, Walls says it is ironic that the former IT worker used licensed IT tools to cause the harm from within the company. That could have been avoided if his network access had been removed immediately, within 20 minutes of his departure from the company, Walls says. "In no uncertain terms, if you terminate a person from their employment, their access must disappear immediately, not in five or 20 hours. In many organisations, they actually start removing access privileges before the person is even gone. That's what enabled this whole attack."
In the Shionogi case, Cornish had resigned after an ongoing dispute, but the company hired him back as a contractor so he could finish a project for them, according to IDGNS. That might have been a fatal mistake, Walls says.
"I worry about an organisation that says 'we don't like what this guy is doing so we're going to turn him into a contractor and then allow him to keep access,'" Walls says. "If someone can't be trusted, they shouldn't have access to your environment. What happened here to enable this to go on was that their user provisioning lifecycle was not handled well. If your system is so complicated that you cannot replace one member of your team quickly, then you have a bigger problem."
One simple way to help prevent such problems, Walls says, is for business executives and the IT staff to actually get to know each other better so they work as a team and not as separate worlds.
"The business manager needs to have personal relationship with their IT managers and know them on a first name basis," Walls says. "They need to talk with them regularly. A business needs to know when an IT person is going off the rails and the only way to do that is to have personal relationships and know each other. IT people shouldn't be treated as a 'geek squad' at a separate table but as part of the company and part of the team."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.