One malicious insider will be jailed for a revenge attack he carried out on a former employer. Brian Johnson, former sysadmin for US paper manufacturer Georgia-Pacific, pleaded guilty to Intentionally Damaging Protected Computers last February. A Louisiana court sentenced Johnson to 34 months in jail and ordered him to repay the US$1,134,828 (£909,900) of damage that his vengeance apparently caused.
The indictment reads that Johnson “knowingly caused the transmission of programs, information, code, and commands, and, as a result of such conduct, intentionally caused damage, without authorisation, to protected computers, and such conduct caused loss to Georgia-Pacific LLC, Georgia-Pacific Consumer Operations LLC and Georgia-Pacific Consumer Products LP during the one year period from February 14, 2014 to February 13, 2015.”
After Johnson was fired from his role in February 2014, he re-accessed Georgia-Pacific's systems through a VPN and spent the next couple of weeks doing upwards of a million dollars in damage. Once Johnson was in, he started messing with the industrial control systems of Georgia-Pacific's toilet paper factory in Port Hudson, Louisiana.
One day shy of two weeks after Johnson's employment was terminated, the US Federal Bureau of Investigation raided his house. Agents found a connection to his former employer's network on a seized laptop and, before long, Johnson was arrested.
This all could have been avoided if only off-boarding policies had been properly in place, Steve Armstrong, managing director of Logically Secure, told SC Media UK: “This smacks of the IT system not being recognised as being important to the organisation so off-boarding was not key. It suggests that those that remained were incompetent, as they neither blocked the VPN account nor checked the logs correctly to catch the wrongdoing. This was totally avoidable through basic checks and processes.”
Malicious insiders are relatively rare compared to the simple well-intentioned mistakes that most insiders make. Typically an insider will break security by attempting to circumvent the encumbering security policies their employer has put in place, thereby exposing their employer's data.
Malicious insiders are a far rarer phenomenon and there are few public examples. The 2014 breach of Morrisons is a notable one, though.
After IT auditor Andrew Skelton was formally disciplined for having his eBay wins delivered to his office, he leaked the details of 100,000 colleagues to Pastebin. In his resignation letter he reportedly wrote, “I have almost as little concern for the company as it does for me.” Skelton was later sentenced to eight years of jail time, and Morrisons employees are currently in the process of suing their employer for failing to protect their data properly.
Graham Mann, managing director of Encode Group UK, told SC that events like these merely highlight how security is everyone's business. Organisations need to implement policies from the top down, “that are articulated throughout the workforce, with clear responsibilities for triggering and managing individual processes”.
“When someone leaves an organisation, particularly if they have been ‘let go’, it's vital that all access rights are rescinded instantly. Corporate passwords must be changed, depending on access rights. VPN links to the individual blocked. Legal needs to ensure that system access is covered in the contractual arrangements with employees or contractors. HR has to orchestrate the entire leaving process, including the network security rights.”
The elimination of direct privileged access would also help mitigate this threat, added Brian Chappell, director of technical services, EMEAI and APAC, for BeyondTrust: “When we are focused on the external threat it's easy to forget that malicious outsiders commonly become malicious insiders, by exploiting internal accounts and privileges, once they breach the outer defences. No physical security solution relies on a single layer of defence; neither should cyber security. It's only through layers of security we can protect against failures in any single one, whether technological, process or both.”