Disgruntled Job Losers and their Insider Threat
Posted by Gunter Ollmann on September 22, 2008 at 10:54 PM EDT.
Everywhere you turn recently, you’ll encounter news of yet another round of layoffs or projections of new job losses through to the end of the year. The economic repercussions of the current global financial disaster and pending recession are casting an ever-darkening shadow over many corporations.
Just last week, while I was reading the London Metro on the Tube, the headlined story “110,000 banking jobs ‘to be lost’” claimed that 110,000 banking and finance jobs could be lost in Britain in the next year. It was based upon a report by the Hay Group, which projected that 350,000 jobs are to disappear in the UK over the next 18 months (dated 22 June 2008). Similarly, I’m seeing further US news stories of this company or that company in the process of laying off tens of thousands of employees.

The numbers are indeed scary and remind me of the dot-com crash (and a few times in between then and now) and, more importantly, the security consulting engagements that followed. The last time there were employee layoffs on this scale, I received lots of calls about recovering important data and business-critical files that had been inadvertently deleted or encrypted (and their passwords "forgotten") by the recently departed, and about needing access to locked-out systems.
At the time, it wasn’t actually that difficult to recover most of the deleted files or work around the encryption. Back then, breaking password-protected Office documents and ZIP files was a piece of cake and, in the worst case, the passwords on most other file formats could be easily brute-forced. Nowadays, I think it’s an altogether tougher situation: today’s desktop encryption tools are substantially stronger than they were at the beginning of the millennium, and more employees know how to use them.
Not only that, but strong encryption options have been added to almost every business application out there. I guess people really have been paying attention to the various regulatory compliance mandates.
For that very reason, I think that many organizations are going to find themselves in quite a bind as they layoff staff this time round.
Unlike a “quick firing”, tens of thousands of employees are readying themselves for the eventuality of losing their jobs, and no doubt a high percentage of them are (or will be) “disgruntled”. In today’s computer-based work environment, with a little planning and forethought, a disgruntled employee can do a lot of damage with little fear of being caught and prosecuted. If you don’t believe me, what about that rogue sysadmin in San Francisco? He locked management out of the network’s administrative access points and likely racked up more than $1 million in upgrades, consultants and repairs for his former employer.
“Ten-eighty-ten”
There’s an observational rule that I’ve heard about several times over the years at various cyber-crime conferences: the “ten-eighty-ten” rule. Basically, it states that 10 percent of any population will always follow the law (the goody two-shoes), 10 percent will always break the law (the criminals), and the remaining 80 percent will break the law if the probability of getting away with it is high and there’s an advantage in doing so (the opportunists).
What this means for many organizations is that the threat of impending job loss is likely to result in many employees reevaluating their terms of employment and, if they have a vindictive streak, preparing some damaging contingencies. That is to say, “insider threats” are more advanced and a higher risk than ever before.
Some of the things employers are going to have to keep a closer eye on over the next few months include:
- The unexpected changing of passwords, particularly admin-level accounts, on critical infrastructure components.
- Enablement of full-disk encryption on personal desktops and laptops – without centralized recovery key storage (key escrow).
- Restrictive ACLs on shared file systems and directories – controlled by single user accounts.
- Activation of system-level password protection – e.g. BIOS passwords.
- The use of in-file password protection of critical business documents.
- The installation of new software and unauthorized applications – which could contain backdoors and remote access functionality.
The last point is the hardest one to cover. Access to custom build-it-yourself stealthy malware toolkits is pretty easy, and they can be acquired for only a few dollars from many online shops (remember, some kits allow you to script the malware to start at a certain date/time, do its nastiness, and automatically uninstall itself afterwards to avoid detection). As such, organizations may want to ensure that hosts used by recently departed staff are taken offline immediately, backed up on to an external storage device, and completely rebuilt from trusted media before being reconnected to the network and passed on to another employee.
Most enterprises also have tools and processes to help reduce (if not eliminate) some of this impending threat. In particular:
- Monitor admin password changes and changes to disk encryption state with system event logging tools
- Implement Anomaly Detection System (ADS) monitoring of changes in access to confidential information repositories (in particular changes in data extraction sizes and their destinations, etc.)
- Monitoring and blocking of outbound communications channels – e.g. encrypted email attachments, Webmail access, etc.
- Use Data Leakage Prevention (DLP) capabilities to monitor the transfer of confidential files to removable media, and bulk personal information through Internet communication channels.
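The monitoring points above (admin password changes, disk encryption without escrowed keys, and anomalous pulls from confidential repositories) are easy to describe and easy to get wrong in practice, so here is an added worked example that is not from the original post. It is a small Python script that runs three of those checks over constructed sample log lines. The log format, the account and host names, the set of privileged accounts and the 5x volume threshold are all assumptions for illustration, not any product’s schema or a real incident.

```python
"""Three insider-threat detection rules run over constructed sample log lines.

Assumed (hypothetical) log format, one event per line:
    <date> <actor> <event> key=value key=value ...
Events used here: password_change (target=), fde_enable (host=, escrow=),
fileshare_read (repo=, bytes=). None of this is a vendor schema.
"""
import statistics
from collections import defaultdict

# Constructed sample data: alice has a normal daily baseline, then a huge pull;
# bob resets a service account's password and encrypts a laptop without escrow.
SAMPLE_LOG = """\
2008-09-15 alice fileshare_read repo=finance bytes=120000000
2008-09-16 alice fileshare_read repo=finance bytes=95000000
2008-09-17 alice fileshare_read repo=finance bytes=130000000
2008-09-18 alice fileshare_read repo=finance bytes=110000000
2008-09-19 alice fileshare_read repo=finance bytes=2400000000
2008-09-19 bob password_change target=svc_backup
2008-09-19 bob fde_enable host=LAPTOP-17 escrow=no
2008-09-19 carol fde_enable host=LAPTOP-22 escrow=yes
2008-09-19 dave password_change target=dave
"""

# Assumed list of accounts whose password changes always warrant review.
PRIVILEGED_ACCOUNTS = {"svc_backup", "Administrator", "root"}
# Assumed threshold: flag a day whose volume exceeds 5x the user's prior median.
BYTES_FACTOR = 5.0


def parse(text):
    """Turn the assumed line format into a list of dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"date": parts[0], "user": parts[1], "event": parts[2]}
        for kv in parts[3:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def check_privileged_password_changes(events):
    """Rule 1: any password change against a privileged account."""
    return [
        f"{e['date']} {e['user']} changed password of privileged account {e['target']}"
        for e in events
        if e["event"] == "password_change" and e.get("target") in PRIVILEGED_ACCOUNTS
    ]


def check_unescrowed_fde(events):
    """Rule 2: full-disk encryption enabled without a recovery key in escrow."""
    return [
        f"{e['date']} {e['user']} enabled full-disk encryption on {e['host']} without key escrow"
        for e in events
        if e["event"] == "fde_enable" and e.get("escrow") != "yes"
    ]


def check_bulk_extraction(events, factor=BYTES_FACTOR):
    """Rule 3: per-user daily volume from repositories vs. that user's own history.

    The median of prior days is used as the baseline so one earlier spike does
    not mask a later one; users with fewer than three days of history are skipped.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "fileshare_read":
            per_user_day[e["user"]][e["date"]] += int(e["bytes"])
    alerts = []
    for user, days in per_user_day.items():
        dates = sorted(days)
        if len(dates) < 3:
            continue
        latest = dates[-1]
        baseline = statistics.median(days[d] for d in dates[:-1])
        if days[latest] > factor * baseline:
            alerts.append(
                f"{latest} {user} pulled {days[latest]} bytes vs prior median {int(baseline)}"
            )
    return alerts


def run_all(text=SAMPLE_LOG):
    """Run every rule and return the combined alert list."""
    events = parse(text)
    return (
        check_privileged_password_changes(events)
        + check_unescrowed_fde(events)
        + check_bulk_extraction(events)
    )


if __name__ == "__main__":
    for alert in run_all():
        print("ALERT:", alert)
```

Against the constructed sample the script raises exactly three alerts: bob’s reset of svc_backup, bob’s unescrowed encryption of LAPTOP-17, and alice’s 2.4 GB pull on 2008-09-19 against a prior median of 115 MB. Carol’s escrowed encryption and Dave changing his own password are correctly ignored. The point of the per-user median baseline is that a departing employee’s “normal” is the comparison, not a single organization-wide number that a light user could stay under while still walking out with everything they have access to.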
There are of course many additional things you can try to help monitor the situation and help reduce your exposure, but two final pieces of advice (found out the hard way):
- Make sure you get all the passwords (and passphrases) from the employee before they depart and verify, there and then, that those passwords actually work. Test them out!
- Disable or cancel all accounts that belong to the employee the moment you escort them from the building, and make sure you know all the accounts they had access to (you don’t want them connecting back in over the wireless network).
It’s a gruesome time for all concerned, but the risk of a disgruntled employee derailing your business after they depart is a clear and present danger.

