In the past few weeks, there has been a lot of discussion in the media about Jason Cornish, an IT administrator who had worked for drug-maker Shionogi and who caused over $800,000 in damages simply by accessing resources with his logon credentials to wreak havoc after being laid off. Insider abuse makes up as much as half of all attacks, as discussed in an earlier blog article. Unfortunately, in a landscape of hacktivist groups who publicize their work, the insider threat is seldom mentioned or discussed – one has to wonder why this is the case.
Hacktivist groups are often trying to make a point by defacing a website or stealing data only to disclose it in an embarrassing fashion. Insiders, by contrast, do not want their work to be known, because they have a much harder time hiding their identity. They want to make a statement or exact revenge for wrongs, perceived or real. In either case, the attacked organization will be reluctant to publicly disclose an attack, so it is often left up to the attacker to make their work public.
With so much attention on the exploits of hacktivists, it is easy to keep focusing on perimeter services (webservers, databases, firewalls, etc.) and to keep ignoring internal services, which are much easier to abuse. In the case of Jason Cornish, he did not need zero-day exploits or sophisticated rootkits; he simply used his administrative credentials. Too often organizations fail to control administrator credentials through regular cycling of passwords, changing of passwords when an employee leaves, and audits of which credentials are actually used. IT administrators are the most powerful individuals in an organization's information systems, in that they can often access more computers and data than the executive staff. Who is watching the gatekeepers?
Most IT professionals will agree that passwords need to be cycled, privileged access needs to be audited, and credentials revoked when an employee leaves a company. Unfortunately, these practices are applied inconsistently for lack of process, tools, or discipline. How many systems have had the same local administrator account password for years? How do you know your “trusted” IT administrator isn’t logging into his HR specialist’s laptop using that same account to see the salary information of his peers and boss?
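One way to start answering both of those questions on a single Windows host is to check the age of the built-in local Administrator password and list the interactive logons made with that account. The following is an added example written for this post, not Arellia's code; it assumes Windows PowerShell 5.1 or later with the LocalAccounts module, an elevated session that can read the Security log, and a 90-day password-age threshold chosen here as an assumption.

```powershell
# Added example (not Arellia's code). Audits the built-in local Administrator:
# password age, and console (type 2) / RDP (type 10) logons recorded as
# event 4624 in the Security log. Run elevated on the host being audited.
function Get-LocalAdminAudit {
    param(
        [int]$MaxPasswordAgeDays = 90,   # assumed policy threshold
        [int]$LookbackDays = 30          # assumed audit window
    )

    # The built-in Administrator always has RID 500, whatever it is renamed to.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    $pwdAge = if ($admin.PasswordLastSet) {
        (New-TimeSpan -Start $admin.PasswordLastSet -End (Get-Date)).Days
    } else { $null }   # never set since creation: treat as stale below

    # Successful logons (4624) within the lookback window.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    $logons = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        # Match on the SID rather than the name, and keep only the logon
        # types a person at a keyboard or an RDP client would produce.
        if ($d.TargetUserSid -like '*-500' -and $d.LogonType -in @('2', '10')) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                LogonType   = $d.LogonType
                SourceIp    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        }
    }

    [pscustomobject]@{
        Account           = $admin.Name
        Enabled           = $admin.Enabled
        PasswordAgeDays   = $pwdAge
        PasswordStale     = ($null -eq $pwdAge) -or ($pwdAge -gt $MaxPasswordAgeDays)
        InteractiveLogons = @($logons)
    }
}

Get-LocalAdminAudit | Format-List
```

Run the same function across a fleet (for example via Invoke-Command) and a PasswordAgeDays value in the thousands on every host is the "same password for years" problem made visible, while the InteractiveLogons list on a specific laptop shows who has been using the shared account there.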
Arellia has seen many organizations with stories similar to that of Shionogi. We have heard stories of administrators gone astray and abusing their privileges. We have heard stories of computers that have had the same local administrator password for 10 years. This is a real problem, which is why we built Local Security Solution. Insider threat is real and it costs real money.