Of Monty Python and Insider Threats
For those of us old enough to remember, the classic comedy show Monty Python's Flying Circus had a series of skits parodying the Spanish Inquisition. The catchphrase “Nobody expects the Spanish Inquisition!” was declared to explain the surprise when the trio of inquisitors suddenly appeared. I always think of this exclamation when I read about a company being pwned by a malicious employee. No one expects the insider!
But the larger question is “why not?” Why is everyone still so shocked when a business is exploited through the efforts of a bad employee? At some point it must be expected: you are going to be attacked from the inside. And shame on you if you fail to take any proactive steps to prevent it.
The most recent sensational insider threat story comes from the digital game provider Roblox. Allegedly, an employee was paid to provide access to Roblox records, including the backend customer service panel and player accounts. Joseph Cox has written a full exposé for Motherboard (Vice).
The attacker provided several different stories explaining how he/she gained access, but initially (and probably most accurately) claimed it was through targeting customer support representatives. How were these employees identified? You don't even have to wait for it: LinkedIn. The social engineer's phonebook, LinkedIn is a quick and easy way to identify corporate employees and their job functions. The attack is as easy as identifying a dozen or so employees of the company and sending an email offering a handsome reward for access. It only takes one disgruntled or down-on-their-luck employee to burn the house down.
Employees need access to critical systems to do their jobs. A business can't afford to directly monitor every employee, nor should it. There has to be some level of trust or the employee-employer relationship completely breaks down. This is why every corporate entity that deals with customer data and finances needs a robust insider threat program.
To take a phrase from politics, “Trust, but verify.” Audit, audit, and audit again. Monitor systems so that when data goes missing or is inappropriately released, it is clear where it came from and who last touched it. Businesses can't always stop a malicious insider from executing a planned attack, but they can be diligent in attribution and punishment. Send the message to employees: we trust you to do your job, but we have systems in place to catch those who violate that trust.
Employee monitoring is also a necessary task to prevent an attack from the inside. It stinks of Big Brother, but it doesn't have to be so overtly Orwellian. Good people policies are the best defense. Take notice of employees who have a sudden mood swing, a change in attitude, or show obvious financial distress. A business should be caring for its employees anyway, and offering services for those going through troubled times is the right thing to do. While the main goal of documenting these observations should be to get the employee help and services, the information should also be passed along to the insider threat program. A dedicated, financially secure employee who loves her job is not going to sell network access to a hacker. The recently divorced father of three who has been written up twice in the past month and seems to spend way too much on his DraftKings account probably will.
No one expects the Insider. But you should expect the Spanish Inquisition!