Inside job: How to keep ex-employees from hacking into your business | Crain's Sacramento

A cyberattack upon Sacramento Regional Transit’s databases in November 2017 caused no lasting damage, but did raise the question of whether the hacker got inside help. | Crain National photo by Jim Watkins.

At first, it sounded like a joke: Last November, on Sacramento Regional Transit’s home page, were the words: “I’m sorry to modify the home page, i’m good hacker, i I just want to help you fix these vulnerability. This is one of the loopholes, modify the home page...”

The next day, after SacRT technicians attempted to reset the page to normal, the agency received another odd message at its Facebook site: “hello, I will always attack your website, we are hackers. we can do everything. Pay us now to stop attacking.”

According to SacRT General Manager Henry Li, the hacker managed to erase about 30 percent of RT’s database. The impacted files were for computer programs that handled internal operations, such as the agency’s ability to assign buses for routes and allocate employees to RT locations.

The hacker wanted one bitcoin – worth about $8,000 at that time – or another attack might occur. SacRT refused the extortion attempt because it had already backed up all of the data, Li notes. “SacRT follows a rigorous protocol when it comes to backing up files,” the GM said during an online chat. “There was no significant data loss.”

Ultimately, the only major drawback was riders’ ability to pay. Full service was restored within a few days.

The hacker’s identity and how they got into SacRT’s system remain unsolved. “One logical explanation is that this may have been an inside job,” says J.P. Buntix, Bitcoin writer for online cryptocurrency publication The Merkle. “The bigger question is why anyone would attack SacRT and not do any damage in the process. It also makes one wonder how the criminals were able to access these critical systems in the first place.”

Stories like these are not uncommon. According to IBM’s X-Force Threat Intelligence Index, 60 percent of all data breaches are actually triggered by current employees or by former workers who were not properly discharged. Three-quarters of the attacks are malicious in nature. The others are typically unintentional, IBM says.

A 2017 survey by identity management software maker OneLogin reveals that nearly half of all ex-employees at large IT corporations retain access to their email and other systems long after they have left the company. Twenty-five percent of 500 IT-based decision makers surveyed said that access was still valid more than a week after the worker’s departure.

In addition, nearly 48 percent of respondents knew of former employees who still had access to corporate applications, and 20 percent said the failure to “deprovision” workers had resulted in a data breach at their company.

“The bottom line is that companies aren’t following very basic but essential security measures around employee provisioning and deprovisioning,” says Alvaro Hoyos, OneLogin’s chief information security officer. “This should be a cause for concern among business leaders, especially considering how many data breaches are caused by ex-employees.”

Security risk

Such was the case with former KTXL Fox40 employee Matthew Keys, who in 2016 was sentenced to two years in federal prison for helping hackers break into Tribune Media Co.’s news server to alter stories. Tribune Media owns the Sacramento television station. Keys, who was the station’s social media producer, has maintained his innocence.

Although the crime potentially carried a much longer sentence, U.S. Attorney Benjamin Wagner said at the time of sentencing that Keys’ actions caused no lasting damage to Tribune Media. “This was simply a case about a disgruntled employee who used his technical skills to torment a former employer,” Wagner said.

Not everyone is as lucky. Sacramento-based Sutter Health has endured a series of data breaches over the past 20 years involving exposure of patient personal records. The worst took place in 2011, when a password-protected but unencrypted desktop computer with access to data for 4 million patients was stolen from the company’s administrative offices. The theft appeared to involve someone who knew exactly where to go to obtain the machine, according to published reports.

That resulted in a $4 billion class action lawsuit by patients, alleging that Sutter had failed to properly protect the data. The suit was dismissed in 2014 because the plaintiffs could not prove that any unauthorized persons had actually seen the information, according to the California Third District Court of Appeal. The PC had never resurfaced since its disappearance and “may well have been wiped clean,” with the thief never looking at its contents, the court noted.

Still, Sutter Health began a series of upgraded data security procedures, according to communications director Nancy Turner. Those included encryption of all company computers – an event that was underway during the laptop theft – and cloud-based data storage. There was also an immediate effort to inform patients of the breach, including how to learn if their records were among those compromised, Turner says. This policy is a Sutter standard today.

As a result, Sutter Health has been recognized as one of the “Most Wired” hospitals by the American Hospital Association in 2015, 2016 and 2017, according to AHA President and CEO Rick Pollack. Such hospitals “are using every available option to create more ways to reach patients and provide better and more-secure access to care,” Pollack says.

Who do you (not) trust?

Insider threats are usually a surprise to companies because they typically focus on intruders from the outside, according to IT threat management firm Trustwave. The company’s annual Security Pressures Report notes that a major reason for the oversight is that businesses simply trust their personnel. There’s also the fact that the data leakers are often the persons who are supposed to have regular access to the information, such as IT security specialists. No alarms will go off if the data is accessed, the study notes.

To help prevent unauthorized release or loss of data by employees, experts such as international IT legal firm Seyfarth Shaw, whose offices include one in Sacramento, and data security firm Fair Warning recommend better oversight of employees’ actions. Potential “red flags” among workers include:

  • The too “Eager Beaver.” This employee has many connections and is always looking for ways to get ahead. This can mean jumping ship at the first chance and heading to a competitor with some valuable inside intel.
  • The No-Rules Executive. This is the old-timer who flies above the rules because they’ve “always been right” with the way they’ve done things. It’s also the person who is likely to forget to encrypt the confidential email that gets intercepted by a malicious user.
  • The quiet type. This is the employee that isn’t seen or supervised much, and perhaps isn’t a true employee but a contractor, but has connections to the company’s inner workings. Such a worker can also be someone who is streaming confidential data to a personal laptop at home.
  • The well-intentioned new hire. Eager to make a good first impression, this neophyte could innocently forget to encrypt email, click on a phishing link, misplace an access badge, or even accidentally delete crucial content from a server.
  • The disgruntled ex-employee. A worker who feels they have been let go for unfair reasons could turn out to be one who retains access to the company’s network, then finds a buyer for its data.

Out with inner intruders

So, how does a company prevent intrusion by an internal hacker? There’s no foolproof way, but there are ways to reduce the odds, according to IT support provider Digital Guardian:

  • Establish an “acceptable use” policy. Define what is and is not acceptable use of the company’s data. Emphasize that the organization has the right to monitor all activity, personal or private, on company-provided equipment and on corporate networks. Remember to train employees on this policy and make them sign a statement acknowledging their training. And, make sure the training is refreshed at least annually. “The acceptable use policy is the police car with a radar detector,” the company notes. “It causes employees to slow down and consider their actions.”
  • Remove temptation. Protect sensitive information with passwords or multi-factor authentication, and encryption. Only provide employees with access to applications and data as required by their positions. Remember to terminate accounts that are not required for employee duties.
  • Make sure employees are easily able to report suspicious activities. Train employees to spot unusual occurrences such as a coworker who complains more or is less cooperative than previously, generally seems unhappy with their job, or starts taking proprietary items home. Offer a way for eyewitnesses to quickly – and quietly – report such events.
  • Be vigilant when an employee leaves the company. Any departing employee, even those leaving a company on good terms, may be tempted to take information with them to their next job, DG notes. Terminate all employee accounts as soon as the employee leaves, remove them from all access lists, and collect any company property and access tools that they were given during their tenure. And, remind them of their legal responsibilities for data confidentiality as per any employee-signed confidentiality agreement.
February 11, 2018 - 10:33pm