Rogue staff favour IT sabotage

Australian defence and national security agencies have been warned not to overlook the threat of IT sabotage as they focus on preventing high-profile cyber attacks and theft.

According to Carnegie Mellon University's CERT Insider Threat Centre, half of US organisations suffered at least one malicious insider attack in the past year. 

IT sabotage was the most frequent threat from insiders, said the centre’s technical manager Dawn Cappelli at the Cyber Security Summit in Canberra last week.

“IT sabotage is often overlooked,” she said. “Everyone seems concerned about theft and cyber attacks exfiltrating their critical information.

“That is definitely a big threat. But IT sabotage is very easy for a technically adept insider to carry out.”

Cappelli said one third of IT sabotage attempts were perpetrated by insiders, either intentionally or unintentionally.

She highlighted Vitek Boden, a disgruntled former employee of a SCADA software vendor who hacked into the waste management system of Queensland’s Maroochy Shire in 2000.

Boden was hired by a contractor to supervise the installation of a SCADA system for a sewer system with some 150 pumping stations.

He applied for a job at the area’s Council but was rejected. After that, the Council’s sewer pumping stations began experiencing apparent malfunctions, releasing 264,000 gallons of raw sewage into local rivers and parks.

Over time it became clear that intentional disruptions were behind alarms being turned off, loss of communications, pumps not activating at appropriate times and the release of raw sewage.

Police found that Boden had a copy of Council’s SCADA software, and was able to control the system from his car using a laptop, a data radio from his former employer and one of their local processors.

In 2001 Boden was sent to prison for two years.

Cappelli said her organisation had some 150 case studies of such insider threats and Boden showed a classic pattern of the disgruntled insider.

“They are very technical users. They are upset about some matter. It may be financial. It may be a new boss, they don’t like,” she suggested.

“Technical people can be very picky about the work they do. Something makes them angry.”

Cappelli said rogue employees were typically those who were demoted and eventually fired, or those who quit over conflict in the workplace.

She said they were motivated by revenge, typically established means for an attack before leaving the company.

“They create a way they can get back into the organisation and attack later or they set up the attack with malicious code before they leave,” she said.

Cappelli urged chief information officers to consider how they should handle any privileged contractors who were on the HR radar.

“Do you recognise they may represent an increased risk? If you do realise that risk, do you know what to do about it?”

She said it was important to have policies, processes and the technical measures to review what those insiders were doing. Creating backdoor accounts was very common, she said.

“What code have they been writing? What have they downloaded from the Internet such as hacker tools?”

Several IT security breaches involving rogue employees have been reported in recent years but Cappelli indicated that three quarters of insider attacks were handled internally.

“They don’t want people to know about it. They just quietly fire the person. They don’t want the publicity. They don’t want their competitors or shareholders to know,” she said.

Highlighting the CERT Insider Threat Centre’s Common sense guide to detection of insider threats (pdf), she noted four distinct kinds of insider threats, each characterized by a common set of circumstances:

• IT sabotage from slighted employees or contractors
• Theft of organisations’ intellectual property or trade secrets
• Insider fraud
• National Security espionage

Cappelli said that recent Australian workshops suggested the patterns emerging were broadly similar to those in the US.