Friday, October 23, 2015

Insider threat plea deal

The US DoJ has released information about a case in which a suspect recently took a plea deal.  The individual, Chris Woods, was let go from his workplace in January 2014.  The victim company (unnamed in the press release) smartly terminated his access.  However, when firing developers (or anyone who works in IT), you have to take extra precautions.  In this case, the fired employee was a web developer.  He may have been able to gain access to the credentials of others with little effort, particularly if the organization was using federated authentication.

Mr. Woods used the credentials of another employee without their knowledge or consent and caused more than $61,000 worth of damage to the victim organization.  I was previously unaware that you could be prosecuted without the victim organization being named, but apparently that is true here. The press release specifically does not name the victim.  However, it probably provides enough information to determine who the victim is.

MFA could have helped
There are a few interesting things I'd like to point out about the case.  First, insider threats are very serious.  It's good that the victim company had a policy to terminate access when the employee was terminated.  That's a good place to start.  But they didn't count on the employee having other credentials.  These credentials may have belonged to another employee, or may have been a shared account to which Mr. Woods had access.  If it were a shared account, it should not have been remotely accessible.  However, if it were the account of another employee, multi-factor authentication could have prevented the entire incident.  Of course, with IT employees, even MFA can't eliminate all risks.  IT employees have the technical chops to plant beaconing backdoors or even register their own MFA tokens on the accounts of others.  In short, while MFA provides good defense in depth, don't assume that MFA is a silver bullet.

Terminating Access
At Rendition Infosec, we advise that clients should have two procedures for terminating access - one for general employees and another for those who work in IT or have other elevated permissions.  For the latter group, the risks are increased and the response should be as well.  Anything less is inappropriate for the circumstances.  In organizations where the IT user had access to group accounts (stop using group accounts please) or service account credentials, plans for those to be changed should be part of the employee termination process when possible.
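The two sections above describe the same set of failure modes from the defender's side: a departed account still being used, an MFA token registered on a colleague's account by someone else, a login on that colleague's account afterwards, and a shared or service account the departed user knew that was never rotated. The script below is an added example (not code from the post, from Rendition Infosec, or from the DoJ case) that checks a small set of constructed JSON-lines authentication events against an offboarding record. The log format, the field names (`ts`, `type`, `user`, `actor`, `result`), the account names and the dates are all assumptions made for the example.

```python
import json
from datetime import date, datetime, timezone

# --- Constructed sample data (assumption; not from the DoJ case in the post) ---
# Departed users and the date their access was supposed to be terminated.
TERMINATED = {"jdoe": "2014-01-15"}
# Shared or service accounts whose credentials the departed user knew.
SHARED_KNOWN_BY = {"jdoe": ["svc_deploy", "webadmin"]}
# Date each shared account's password was last rotated.
LAST_ROTATED = {"svc_deploy": "2013-11-01", "webadmin": "2014-01-16"}

# Constructed JSON-lines authentication events (one object per line, not in time order).
SAMPLE_EVENTS = """\
{"ts": "2014-01-10T09:00:00Z", "type": "login", "user": "jdoe", "result": "success", "src": "10.0.0.5"}
{"ts": "2014-01-20T22:14:00Z", "type": "login", "user": "jdoe", "result": "failure", "src": "203.0.113.9"}
{"ts": "2014-01-21T03:02:00Z", "type": "mfa_enroll", "actor": "jdoe", "user": "asmith", "device": "totp"}
{"ts": "2014-01-22T01:40:00Z", "type": "login", "user": "asmith", "result": "success", "src": "203.0.113.9"}
{"ts": "2014-01-22T01:45:00Z", "type": "login", "user": "svc_deploy", "result": "success", "src": "203.0.113.9"}
{"ts": "2014-01-09T08:00:00Z", "type": "mfa_enroll", "actor": "asmith", "user": "asmith", "device": "totp"}
"""


def parse_events(text):
    """Parse JSON-lines events, convert timestamps to aware UTC datetimes, sort by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def stale_shared_accounts(terminated=TERMINATED, shared=SHARED_KNOWN_BY, rotated=LAST_ROTATED):
    """Shared accounts a departed user knew whose password was not rotated on or
    after that user's termination date. Returns {account: departed_user}."""
    stale = {}
    for user, accounts in shared.items():
        if user not in terminated:
            continue
        term = date.fromisoformat(terminated[user])
        for acct in accounts:
            if acct not in rotated or date.fromisoformat(rotated[acct]) < term:
                stale[acct] = user
    return stale


def check_offboarding(events, terminated=TERMINATED, shared=SHARED_KNOWN_BY, rotated=LAST_ROTATED):
    """Return (rule, user, iso_timestamp) findings, in time order."""
    findings = []
    stale = stale_shared_accounts(terminated, shared, rotated)
    foreign_enrolled = set()  # accounts whose MFA device was enrolled by someone else
    for ev in events:
        user = ev.get("user")
        day = ev["ts"].date()
        stamp = ev["ts"].isoformat()
        is_login = ev["type"] == "login"
        ok = ev.get("result") == "success"
        # 1. Any login attempt (success or failure) on a terminated account strictly
        #    after its termination date: access removal failed or is being probed.
        if is_login and user in terminated and day > date.fromisoformat(terminated[user]):
            findings.append(("terminated-account-login-attempt", user, stamp))
        # 2. MFA device enrolled on an account by a different actor. Admin-assisted
        #    enrollment exists, so review rather than block, but an IT user registering
        #    a token on a colleague's account defeats MFA for that account entirely.
        if ev["type"] == "mfa_enroll" and ev.get("actor") != user:
            findings.append(("mfa-enrolled-by-other-actor", user, stamp))
            foreign_enrolled.add(user)
        # 3. Successful login on an account that had a foreign MFA enrollment:
        #    the "credentials of another employee" path described in the post.
        if is_login and ok and user in foreign_enrolled:
            findings.append(("login-after-foreign-mfa-enroll", user, stamp))
        # 4. Successful login on a shared/service account the departed user knew
        #    and that was not rotated after their termination.
        if is_login and ok and user in stale and day > date.fromisoformat(terminated[stale[user]]):
            findings.append(("unrotated-shared-account-login", user, stamp))
    return findings


if __name__ == "__main__":
    for rule, user, stamp in check_offboarding(parse_events(SAMPLE_EVENTS)):
        print(f"{stamp}  {rule:34}  {user}")
```

On the constructed data the script reports four findings: the failed login on the departed account after its termination date, the TOTP enrollment on `asmith` performed by `jdoe`, the successful login on `asmith` that follows it, and the login on `svc_deploy`, which is the one shared account not rotated after the termination date (`webadmin` was rotated the next day and is not flagged). Rule 2 is the one worth wiring to an alert regardless of terminations, since it is the MFA bypass the section above warns about; rules 1 and 4 are the checks an IT-specific termination procedure should be able to answer on the day access is removed.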

OSINT Exposure
DoJ shouldn't assume that just because they release redacted information that others can't follow the leads.  First off, the target area isn't very large.  The press release says Winchester, VA.  Second, the perpetrator's name and profession are proudly listed in the press release.  A disproportionate number of information technology professionals use LinkedIn and other social media sites (and the terminated employee is part of this demographic).  We do social media exposure analysis for companies all the time, but this one was ridiculous.

A single LinkedIn search looking for "Chris Woods" who was employed in Winchester, VA as a web developer but terminated employment on or about January 2014 turned up the victim organization in minutes.  I called the victim organization's media relations department to ask if they would confirm or deny their involvement, but I haven't received a response.  This is the part where my lawyer would probably advise not to name them since I have nothing conclusive.  And I'll take his hypothetical advice by not naming them.  You can probably figure out the victim as well, but I'll leave that to you in case you care.  I will say that if I'm right, there may have been regulatory reporting requirements on the victim's part - depending on what information the developer accessed illicitly.
