SANS ISC InfoSec Handlers Diary Blog


Is the Insider Threat Really Over?

Published: 2011-04-26
Last Updated: 2011-04-26 21:45:06 UTC
by John Bambenek (Version: 1)
7 comment(s)

There has been a bit of press lately about how external threats are overtaking internal threats in the near term.  Traditionally it has been viewed that internal threats (i.e. disgruntled employees) pose a greater threat to an organization than outsiders.  In reality, the lines are blurring, but external attackers are becoming more sophisticated in their attacks.  That said, I was made aware by a coworker of an interesting controversy emerging from South Korea.  In essence, one of their major banks was offline and unable to process any transactions for several days.  Around April 12, customers were unable to perform ATM transactions, online transactions or any in-bank transactions for about a day.  For several days afterwards, transactions were highly unreliable.  In short, this bank (Nonghyup Bank, NH Bank) basically suffered a catastrophic system failure.

According to reports, a contractor from IBM had his laptop infected, which in turn successfully attacked about 60% of the bank's infrastructure and crippled its ability to do business.  The running controversy is whether this was an insider attack or whether someone compromised a contractor and used his laptop as a beachhead to get into the bank.  That investigation is playing out and we'll see where that goes.  From what I can tell (and that's limited because... well... I don't speak Korean), a contractor's laptop was compromised, Chinese IP addresses were involved (for those of you who know the geopolitical history, that is entirely unsurprising), and there are 300,000 some odd complaints from people who could not get their money and are in various states of displeasure.

Like I said, the investigation is ongoing and who knows what really will happen.

Disclaimers aside, my first thought was the IMF incident which ultimately led to the spectacular collapse of Satyam. Maybe that's not the case here, but I do know that when I've applied for contractor positions at pretty big firms, I've been appalled by how easy it would be to game the system and, for that matter, how easily the system has been gamed.

In this particular case, there had been a non-trivial number of incidents that should have served as warning signs for internal controls.  My personal favorite expression regarding the failures of this bank and how they responded (after it became catastrophic) is that they started a 2011 training session with "a highly critical self-reflection and atonement".  Maybe I'm odd, but I find that expression humorous.

Ultimately, an organization's security is determined by whom it trusts to run the shop.  If all you do is a phone screen (which may or may not be with the actual person who is going to start the job the following Monday), you may be asking for trouble.

What are your thoughts?  How important is it to consider the insider threat and to vet your contractors and employees?

Background:

IEEE: South Korean NH Bank's Week-Long System Failure That Affected 30 Million An Inside Job? 

Korea Times: Chinese IPs linked to Nonghyup crash

The Dong-A Ilbo: "Nonghyup Bank averaged 2 financial accidents per month"

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting
