Wednesday, May 27, 2009

The Insider Threat

Simon Potts wasn't happy with his job. He was what they call a 'disgruntled employee'. After ten years working for KPJ Industries, as a loyal employee, he has rarely been recognized for doing a good job. He has been passed over for promotion, and this year he knows that his raise was smaller than other employees. He was mad that co-workers were showing up late for work, taking on much less of a workload, and still getting a bigger raise than he was. He deserved more, but his boss had it out for him. Bob, the office manager, always seemed to resent Simon's ability, and Simon was sure he spoke ill of him to other managers. Simon realized this was a dead-end job, and his days were numbered. It was time for him to take what he deserved, and then quit. That would be satisfying, and when he sold the customer database to a competitor, it would teach them a lesson. At least, this was the rationale Simon used when he decided to steal a sensitive customer database, with credit card numbers, from KPJ Industries in November, 2008.

Simon Potts was viewed by his management as a nice guy, but they didn't feel he was motivated. He took on a lot of work, but had a hard time completing projects on time. So, when the new year came along, Simon was given a score of "meets requirements" in his performance review. His manager tried to explain how Simon could do better, but he felt that no matter what he said, Simon took it too personally. There were signs that Simon was a disgruntled employee, but the company had no training for managers on how to identify and deal with disgruntled employees.

On November 11th, 2008, Simon notices his manager has gone to lunch and left his office unlocked. Simon has been planning for some time, and finally worked up the nerve to walk into Bob's office. He closed the door behind him and quickly moved to Bob's desk. The computer was unlocked. The company security policy locked the screen after thirty minutes, so it was pretty common to find co-worker's computer unlocked over lunch. Simon inserted a USB thumb drive and installed a keystroke logger, KSL.exe. Now, everything that Bob typed would emailed once a day to Simon. Simon was sure this would expose how his management talked about him behind his back. He would take Bob's passwords and gain access to the company CRM database, which contained sensitive customer information, such as credit card numbers, email and home addresses.

Simon returned to his desk, confident that he would quickly have what he wanted, and then he would remove the keystroke logger and quit. In the meantime, he spent his lunch using search engines to find prospective buyers for the database he hoped to acquire.

In the first day, Simon had Bob's passwords and he used this to log into Bob's email from his computer. He read through past mail, looking for some evidence that Bob really had a grudge against him. Maybe he would find evidence that he could use to sue the company, and make a few extra bucks. He didn't find anything, but got into the habit of reading Bob's email every day that week. Meanwhile, Simon found some people who were willing to pay several thousand dollars for the customer database. It was the day before Thanksgiving, and the company would be closed for four days. This was when Simon had planned to steal the database. He logged onto the CRM web interface and gave the command to save a copy of the entire database to his USB thumb drive. The job took 45 minutes, but he wasn't concerned, there was almost nobody left in the office that afternoon. He locked his desk, took the USB thumb drive and put on his jacket. With a smile on his face, he headed for the front door.

Simon thought he was clear and free, as he reached for the door, but that is when the security guard stepped out and stopped him. Simon's mind raced, he was sure it was nothing. After all, he had deleted the KSM program from Bob's computer, and he doubted they had any evidence of wrongdoing. That's when the police showed up, with Bob and the HR manager. Simon realized this wasn't going to be a very good Thanksgiving holiday after all.

As it turns out, Simon's trickery had not gone unnoticed. The first sign that something was wrong, was when Bob went into his email the day after Simon installed the keystroke logger. Usually, new mail was marked as unread, and for some reason, it was marked as read. In fact, for three days Bob noticed the same thing. Once in a while, during the day, he would see email come in as unread and before he had a chance to get to it, it would get marked as read. Bob called the help desk and they directed him to the company security team. It was clear that someone else was reading Bob's email and they began a computer forensics investigation.

The computer forensics investigator started with what they knew: someone was reading Bob's email. They went to the email team and found that two computers at different IP addresses on the network were accessing his account at the same time. It was easy to see who the culprit was, however, it would not be wise to confront Simon at this time. In order to convict Simon, or just to prove Simon was really breaking security policies so he could be fired, they would need to be careful in gathering evidence. They would need to follow the company's process for computer forensics investigations. The most important thing in an investigation is to ensure that the evidence is properly gathered and not altered. In court, they might have to prove they did not tamper with log files.

The next step was to ask the network team to capture traffic from Simon's computer. They attached a logging device to the span port on the switch that Simon's computer was directly wired to. On Bob's computer, they made a cloned copy of his hard drive, using the computer forensics 'rig' that would ensure an exact copy was made. Bob's original hard drive, and a copy were kept for the investigation, and another copy was replaced in Bob's computer so he could continue working. A search showed that a keystroke logger has been installed, but was later removed. Simon did uninstall the program, but he forgot to clean up the system logs that showed what he had done, and when.

At night, after Simon went home, the investigator did something similar with the hard drive in his workstation. He made a cloned copy, that later showed what Simon had been doing. The forensics investigation of Simon's hard drive clearly showed that he had been web surfing (through the company web proxy) and reading email using Bob's credentials. At this time, Simon had not stolen the customer data, and before leaving work each day, Simon cleared his browsing cache. The forensics software was able to find deleted files and show that Simon was not only reading Bob's email, but also shopping for a buyer for the customer database he planned to steal.

With strong evidence of wrongdoing, the computer forensics investigator worked with the database team to watch for a login from Bob's account. Simon did not have the authorization to dump the entire database, but Bob did. It was obvious that Simon wanted to not only steal the data, but frame Bob for the theft. When Simon logged on and started the download, that is when the HR manager called in the police. Everyone was waiting at the front door, for Simon to attempt to leave with the database. When the police found the USB thumb drive, they had the evidence they needed.

Simon was taken downtown, to the police headquarters, where he was interrogated. Simon thought he could blame it all on Bob. He tried to explain that he caught Bob stealing the data, and he was going to the HR manager with proof. When the police listed all the evidence the computer forensics investigation uncovered, Simon admitted what he had done and pleaded guilty.

If this case had been different, and gone undetected until Simon left with the data, the company could probably still have proven that he was the culprit, after the fact, but some of the data would have been missing and they would not have been directly logging his network traffic. Still, his sloppy actions got him noticed sooner on, and the company was able to protect their data and catch Simon in the act.

In a recent Computerworld survey (2/24/09), it was shown that 60% of US workers steal company data when they leave. Technical employees are more likely to do sabbotage than less technical employees, who typically try to steal data, to leak or sell to competitors, in ways very similar to what Simon did. This emphasizes the importance of having authorization rules for who can access data, having good security logging and auditing those logs. Often, sensitive data must follow the protection guidelines of regulations, such as HIPAA, GLB, PCI or Sarbanes-Oxley. This case also shows the importance of having a well-defined computer security forensics process in place.