An Infosec Prediction: More Human-Based Attacks
By Daniel Miessler on April 6th, 2008: Tagged as Information Security | Security

As those performing attacks against corporate IT assets become more professional, we're going to start seeing more of the following types of attacks:
- Bribery
- Extortion
- Blackmail
Think about who’s increasingly behind the information security attacks these days, and think of how they could more effectively attack an organization given large amounts of money and their willingness to engage in standard, physical crime.
The Problem
How hard is it to find out who works in IT in a large organization? How difficult would it be to make contact with someone who can disable or modify the anti-malware systems at one of these Fortune 500 companies? And what would happen if someone with an Eastern European accent offered Bob, the mediocre (but dangerously knowledgeable) IT guy, the following sorts of propositions:
I’ll give you $50,000 cash to drop this piece of malware on your network. It’s undetectable by all of your malware detection and will remain so because this is the only place we’re going to use it. It will give us information we can use to silently extort your company’s C-level execs, and nobody will ever know how we got the information. They’re millionaires anyway. Think about it — all your debt instantly gone — plus a new home theater system that’ll be the envy of the neighborhood.
…and if/when Bob says no…
You’ll take the money and be happy or me and my meth-selling buddies will start getting real cozy with your wife, and we might accidentally burn down your house, too, or hurt your daughter. Don’t bother calling the police; we’re an international crime syndicate and that will just annoy us. Trust me, take the money and everything will go smooth. How about a new car?
Then there’s the blackmail angle if they’re willing to do some research and/or some setups. The point is that all they need is to get an internal employee to drop some of their highly specialized and virtually undetectable malware onto the internal LAN.
In short, the game is to overcome the internal employee's fear of being caught, using either a bigger fear or simple greed. And that's precisely what this newer player, the traditional organized criminal, is good at. They're already into the classical elements, e.g. drugs, guns, violence and prostitution, so leveraging those resources to reap profits in the cyber world seems more inevitable than far-fetched.
This isn’t just movie plot stuff; there really are very organized criminal groups, with millions of dollars of backing, getting into the business of pulling the IT jewels out of top U.S. companies. And when they start figuring out that shmuck-boy the IT guy is the thing standing between them and a multi-billion dollar company’s most sensitive information — the games will begin. In fact, I’m willing to bet they’ve already started.
The Information Security Response
There are predictable ways that we in information security will react:
Increasing the types of background checks required to get into IT. Debts and overall life stability will be increasingly scrutinized, much in the same way it is for those with clearances in the intelligence community. In fact, clearances may become a new standard for certain IT shops.
Separation of duties, least privilege, and auditing will start to get taken far more seriously by everyone. Everyone from the companies themselves to the groups that are auditing them is going to be looking very hard at how to limit the damage an individual employee is able to do if he were to go bad, and at how quickly such an action would be noticed.
Additional outsourcing of sensitive roles due to the specialized requirements of IT in the future. If clearances are needed, as well as training in how to deal with these types of threats, that’s just going to be that much more reason for companies to outsource the whole operation to external experts.
Additional professionalization of IT due to the newer, more stringent requirements. More requirements for college and/or certification plus the initial and ongoing background checks will raise the bar for entry into the field. This will further exacerbate any existing IT labor issues and complicate the discussion of using foreign-born workers.
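The second response above (separation of duties, least privilege, and auditing) is the one that directly blunts the Bob scenario: if disabling anti-malware coverage requires a second person's approval and is logged and reviewed, a single bribed or coerced admin can no longer quietly "drop the malware and keep it undetected". The following is an added example written for this post, not code from the author or from any product. It assumes a constructed, simplified log format (one event per line: timestamp, actor, action, target, change ticket or "-"), a constructed approvals table keyed by ticket, and made-up action names such as av_exclusion_add; real endpoint-protection and change-management systems use their own formats, so treat the parser as a stand-in.

```python
"""Separation-of-duties audit for endpoint-protection changes.

Added example, not code from the original post. It assumes a constructed,
simplified log format (one event per line: timestamp actor action target
ticket, with "-" meaning no ticket) and a constructed approvals table.
The rule it enforces: any action that weakens anti-malware coverage must be
tied to a change ticket approved by someone other than the person performing
it, and no single operator may perform many such actions in a short window.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Actions that reduce detection coverage; a bribed or coerced admin would
# need one of these to plant malware and keep it undetected. Names are
# assumed for this example, not taken from any real product.
SENSITIVE_ACTIONS = {
    "av_service_stop",
    "av_realtime_disable",
    "av_exclusion_add",
    "av_hash_whitelist",
}

# More than this many sensitive actions by one actor within BURST_WINDOW
# is flagged even if each action individually has a valid approval.
BURST_LIMIT = 2
BURST_WINDOW = timedelta(hours=4)


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    action: str
    target: str
    ticket: Optional[str]


# Constructed sample events (not real data). Format:
# <ISO timestamp> <actor> <action> <target> <ticket or ->
SAMPLE_LOG = """\
2008-04-06T09:12:00 bob av_exclusion_add C:/ProgramData/updater.exe CHG-1042
2008-04-06T09:14:30 bob av_hash_whitelist 3f2a9c... -
2008-04-06T10:01:00 alice av_exclusion_add D:/Backups CHG-1043
2008-04-06T11:20:00 bob av_service_stop workstation-77 CHG-1044
2008-04-06T15:45:00 dave password_reset user:erin CHG-1045
"""

# Constructed approvals table (ticket -> approver), assumed to be exported
# from the change-management system.
APPROVALS: Dict[str, str] = {
    "CHG-1042": "carol",   # approved by a second person: fine
    "CHG-1043": "alice",   # alice approved her own change
    "CHG-1044": "bob",     # bob approved his own change
    "CHG-1045": "carol",
}


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ticket = line.split(maxsplit=4)
        events.append(Event(
            ts=datetime.fromisoformat(ts),
            actor=actor,
            action=action,
            target=target,
            ticket=None if ticket == "-" else ticket,
        ))
    return events


def audit(events: List[Event], approvals: Dict[str, str]) -> List[str]:
    """Return one finding per violation of the two-person rule or of the
    burst threshold, in time order. An empty list means the log is clean."""
    findings = []
    per_actor: Dict[str, List[datetime]] = defaultdict(list)

    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action not in SENSITIVE_ACTIONS:
            continue  # routine actions are logged but not policed here
        where = f"{e.ts.isoformat()} {e.actor} {e.action} {e.target}"

        # Two-person rule: a ticket must exist, be approved, and be
        # approved by someone other than the actor.
        if e.ticket is None:
            findings.append(f"NO_TICKET: {where}")
        elif e.ticket not in approvals:
            findings.append(f"UNAPPROVED_TICKET {e.ticket}: {where}")
        elif approvals[e.ticket] == e.actor:
            findings.append(f"SELF_APPROVED {e.ticket}: {where}")

        # Burst check: too many coverage-weakening actions by one person
        # in a short window is suspicious even when each one is approved.
        recent = [t for t in per_actor[e.actor] if e.ts - t <= BURST_WINDOW]
        recent.append(e.ts)
        per_actor[e.actor] = recent
        if len(recent) > BURST_LIMIT:
            findings.append(
                f"BURST: {e.actor} performed {len(recent)} sensitive actions "
                f"within {BURST_WINDOW} ending {e.ts.isoformat()}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), APPROVALS):
        print(finding)
```

On the constructed sample, Bob's first exclusion passes (Carol approved it), his hash whitelist has no ticket, his service stop was approved by himself, and his third sensitive action within four hours trips the burst rule; Alice's self-approved exclusion is caught as well. The value of this kind of check is that the approver and the reviewer of the findings are different people from the admin, which is exactly the property a bribe or a threat against one employee cannot buy.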
So, is this movie-plot fiction or a real possibility?
--

I think option two is the most likely, and should already be practiced at any company that is large enough. However, $50K does sound like a tempting offer …
Comment by Maxo — 4/7/2008 @ 11:56 am
Say… has this happened to you? Sounds just a touch too probable to be fiction. Yikes.
Comment by Paul Eckstrom — 4/7/2008 @ 11:28 pm
I am very intrigued by this position that you stipulate. One reason being I am an IT guy and the other, I consider myself immune to either form of coercion. I sum it up to the reality that if this scenario presents itself to me I will be in a very tricky situation which will ultimately result in my death. Considering the loyalty that I present to any establishment that I associate myself with, I would not be inclined to act against it. Secondly, I cannot be threatened or manipulated by means of acts of violence against my loved ones or assets. (Especially since I have no assets.) I am a firm believer in the "kill the hostages" policy that I coined upon learning about worldly events such as the weapons transport that was seized by terrorists a few days ago off the coast of Africa. If I were in charge, several cruise missiles would have found their way to that ship immediately after verifying that a terrorist seizure had in fact taken place. If I ever got the phone call that went like this, "Hi Mark. We have your wife here with a gun to her head and you have one day to upload the virus to your company's network…." My response would succinctly and cleverly entail, "You can have it your way, Dr. Venkman. Shoot the bitch, I will not be pawed at." and hang up the phone.
Comment by Mark Cunningham — 10/1/2008 @ 8:59 pm