Employee Hacking: The New Inside Job
Joseph Kummer, Terri Berry, Brad White
Summary
• 1. Specific instances of employee hacking and the consequences that resulted from them.
• 2. How employees use their positions within an organization to obtain sensitive information, and their various motivations for doing so.
• 3. Various methods and techniques for preventing employee hacking, and potential modifications to accounting laws and regulations relating to internal controls and IT security that would help ensure that businesses allocate sufficient resources for the protection of sensitive information from their own employees.
Specific Incidents
• 1. Gucci America Inc.
• 2. U.S. State Department
• 3. Education Logistics
• 4. Akimbo Systems (f/k/a Blue Falcon Networks)
The How and Why
• Extensive knowledge of the system and the company
• Possess necessary access credentials
• Understand the security systems in place and related control mechanisms, and know how to avoid controls and detection
• TRUST!!!
• Intentionally cause damage to the company
• Recklessly cause damage to the company
• Personal financial gain
• Sale of trade secrets
• Sale of financial or other insider information
• Sale of authorization/access codes and/or knowledge of the system
Prevention
• Promote information security as an organizational goal
• Obtain top-level support for making information security a priority
• Implement proper access and authorization controls
• Change access and authorization controls on a regularly scheduled basis
• Monitor employee access records
• Deprovision user access as appropriate
Federal and state governments protect 3rd parties
• Require implementation of security and confidentiality procedures and technology
• Require strict access control policies, including deprovisioning policies
• Require monitoring of employee access
• Require reporting of unauthorized disclosures, access and/or breach