Friday, February 6, 2009

People Hacking 101: How to Infiltrate a Credit Agency

The economic situation is getting worse.  Layoffs are pervasive in every industry, and it's global.

It gets worse.  Since there is very little chance for pay raises or employee "happiness" spending, things are starting to look grim, and this is driving higher insider crime - but maybe not in the sense that immediately comes to mind.

A peek into the distressed employee's mind can show a battle royale of opposing forces; one side is upset and wants to set fire to the place, the other is happy to have a job.  Enter into this situation the dire economic need more and more employees find themselves in and you begin to see an ethical situation teetering on the brink.

All that's needed now is a slight nudge in one direction or the other.  The following scenario is real... played itself out in real-life about 3 years ago... when things were still half-way decent.
After a 3rd round of layoffs from the Acme Credit Card Company employee morale was down, and everyone was worried about losing the job next.  The call center employees knew that at any given point they could be next, and with the local economy faring poorly, everyone was in a state of panic.
One evening on the way to her car a female call center employee was approached with an offer.  For $1,000 and dinner she would need to answer some questions about the Acme Credit Card Company's internal call center procedures.  The inquisitor was clearly after some security knowledge that only an insider could give... but the employee seized the opportunity for a quick grand, obliged.  The following week the same employee was approached in the parking lot again with a USB memory stick, and an envelope.  The envelope contained simple instructions, and $3,000 cash with the promise of a higher payout on completion of the task.
Over the next 2 weeks the employee followed directions and plugged in the USB stick and ran a simple application while she worked during the day, then unplugged it and slipped it into her shirt on the way out the door so no one would suspect anything.  After 2 weeks, she was approached again, in the parking lot, with another envelope and an outstretched hand for the memory stick.  The envelope had another $6,000 in it, bringing the total to $10,000 for 2 weeks of simple covert operation.
The employee never heard from or saw that person again...
Now - ask yourself what protections your company has against this situation.  What types of protections will the antivirus, the IDS, the DLP appliances, and all the other "boxes" on your network afford you?

This turned out to be a data breach that saw nearly ~100,000 cardholder records compromised, including online logins, passwords, credit card numbers, mother's maiden name... you name it.  The total cost was estimated somewhere around $14MM including cleanup, fraud, and other associated costs.

This will become more prevalent as the economic climate deteriorates, and organized crime begins to step in even harder.

There are measures which can protect against this type of situation, and rarely do the countermeasures require serious purchases...
  • First and foremost identify where critical information (such as cardholder data, etc) lives in your network and systems
  • Lock down critical information on a need-to-know basis, masking non-necessary bits
  • Establish role-based access controls and procedures (monitor they are enforced)
  • Create an oversight/audit group which can operate independently of IT, reporting to either Legal Counsel, or Risk... audit internal procedures and their effectiveness regularly
  • Establish behavioral-baselines for your employees; profile what groups of people do what and then create red flags when there are deviations
  • Lock down workstations, remove the user's ability to add hardware/software to your pre-built, locked-down image
  • Create a zero-in/zero-out policy; establish checkpoints at the entrance to call centers and critical data silos... create a policy that allows for nothing to be brought in, or removed without specific authorization
  • Perform extensive background checks tiered appropriately to the level of access an employee has
  • Make these policies public and post consequences...
With a little bit of hard work, your company can survive the onslaught of organized crime, and rogue employees.  What measures do you have that would protect you in this very real situation?  I'd love to hear your answers either publicly or privately.

No comments: