Last week, Apple learned that it had an insider threat active in its ranks. It was the type of insider that Dtex and the industry commonly refer to as a “leaver”: an employee who is preparing to depart and who takes data or otherwise acts against the company before resigning. In this case, the leaver also happened to be a privileged user, someone with special access to specific systems and data. The combination, as Apple discovered, can be a recipe for disaster.
After the leaver, a former employee named Xiaolang Zhang, informed Apple that he planned to leave the company for a job with China-based electric vehicle startup XMotors, Apple began reviewing his recent digital and physical activity. When that review raised suspicions, Apple notified the FBI. The FBI investigated, and Zhang was charged with stealing trade secrets related to Apple’s self-driving car program.
In a story about the incident, Info Security Magazine’s Kacy Zurkus wrote:
Because it was required in his role, Zhang had access to Apple’s intellectual property, including confidential databases.
In that same story, Zurkus cites the Dtex 2018 Insider Threat Intelligence Report:
Cases of insider threats are not uncommon. According to the 2018 Insider Threat Intelligence Report from Dtex Systems, 38% of the assessments run as part of the report found evidence of employees who were exhibiting flight-risk behaviors.
And, she quotes Dtex CEO Christy Wyatt:
The criminal complaint filed in this case is not only evidence of what the former Apple employee may have done, it is also proof of how easy it is for anyone with privileged access rights to steal confidential data from their employers. Apple, Tesla, Waymo and the litany of other organizations that have been victimized by insiders lately shows that companies are doing a great job of piecing together wrongdoing after the fact. It also shows that businesses need to be more aware of activities taking place as they happen.
The incident at Apple offers multiple security lessons; fully dissecting the criminal complaint would be necessary to understand all of them. Even so, a few top takeaways stand out for anyone with a stake in protecting data and IP. This situation shows:
1) Understanding behaviors is key to knowing whether or not someone is planning to leave a company;
2) It is important to have forensics tools that can piece together what happened after the fact;
3) It is equally important to be able to receive alerts in real time when risky behaviors are in play.
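As an added illustration of takeaways 2 and 3, the Python below is example code written for this post, not Dtex product logic and not anything drawn from the Apple case. It runs a simple leaver detector over a constructed endpoint activity log: a resignation notice or a visit to a careers site counts as a flight-risk indicator, a per-user baseline of daily file-read volume is built from the activity before that moment, and bulk reads or removable-media copies that follow it raise alerts, rated higher for users on a privileged-access roster. A timeline helper pulls the events leading up to an alert for after-the-fact reconstruction. The event format, the user names, the thresholds, the job-site hints and the roster are all assumptions made for the example.

```python
"""Toy leaver detector over a constructed endpoint activity log (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: users holding privileged access to confidential systems.
PRIVILEGED_USERS = {"jdoe"}

# Constructed sample events: timestamp,user,action,target,bytes. Not real data.
RAW_EVENTS = """\
2018-06-01T09:10,jdoe,file_read,share://eng/designs/a.pdf,2000000
2018-06-02T10:00,jdoe,file_read,share://eng/designs/b.pdf,1500000
2018-06-03T11:00,jdoe,file_read,share://eng/designs/c.pdf,2500000
2018-06-04T09:30,jdoe,file_read,share://eng/designs/d.pdf,1800000
2018-06-05T14:00,jdoe,web_visit,careers.example-ev.test,0
2018-06-06T09:00,jdoe,hr_notice,resignation,0
2018-06-06T20:30,jdoe,file_read,share://eng/confidential/db_export.csv,900000000
2018-06-06T21:05,jdoe,usb_copy,E:/db_export.csv,900000000
2018-06-07T08:00,asmith,file_read,share://eng/designs/a.pdf,2000000
2018-06-07T08:10,asmith,usb_copy,E:/notes.txt,4000
"""

FLIGHT_RISK_ACTIONS = {"hr_notice"}   # explicit signal: notice given to HR
JOB_SITE_HINTS = ("careers", "jobs")  # crude heuristic for web_visit targets (assumption)
SPIKE_FACTOR = 5                      # alert when one read exceeds 5x the daily baseline
ABSOLUTE_BYTES = 100 * 1024 * 1024    # fallback threshold when the user has no baseline


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def parse_events(text):
    """Parse the CSV-like stream into dicts, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, target, nbytes = line.split(",")
        events.append({"ts": parse_ts(ts), "user": user, "action": action,
                       "target": target, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def is_flight_risk(ev):
    if ev["action"] in FLIGHT_RISK_ACTIONS:
        return True
    return ev["action"] == "web_visit" and any(h in ev["target"] for h in JOB_SITE_HINTS)


def first_flight_risk(events, user):
    """Timestamp of the user's earliest flight-risk indicator, or None."""
    for ev in events:
        if ev["user"] == user and is_flight_risk(ev):
            return ev["ts"]
    return None


def baseline_daily_bytes(events, user, before):
    """Mean bytes read per active day before `before` (0 if the user has no history)."""
    per_day = defaultdict(int)
    for ev in events:
        if ev["user"] == user and ev["action"] == "file_read" and ev["ts"] < before:
            per_day[ev["ts"].date()] += ev["bytes"]
    return sum(per_day.values()) / len(per_day) if per_day else 0


def detect_leaver_alerts(events):
    """Flag bulk reads and removable-media copies that follow a flight-risk signal."""
    alerts = []
    for user in sorted({e["user"] for e in events}):
        t0 = first_flight_risk(events, user)
        if t0 is None:
            continue  # no flight-risk context: treated as ordinary activity
        baseline = baseline_daily_bytes(events, user, t0)
        threshold = SPIKE_FACTOR * baseline if baseline else ABSOLUTE_BYTES
        severity = "high" if user in PRIVILEGED_USERS else "medium"
        for ev in events:
            if ev["user"] != user or ev["ts"] < t0:
                continue
            rule = None
            if ev["action"] == "file_read" and ev["bytes"] > threshold:
                rule = "bulk_read"
            elif ev["action"] == "usb_copy":
                rule = "removable_media"
            if rule:
                alerts.append({"rule": rule, "user": user, "severity": severity,
                               "ts": ev["ts"], "target": ev["target"], "bytes": ev["bytes"]})
    return alerts


def timeline(events, user, around, hours=24):
    """Events for `user` in the `hours` leading up to `around`, for reconstruction."""
    lo = around - timedelta(hours=hours)
    return [e for e in events if e["user"] == user and lo <= e["ts"] <= around]


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for a in detect_leaver_alerts(evs):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['severity']:<6} {a['user']:<7} "
              f"{a['rule']:<16} {a['target']} ({a['bytes']} bytes)")
    print("--- timeline leading up to the last alert ---")
    for e in timeline(evs, "jdoe", parse_ts("2018-06-06T21:05")):
        print(f"{e['ts']:%Y-%m-%d %H:%M} {e['action']:<10} {e['target']}")
```

Note that asmith’s USB copy produces no alert: with no flight-risk indicator in front of it there is no behavioral context, which is the point of the first takeaway. In a real deployment the baseline window, the spike factor and the job-site hints would be tuned per organization, and each alert would be forwarded as it fires rather than collected in a list.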
Read the full Info Security Magazine story: Former Apple Employee Charged with Data Theft
To learn more about how leavers impact organizations, check out our Dtex 2018 Insider Threat Intelligence Report
To understand more about how Dtex works to prevent this type of breach, read 10 Reasons Why Organizations Deploy Dtex
Russia, if ever one word said it all …
Last Friday, United States Department of Justice (DOJ) Special Counsel Robert Mueller announced an indictment against 12 officers of Russia’s Main Intelligence Directorate of the General Staff (GRU), the group that, according to the indictment, operated the infamous “Guccifer 2.0” persona. The GRU is one of the country’s primary intelligence units. The indictment charges that the 12 conspirators conducted large-scale cyberattacks against the DNC, the DCCC and the Hillary Clinton campaign in order to steal information and interfere with the 2016 U.S. presidential election.
Since then, thousands of stories and millions of social media posts have been published about the situation. Today, the plot thickened after the meeting between US President Donald Trump and Russian President Vladimir Putin concluded.
Much of what is going on involves issues beyond what actually took place online. Law, diplomacy, foreign policy, national policy and national defense are all now in the mix. However, anyone interested in using the evidence presented in the indictment to understand the nature of successful cyberattacks should take note of a few things it makes clear:
1) The attacks were simple and unsophisticated
2) The attacks relied on spearphishing, one of the oldest tricks in the book
3) The attacks took advantage of vulnerable people
Hindsight is 20/20, of course. It will never be known whether a few simple precautionary steps to better defend the people the GRU targeted could have prevented the intrusions. It is reasonable to conclude, though, that anyone responsible for defending an organization’s data and people against this type of attack should, at the very least, take stock of the controls they have in place to protect their insiders. Those controls should go much deeper than anti-phishing technology and awareness training alone. To truly remain protected, organizations need to understand how executives, employees, contractors, partners and other entities with network access are behaving, what activities they are engaging in, and how they are accessing and sharing data.
To learn more about the importance of understanding how insiders are impacting security programs, read: Defending Against the Wrong Enemy: The 2017 SANS Insider Threat Survey