Today, CNBC broke the news that Tesla founder and CEO Elon Musk believes that an insider sabotaged Tesla by manipulating code in the Tesla Manufacturing Operating System and by exporting large amounts of user data to unknown third parties. Apparently, the insider did it by using false user names. The CNBC story reports that Musk sent an all-company email explaining what’s known so far. In it, Musk wrote:
I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.
The full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad. His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move.
Monday, June 18: Dtex, Insider Threats in the News: Elon Musk Says Insider Sabotaged Tesla; US Inspector General Says Insider Risk is Putting Critical Infrastructure in Jeopardy; CIO Australia Reports Dtex Helps AMP Detect What Firewalls and AV Misses – Human Behaviors
Musk’s email describes a classic case of a disgruntled insider, something those of us in the industry are all too familiar with. Our analysts frequently help clients make their way through investigations. Some reveal that disgruntled employees were able to steal data and inflict damages by misusing credentials, bypassing security controls and other means. Organizations that can’t see what insiders with privileged access to systems and data are doing are always going to be vulnerable to this kind of inside threat.
For a deeper look at how malicious insiders operate, see the Dtex 2018 Insider Threat Intelligence Report. Read the CNBC story: Elon Musk emails employees about ‘extensive and damaging sabotage’ by employee.
Not all Attacks are Cyberattacks
Much focus is placed on “cloak and dagger” type cyberattacks that give rise to stories about Russian and Chinese hacks that end in massive data breaches, espionage and attacks on physical infrastructure. This makes it easy to forget that some of the most formidable national security vulnerabilities are found in technologies that aren’t connected to the internet, including industrial control systems (ICS).
Last week, the United States Inspector General published a report stating that lax security policies within the US Bureau of Water Reclamation (USBR) had opened the ICS systems controlling several US dams to insider threats. According to the Inspector General:
While isolating ICS from business systems and the internet may deter external cyber threats, insider threats from employees, contractors, and service providers who have legitimate access to ICS still exist. Insiders, particularly those with system administrator access, can use their intimate knowledge of the ICS in combination with their elevated system privileges to bypass controls and potentially disrupt mission operations. Further, because insiders are authorized to use the systems, these individuals may not be detected immediately when they access ICS for unauthorized purposes. Accordingly, the greatest insider threat risk is from individuals who have system administrator access privileges to the ICS.
Since 9/11, the US Department of Homeland Security (DHS) has identified 16 critical infrastructure sectors, which includes dams. According to the DHS:
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
To learn more about the specific dams that are at risk see the AP story published last week in The Sacramento Bee: Folsom, Shasta among dams at-risk of ‘insider threats’
Not All Insiders Are Equal
Last week, the United States Department of Justice (DOJ) announced that Weldon Marshall of Texas was sentenced to prison for unlawfully retaining national defense information. According to the DOJ, Weldon was able to use his security clearance to download highly sensitive US Navy documents classified as “secret.” In addition to serving in the Navy, Marshall also worked as a defense contractor. Interestingly enough, the sentencing came only days after it was widely reported that Chinese government hackers made their way into a Navy contractor’s computers to steal sensitive data. Data that included top secret plans to develop a supersonic anti-ship missile. Whether or not there is any relationship between the two remains to be seen.
Both incidents do show that no amount of AV, firewalls, IPS, anti-phishing or email security gateway technologies can defend us against insiders. Organizations that don’t have visibility over insiders behaviors are going to continue to fall victim to them over and over again.
Read the DOJ’s release: Former Defense Contractor Sentenced for Unlawfully Retaining Classified Information. Read about the attack on the Navy in The Washington Post: China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare.
Malicious privileged users aren’t the only insiders responsible for creating insider threats. More often than not, our most trusted insiders are the ones who are responsible for data breaches. Such is the case with an incident that took place in the Chicago Public School system last week. In his SC Magazine article about the occurrence, Doug Olenick wrote:
A Chicago Public Schools (CPS) worker accidentally emailed private student information to more than 3,700 families who have students in the system.
Hopefully, no personal information abuses will take place as a result of error. It is a great time for the school district to review its insider threat defense program. This needs to include determining whether or not there are controls in place that can prevent risky information sharing, technologies that can provide insights into user behaviors, and security education services for employees.
Dtex in the News
Enterprises and government agencies across the globe are beginning to recognize that it is important to openly talk about their security challenges and solutions. The more they are discussed, the more the industry can learn about what’s working and what’s not.
Last week, in CIO Australia, AMP went on record about how it is attacking vulnerabilities in its environment. The article reported that the company’s CTO said the bank is taking a number of steps to hit its goal to reduce vulnerabilities by 15 percent. According to AMPs CTO:
There’s no way we could go back to our executive board and ask for an exponential increase in the funding for cyber, it’s just not going to happen. Throwing bodies at it just isn’t the answer anymore.
According to CIO:
Instead, AMP has got smarter in the way it deals with security threats: leveraging automation and advanced analytics, hiring a data scientist to its cyber function, introducing gamification concepts to tackling vulnerabilities and ramping up its employee education programme.
Among the steps it’s taken to leverage analytics and automation, is the integration of Dtex into ServiceNow. According to CIO:
Last year, AMP rolled out a user behaviour intelligence platform by DTEX, a company founded in Adelaide.
The platform combines lightweight visibility with analytics to detect insider threats, based on a user’s normal behaviour. AMP integrated it with ServiceNow so that a ticket is automatically raised to the cyber security team when a policy breach occurs.
According to the AMP CTO:
We’ve had a lot of success gaining insights into things that would otherwise go undetected by antivirus and firewalls and all that, just based on behaviour.
Read the full article: AMP appoints data scientist to cyber team to meet ‘audacious’ target
The Dtex 2018 Insider Threat Intelligence Report continues to provide security professionals and bloggers with things to think about. Most recently, WatchGuard Information Security Threat Analyst Marc Laliberte used findings from the report’s section about how insiders bypass security controls to support his Dark Reading submission: 3 Tips for Driving User Buy-in to Security Policies.