Insiders who sabotage their organisation’s network are almost always motivated by revenge, said a joint report from the US Secret Service and the Computer Emergency Response Team.
The study, which was commissioned by the Department of Homeland Security, focused on past incidents of network sabotage at critical infrastructure organisations, such as banks, telecoms operators, energy companies and government bodies.
The report looked at 50 incidents which occurred over a seven-year period and found that almost all were caused by current or former employees, with 60% caused by ex-staffers. Forty-six of the incidents were sparked by work-related events, such as sackings or demotions.
In almost every case the incident should not have come as a complete surprise, said the report, as those responsible were typically regarded as problem employees by management or fellow workers.
The report recommended that organisations tighten up user privileges to access the network, particularly after showing disgruntled employees the door.
One incident in the survey involved a sacked employee who gained access to the network using a network account he had set up before leaving the organisation. No one knew about this access route as he had sole responsibility for setting up such accounts.
Among the report's findings:
- A negative work-related event triggered most inside saboteurs' actions
- Most of the inside saboteurs had acted in ways that had already raised concern in the workplace
- The majority of inside saboteurs planned their activities in advance
- When hired, most inside saboteurs were granted system administrator or privileged access, but fewer than half had authorised access at the time of the incident
- Inside saboteurs used unsophisticated methods for exploiting vulnerabilities in applications, processes and procedures, but used relatively sophisticated attack tools
- Most inside saboteurs compromised computer accounts, created unauthorised backdoor accounts, or used shared accounts in their attacks
- Remote access was used to carry out the majority of the attacks
- Most inside saboteur attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable
- Inside saboteur activities caused organisations financial loss, undermined their business operations and damaged their reputations.