While Halloween only comes around once a year, there are some truly frightful security mishaps occurring on a daily basis. Some of these mishaps have made headline news, while others were too terrifying to share... until now.
Just in time for Halloween, renowned cyber security expert and SANS Faculty Fellow, Dr. Eric Cole, shares three horrific tales of hideous human behavior which he has personally witnessed and lived to tell! Warning: What you are about to read is real.
Ghosts of Employees Past
Consider this frightening tale. When performing a routine security assessment for an organization, it was discovered that more than 145 accounts of employees who no longer worked for the organization were still active. GASP! Even scarier, when looking for possible activity on these accounts it was discovered that 17 of them were still actively being used. You can imagine the horror, but it gets worse.
After approaching HR to find out if there was anything special about these accounts it was revealed that seven of the 17 people who were actively using their old accounts were fired five months earlier for stealing information about the company and giving it to a competitor. Talk about a nightmare! Fire an employee for stealing, take away their badge but forget to cut off account access, only to learn they continue stealing from the organization even after termination. Now, that is terrifying!
If you don't have goose bumps yet, this global tale will likely raise a hair or two. A large US manufacturing organization with state-of-the-art industrial technology was under constant attack by the Chinese. Every four to six weeks for several years this grotesque scene continued to play out. These compromises wreaked havoc within the manufacturing organization's security environment. Yet despite the disturbing efforts of the Chinese hackers, the company was able to keep its technology a secret. However, for some mysterious reason (OK, because of costs), the executive team decided to move all of its US manufacturing and production to... China. GASP! The security team was left screaming in horror as their worst nightmare came true. Despite being able to successfully fend off the attacks over a three-year period while located in the US, within just two years after moving overseas the Chinese hackers were able to successfully infiltrate. As if this story couldn't get any more horrific, it didn't take long for them to develop a competing product which outsold the US company's product. The US company was forced to close its Chinese operations, as it was unable to compete. While the US manufacturing company is still in business today, its product line went from a billion-dollar product line to a mere million-dollar product line. How's that for a gruesome tale?
A hideous discovery
Still not scared? Here's a wicked story that is sure to give you nightmares. A typical full security assessment of an organization includes the facility as well as the data center; this means checking all policies, personnel, cyber security, and physical security. It was 11 p.m., haunting hours, the ideal time to test out the physical security of a building. Creeping through the dark to make sure the doors were locked, a horrific discovery was made. A door in the back by the loading docks (which just happens to be next to the data center) was unlocked. As if that wasn't frightening enough, right next to the door, along the edge of the wall and out of reach of the motion detector, was all of the company's taped storage! PII and PHI were easily available for any ghoul to take. Because this was a major exposure, someone within the organization had to be alerted immediately, otherwise, walking away knowing there was exposure could result in liability. Thinking this nightmare could not get any worse, the closest person within the organization to the office was the company's CFO who arrived to re-secure and lock the building in flannel, footy pajamas (how about that for a creepy image?).
So what can we learn from these terrifying tales? First, don't assume that processes, procedures and policies are being followed. Verify and check to make sure they are. Second, common sense doesn't prevail in most environments, so don't assume people will make the right decisions. Ensure that employees have the data to support all decisions, so that they are making them in a proper and correct manner.