Can I borrow your swipecard?

[...so we can add 2,000 new admin accounts to your system]

This case involves an accountancy firm based in South East England.  The firm had just lost a big client and as a result had to make some cuts which included letting a few members of staff go.

Jamie had been one of these staff members.  He was disgruntled, to say the least.  He'd expected better from the company and was worried about how he was going to manage financially. Jamie had a week of holiday remaining, which he was planning to use for job hunting.  On his last day he left early and posted some very detailed and anger-infused posts on Facebook and LinkedIn.  The next day he got a sympathetic LinkedIn message from a contact called Ben. Ben had a proposal.

Ben explained that Jamie just had to post his ID to a post-box address; they would use it for a day to look around and then post it back. Easy money.

Angry and desperate for money, Jamie agreed.

He posted his passes to a mailbox Ben gave him and, as promised, 2 days later they were returned and Jamie was £5,000 richer.

What Jamie wasn’t aware of was that Ben was planning a little more than just "reconnaissance". Once the pass was used to gain access to the building, the attackers got onto the firm’s network via one of the desktops in the office. Once there they did a number of things, including creating themselves an admin account.

Having obtained persistent access to the company network they posted Jamie back his pass. They then proceeded to create more and more accounts on the network and sell them to other attackers on the dark web.  Each account was going for around £4000-£5000.

This went on for quite some time, over a year.  It only got detected when the accountancy firm hired a new cyber security professional, Jeff.  The firm had around 500 employees but Jeff noticed that there were almost 2000 accounts!  He called a meeting with the partners and raised the alarm.

The firm remains unsure of the true extent of the malicious activity; however, they do know that all of the customer data had been copied and in turn re-sold on the dark web. This data included sensitive details and company accounts. They ended up losing many of their clients.

What can we learn?

Train your staff well: Jamie should have been suspicious of Ben's contact.  Once in, other staff should have questioned Ben's presence.  Who is he? Why is he wearing Jamie’s ID badge? Staff should be trained to politely challenge people they don't know.

Policies: Staff need to know what the policies are and what behaviour is expected of them. 

Defence in depth:  In many companies security ends when you swipe in at the front door. This gives you only one chance to stop an attacker. Build additional rings of security throughout the building, prioritising areas such as server rooms and IT infrastructure.

Disable accounts and passes: Staff who leave the company should have all accounts immediately disabled.  Disable accounts for staff who are suspended, on long-term sick leave or on maternity leave. If they won’t be coming in, they don’t need access.

Lock down accounts: Keep admin accounts to a minimum and don’t allow them to be used as regular accounts. Review the number of user accounts your company has. Are there any that should have been removed?
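The account review described in the two points above can be run as a routine reconciliation between the HR roster and the directory. The following is an added example, not part of the original case study: the column names, status values and sample rows are constructed assumptions. It flags enabled accounts with no matching employee, enabled accounts belonging to staff who are not active, and every enabled admin account for review.

```python
import csv
import io
# Constructed sample exports; column names and values are assumptions.
HR_ROSTER = """employee_id,status
E001,active
E002,active
E003,left
E004,maternity_leave
"""

ACCOUNTS = """username,employee_id,enabled,is_admin
asmith,E001,true,false
asmith-adm,E001,true,true
bjones,E002,true,false
jamie,E003,true,false
cpatel,E004,true,false
svc-helpdesk2,,true,true
tmp-admin7,E999,true,true
old-temp,,false,false
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_accounts(hr_rows, account_rows):
    """Reconcile enabled directory accounts against the HR roster."""
    status = {r["employee_id"]: r["status"] for r in hr_rows}
    findings = {"orphaned": [], "should_be_disabled": [], "admin_review": []}
    enabled = 0
    for acct in account_rows:
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to do
        enabled += 1
        owner = status.get(acct["employee_id"])
        if owner is None:  # no such employee: nobody answers for this account
            findings["orphaned"].append(acct["username"])
        elif owner != "active":  # leaver, suspended or on long-term leave
            findings["should_be_disabled"].append(acct["username"])
        if acct["is_admin"].lower() == "true":
            findings["admin_review"].append(acct["username"])
    findings["enabled_accounts"] = enabled
    findings["active_staff"] = sum(1 for s in status.values() if s == "active")
    return findings

if __name__ == "__main__":
    for key, value in audit_accounts(load(HR_ROSTER), load(ACCOUNTS)).items():
        print(f"{key}: {value}")
```

A large gap between `enabled_accounts` and `active_staff`, like the 2000 accounts against 500 employees in this case, is itself a finding worth escalating.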

Social engineering penetration testing:  Once you have reviewed your policies, trained your staff and tightened your technical controls, test how effective those controls are by conducting a social engineering penetration test - get trained professionals to attempt to enter your company premises and exfiltrate data or equipment. You don't know if your controls are effective until they are tested.

 
