You Already Have Admin, Dumbass

As those performing attacks against corporate IT assets become more
professional, we’re going to start seeing more of the following types of
attacks:

  • Bribery

  • Extortion

  • Blackmail

Think about who’s increasingly behind the information security attacks these
days, and think of how they could more effectively attack an organization
given large amounts of money and their willingness to engage in standard,
physical crime.

The Problem

How hard is it to find out who works in IT in a large organization? How
difficult would it be to make contact with someone who can disable or modify
the anti-malware systems at one of these Fortune 500 companies? And what
would happen if someone with an Eastern European accent offered Bob, the
mediocre (but dangerously knowledgeable) IT guy, the following sorts of
propositions:

…and if/when Bob says no…

Then there’s the blackmail angle if they’re willing to do some research
and/or some setups. The point is that all they need is to get an internal
employee to drop some of their highly specialized and virtually undetectable
malware onto the internal LAN.

In short, the game is to overcome the internal employee’s fear of being
caught using either fear or greed. And that’s precisely what this new type
of traditional, organized criminal player is good at. They’re already into
the classical elements, e.g. drugs, guns, violence and prostitution, so
leveraging those resources to reap profits in the cyber world seems more
inevitable than far-fetched.

This isn’t just movie plot stuff; there really are very organized criminal
groups, with millions of dollars of backing, getting into the business of
pulling the IT jewels out of top U.S. companies. And when they start
figuring out that shmuck-boy the IT guy is the thing standing between them
and a multi-billion dollar company’s most sensitive information — the games
will begin. In fact, I’m willing to bet they’ve already started.

The Information Security Response

There are predictable ways that we in information security will react:

  1. Increasing the types of background checks required to get into IT. Debts
    and overall life stability will be increasingly scrutinized, much in the
    same way it is for those with clearances in the intelligence community.
    In fact, clearances may become a new standard for certain IT shops.

  2. Separation of duties, least privilege, and auditing will start to get
    taken far more seriously by everyone. Everyone from the companies
    themselves to the groups that are auditing them is going to be looking
    very hard at how to limit the damage individual employees would be able
    to do if they were to go bad.

  3. Additional outsourcing of sensitive roles due to the specialized
    requirements of IT in the future. If clearances are needed, as well as
    training in how to deal with these types of threats, that’s just going
    to be that much more reason for companies to outsource the whole
    operation to external experts.

  4. Additional professionalization of IT due to the newer, more stringent
    requirements. More requirements for college and/or certification plus
    the initial and ongoing background checks will raise the bar for entry
    into the field. This will further exacerbate any existing IT labor
    issues and complicate the discussion of using foreign-born workers.

So, is this movie-plot fiction or a real possibility?

May 23, 2025
