Sepio | Blog

Departing Employee? Incoming Data Breach…

Internal Threats

Internal Threats

Employees – a friend or a foe?

Employees pose one of the most significant risks to organizations and can be (whether they intend to or not) major internal threats. For 90-95% of IT leaders, the enterprise’s staff is their greatest cause of concern. With employees having insider access to the organization, they can easily carry out a destructive cyberattack. Additionally, some employees have access to sensitive information and confidential data. According to the 2019 Varonis Data Risk Report, more than half of the companies surveyed found that over 1,000 sensitive files were accessible to every employee. This means that the entire organization could have targeted such data.

Internal Threats

Malicious insiders pose a dangerous risk

When it comes to internal threats, malicious insiders pose a dangerous risk. These actors willingly seek damage to the organization and have insider knowledge and privileges that can be capitalized on in an attack. This seriously harms their target. You might have a malicious actor sitting right next to you… Or, in 2021, on your Zoom meeting – plotting their attack as you read this; they might even be thinking about using you as a pawn. The seemingly innocent look on their face is nothing but a façade. Only 5% of internal cyber incidents were carried out by employees with malicious intent. So, although you can probably rule out your colleague, you should remain vigilant – anyone could be a nefarious cybercriminal.

A more common scenario is when an employee, acting with negligence or carelessness, accidentally (often unknowingly), causes a cyber breach. Similarly, staff members that are unaware of cyber risks, and the various social engineering techniques used by bad actors, can unwittingly be the cause of a harmful attack. Careless and uninformed staff cause a worrying 23% of cyberattacks. You should now be looking at all colleagues surrounding you, including yourself. The mouse that you used to click on this very article could be concealing a Rogue hardware device that has the potential to inject keystrokes and cause data theft, malware injection, and more.

There are several causes for insider attacks, but some of the most prominent are:

Internal Threats

Devices are an asset and a liability.

Organizations have, for some time now, been issuing staff with company-owned devices that are used for remote work. Whether the device can also be used for personal purposes is up to the organization’s cybersecurity department and the relevant policies. Although doing so brings about increased security issues. COVID-19 forced most of the global workforce to turn to remote work if they had not already, which increased the number of BYOD devices in use. Depending on the organization’s telework policy, these devices typically provide users with remote access to the organization’s network and confidential information. Moreover, sometimes even storing such information on the endpoint itself. Great, right? Well, yes, thanks to these devices, many organizations were able to continue some, if not all, operations during the most disruptive period in recent history.

Unfortunately, that is about as positive as this blog is going to get. Endpoints are susceptible to hardware attacks whereby a Spoofed Peripheral – which is by design, malicious – is connected via the USB interface. Since these Rogue Devices impersonate legitimate HIDs, no security alarms are triggered. And the peripheral, or rather the attacker, has access to the unsuspecting (debatable) user’s device. From here, depending on what the endpoint provides the user with access to, the attacker can commit data theft, inject malware, carry out espionage activities, and initiate a ransomware attack, to name a few.

A recipe for disaster

The risks associated with employees and remote devices are always apparent. Organizations need to be on constant alert for attacks originating from both sources. However, when the two are combined, the threat is even more significant. Let me explain… What happens when an employee is terminated? You cut off that employee’s remote access privileges, obviously. Okay, but what about the data stored on the device? Shockingly, 65% of organizations cannot wipe devices remotely. Therefore, the terminated employee still has access to such data until they are no longer in possession of the device-one of many internal threats.

Internal Threats

This is where the risk comes in. You now have an individual who has just lost their job, has nothing to lose (relatively speaking), and has access to sensitive data belonging to the very organization that put them in their unenvious position. A hardware attack is looking pretty appealing. This is especially because the tools are relatively cheap, go undetected, and can cause significant damage to the victim. Now that is a disgruntled employee if there ever was one.

But that is not the only risk. Yes, there are more. A laid-off employee may not wish to cause harm to their ex-employer, but their carelessness could be just as damaging. A lack of cybersecurity awareness could result in an ex-employee recklessly discarding the device. The inability to wipe the data remotely means that such negligence on the employee’s behalf puts the organization at significant risk. Was the device unknowingly sold on eBay to a dangerous hardware attacker? Was the device handed down to a friend or family member who hastily attached a vulnerable peripheral to it? The possibilities are endless and the list of damage that internal threats can cause goes on…

We are here to help!

Yes, I tricked you when I said there are no more positives to this blog…you are welcome.

Sepio’s Hardware Access Control (HAC-1) solution provides, well, a solution to this problem. HAC-1’s capabilities have resulted in a real-life use case where a client used the software to find a loophole to the issue at hand.

HAC-1 provides organizations with complete visibility of all hardware assets within their infrastructure, including remote devices. In doing so, HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all devices and compares them against known vulnerable and Rogue Devices. Additionally, the solution allows the system administrator to define a strict, (more granular), set of rules for the system to enforce.

When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved, or Rogue hardware, provided the software is in ARM mode. This is where the loophole comes in. With these administrative benefits, our client blocked all peripherals by setting the solution in ARM mode for the specific employee’s, or should we say ex-employee’s, device. Doing so rendered the machine useless. So whether they were a malicious actor or just a careless one, there were zero risks of a hardware attack originating from their device.

Just because many organizations struggle with wiping a device’s data remotely, that does not mean that there is not a way around the problem; and HAC-1 is the secret weapon.

March 14th, 2021