Employees continue to be a viable internal threat
The InfoSec team for a business plans at length for attacks from various sources and, in the form of incident response, for compromises if these were to occur. These external threats come from across the globe and take a significant amount of time to plan for. The teams may harden the network, provide training, and take other measures against these external threats. One area, however, that has not been significantly examined is the insider threat, which is difficult to plan a defense for. The admins may attempt to limit the access rules to the employee’s role, or apply other measures. There may, however, be an issue if this is not configured correctly. The system could log the workflow; however, this may be problematic, as the logs require some level of analysis, which takes time. Also, certain persons may have access to the logs, including write access, and could modify them to show there had been no wrongdoing. A recent issue much like this involved the Chicago Public Schools.
The issue started with Kim Sims, a 28-year-old contract worker. Her unauthorized access was discovered, she was fired, and later charged with computer tampering and four felony counts of identity theft. Her access was allowed due to her position with the Chicago Public Schools (CPS).
There are contract workers in the CPS in varying capacities, working with various data throughout the school year. Most of the time, there is not an issue.
The contractor’s responsibilities included conducting background checks on CPS employees. This would give the person access to gather certain germane data to upload into the system. It would not, however, give the person access to download data from other files. In this case, Sims was not authorized for this function, as it was not part of her role. Unfortunately, she illegally downloaded the personal data of district employees she had access to. Approximately 80,000 CPS employees, contractors, volunteers, and vendors were affected by this. She was fired, and the CPS Board of Education found that she had accessed and downloaded the personal data.
The affected persons’ data has value to many others, much to their detriment. The data downloaded and exfiltrated included the employees’ names, addresses, dates of birth, criminal background information and history, employee ID numbers, phone numbers, and potentially information from the state Department of Children and Family Services.
Fortunately, this did not include the affected persons’ Social Security numbers. The investigators noted they were not aware whether the data had been shared with other unauthorized parties. Once the law enforcement authorities executed their search warrant, the files were retrieved.
As a result of the issue, CPS conducted a forensic audit. The focus for the audit was on the computers and cell phones.
The insider threat is problematic. The business wants to fully trust its employees, but this can be difficult in certain instances. When the company over-monitors the employees, there is a perceived trust issue. Although this compromise was rather low-tech, it still caused a massive amount of work to correct, and the contractor faces legal issues for an extended period of time.
There should be more rules in place to reduce the opportunity for this to occur in the future.
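The article's two control points, access rules limited to the role and logs that take time to analyze, can be combined by checking every access-log record against the role's permitted actions automatically. The following is an added example, not part of the original article or any CPS system; the role names, log format, and download limit are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Hypothetical role policy: the (action, record type) pairs each role may use.
# A background-check contractor may upload results, nothing else.
ROLE_POLICY = {
    "bg_check_contractor": {("upload", "background_check")},
    "hr_analyst": {("read", "personnel"), ("download", "personnel")},
}

# Hypothetical per-user daily ceiling, applied even when downloads are allowed.
DAILY_DOWNLOAD_LIMIT = 500

# Constructed sample log: timestamp,user,role,action,record_type,record_count
SAMPLE_LOG = """\
2024-01-15T09:02:11,user_a,bg_check_contractor,upload,background_check,12
2024-01-15T09:40:03,user_b,hr_analyst,download,personnel,40
2024-01-15T13:15:47,user_a,bg_check_contractor,download,personnel,25000
2024-01-15T14:05:00,user_b,hr_analyst,download,personnel,700
2024-01-16T10:00:00,user_b,hr_analyst,download,personnel,100
"""


def audit(log_text):
    """Return a list of (timestamp, user, reason) findings."""
    findings = []
    downloaded = defaultdict(int)  # (user, day) -> records downloaded so far
    fields = ["ts", "user", "role", "action", "rtype", "count"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        allowed = ROLE_POLICY.get(row["role"], set())  # unknown role: deny all
        if (row["action"], row["rtype"]) not in allowed:
            findings.append((row["ts"], row["user"], "out_of_role"))
            continue
        if row["action"] == "download":
            key = (row["user"], row["ts"][:10])
            before = downloaded[key]
            downloaded[key] += int(row["count"])
            # Report once, on the record that crosses the daily limit.
            if before <= DAILY_DOWNLOAD_LIMIT < downloaded[key]:
                findings.append((row["ts"], row["user"], "volume"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Such a check is only as reliable as its input, so it belongs on a copy of the log that the audited users cannot write to, given the point above about log write access.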
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.