Revenge drives network sabotage

Insiders who sabotage their organisation’s network are almost always motivated by revenge, says a joint report from the US Secret...

Insiders who sabotage their organisation’s network are almost always motivated by revenge, says a joint report from the US Secret Service and the Computer Emergency Response Team (Cert).

Commissioned by the US Department of Homeland Security, the study focused on past network sabotage incidents at critical infrastructure organisations, such as banks, telcos, energy companies and government bodies.

The report looked at 50 incidents over a seven-year period and found that almost all were caused by current or former employees, with 60% caused by ex-staffers. Forty-six of the incidents were sparked by work-related events, such as sackings or demotions.

In almost every case the incident should not have come as a complete surprise, said the report, as those responsible were typically regarded as problem employees by either management or fellow workers. 

The report recommended that organisations tighten up on network access privileges, particularly after showing disgruntled employees the door.

One incident in the survey described how a sacked employee had gained access to the network after using a VPN account he had set up before leaving the organisation. No one knew about this access route as he had sole responsibility for setting up such accounts.

Key findings

  • A negative work-related event triggered most insiders’ actions
  • Most of the insiders had acted in ways that had already raised concern in the workplace
  • The majority of insiders planned their activities in advance
  • When hired, most insiders were granted system administrator or privileged access, but less than half had authorised access at the time of the incident
  • Insiders used unsophisticated methods for exploiting vulnerabilities in applications, processes and procedures, but used relatively sophisticated attack tools
  • Most insiders compromised computer accounts, created unauthorised backdoor accounts, or used shared accounts in their attacks
  • Remote access was used to carry out the majority of the attacks
  • Most insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable
  • Insider activities caused organisations financial loss, undermined their business operations and damaged their reputations

Source: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors

Read more on Data centre hardware