The Risk Within: Could an Ex-Employee Be Responsible for the Sony Hack?

Monday, January 19, 2015

Patrick Oliver Graf


One month ago, we asked, “What network security lessons can we learn from the Sony attack?” Since then, new information has been slow to trickle out, save for the FBI’s mid-December statement that assigned responsibility to the North Korean government.

Despite the seeming finality of that announcement, many in the cybersecurity community are still not convinced of North Korea’s sole culpability. In fact, some have even gone as far as to construct counter-narratives to identify the responsible parties.

One of the more vocal opponents of the FBI’s North Korea theory has been Norse, a cyber-intelligence provider. Kurt Stammberger, the company’s senior vice president, recently laid out his case to the Huffington Post as to why he thinks that internal factors – specifically, an ex-employee of Sony – may have been central to the breach.

As Stammberger detailed, the malware deployed in the hack contained Sony credentials, server addresses and digital certificates. He said, “It’s virtually impossible to get that information unless you are an insider, were an insider, or have been working with an insider.”

This evidence is compelling on its own. And even if an insider is ultimately found not to have been involved in the attack, Norse’s assertion has already given those in IT and cybersecurity plenty to think about when it comes to the damage ex-employees can do on their way out the door.

The Risks Inherent to Network Privilege

On their first day at work, IT departments provide employees with all the tools they’ll need to do their jobs – the devices themselves, the necessary access credentials, remote access capabilities and more. The problem is, once employees leave the company, they could use this knowledge – the same information they once used to help the company – to harm it.

It could be as innocent as an ex-employee logging into the network remotely to access a personal email from their old company email account, or as malicious as a terminated employee deliberately leaking privileged information as a means of enacting revenge.

In some instances, certain ex-employees, known as “privileged users,” could cause even more damage, because of how much more they know than the average employee. They’re the network engineers, database administrators and application developers who are responsible for network operations. They’re the users who control network resources and who may have less oversight or control over their actions. If an attacker is able to obtain these employees’ credentials, or if these privileged users become malicious actors themselves, the integrity of the network could be jeopardized.

That’s why employers need to ensure that the break with ex-employees is both clean and final. Employees cannot be permitted to have any of the same access to the corporate network that they did when they were employed. Even if just one of their credentials is still operational – be it for servers, networks or end devices – then sure enough, that will be the vulnerability that will be exploited.
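One way to make that break verifiable rather than assumed is to audit an access inventory against the departure list and flag anything still live. The following is an added example, not code from the original post or from VPN HAUS; the inventory, user names and system names are constructed, and the structure of the records is an assumption (a real run would pull the same fields from the directory, VPN concentrator, certificate authority and device-management system).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed record shapes (assumption: what an access inventory export would carry).
@dataclass(frozen=True)
class Credential:
    user: str
    system: str            # "server", "network", "device" or "certificate"
    identifier: str        # e.g. SSH key id, VPN account, device enrolment, cert serial
    active: bool           # still enabled on the issuing system
    expires: Optional[date] = None   # None means no built-in expiry

@dataclass(frozen=True)
class Departure:
    user: str
    last_day: date

def lingering_access(creds: List[Credential], departures: List[Departure],
                     today: date) -> List[Credential]:
    """Return every credential that can still grant access to a departed user.

    A credential is lingering when its owner has left, it is still enabled,
    and it has not expired on its own.  Disabled or expired entries are skipped,
    but only disabled ones count as a deliberate revocation; expiry is luck.
    """
    left = {d.user for d in departures if d.last_day <= today}
    findings = []
    for c in creds:
        if c.user not in left or not c.active:
            continue
        if c.expires is not None and c.expires <= today:
            continue
        findings.append(c)
    # Report servers and network access first: those are the remote entry points.
    order = {"server": 0, "network": 1, "certificate": 2, "device": 3}
    return sorted(findings, key=lambda c: (order.get(c.system, 9), c.identifier))

# Constructed sample inventory: one departed engineer, one current employee.
SAMPLE_CREDENTIALS = [
    Credential("alice", "server", "ssh:alice@build-01", True),
    Credential("alice", "network", "vpn:alice", False),                   # revoked
    Credential("alice", "certificate", "cert:alice-vpn-client", True, date(2016, 3, 1)),
    Credential("alice", "device", "mdm:laptop-0042", True, date(2014, 12, 1)),  # expired
    Credential("bob", "server", "ssh:bob@build-01", True),                # still employed
]
SAMPLE_DEPARTURES = [Departure("alice", date(2014, 12, 15))]

if __name__ == "__main__":
    for c in lingering_access(SAMPLE_CREDENTIALS, SAMPLE_DEPARTURES, date(2015, 1, 19)):
        print(f"LINGERING {c.system:<11} {c.identifier} (user {c.user})")
```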

Whether this type of oversight was a key element of the Sony breach is yet to be determined – at least, if you don’t believe the FBI’s version of the hack. But if an ex-employee was involved, and was able to publicly humiliate one of the nation’s largest entertainment giants with just insider knowledge and some keystrokes – then network administrators will have officially been put on notice about the risk of their own workers and the grave potential of internal threats.

This was cross-posted from the VPN HAUS blog.
