It was just after 6pm on December 23, 2013, and Lennon Ray Brown, a computer engineer at the Citibank Regents Campus in Irving, Texas, was out for revenge.
Earlier in the day, Brown – who was responsible for the bank’s IT systems – had attended a work performance review with his supervisor.
It hadn’t gone well.
Brown was now a ticking time bomb inside the organization, waiting for his opportunity to strike. And with the insider privileges given to him by the company, he had more of an opportunity to wreak havoc than any external hacker.
Prosecutors described what happened next, just before Brown left the Citibank offices that evening:
“Specifically, at approximately 6:03 p.m. that evening, Brown knowingly transmitted a code and command to 10 core Citibank Global Control Center routers, and by transmitting that code, erased the running configuration files in nine of the routers, resulting in a loss of connectivity to approximately 90 percent of all Citibank networks across North America.”
“At 6:05 p.m. that evening, Brown scanned his employee identification badge to exit the Citibank Regents Campus.”
Seemingly unconcerned about being linked to the attack on Citibank’s infrastructure, Brown sent a text message to one of his colleagues:
“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
“Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
Brown may now be regretting his rash actions, as he has been sentenced to 21 months in a federal prison for transmitting a command that caused damage without authorization to a protected computer. In addition, he has been ordered to pay $77,200 in restitution.
A moment of madness on Brown’s part caused the disruption of business systems, would have cost the company money to investigate and resume normal operations, and has cast a shadow over the rest of the IT worker’s life. After all, how many firms are likely to trust him with their IT security now?
In short, everyone loses.
And this should be a concern for any business. You spend so much time and effort worrying about online criminals and internet hackers breaking into your business to steal your secrets, but have you considered the threat that might actually be on your payroll?
The truth is that the person hacking you may not be someone you’ve never met, wearing a hoody on the other side of the world. They could be sat right next to you, wearing a business suit.
I would wager that malicious insiders, people who you have invited into your company’s offices, who you have shared your network passwords with, who you have granted access to your systems, pose a large potential threat and could put your business at even greater risk.
Even if they’re not IT-specific staff, if you have let them walk into your building they may have opportunities to plant keylogging hardware to grab passwords, open backdoors for other hackers, or spirit away sensitive documents without you realizing.
Don’t ignore the risks posed by the insider threat. If you turn a blind eye to them and solely focus on threats coming from outside your network then you are making a big mistake.
Take precautions, restrict privileges, monitor unusual activity, and put policies in place in both IT and human resources.
It is never going to be possible to stop every insider threat. But what you can do is attempt to limit their impact, and reduce the opportunities for a rogue member of your staff to go off the deep end.