Separate duties for employees or end up like this…

With war in Ukraine raging on, the cyber warfare between the Russians and the West continues to see an increase in Russian cybercrime. We deal with a lot of clients that employ external developers for specific projects.

What we frequently discover is that these external developers and internal operations have little separations of responsibility.
For example: Here is an illustration of something we just experienced with a customer. They are a large manufacturing firm that specializes in construction materials and supplies. They had created their own software to be used for sales, process, material computations, CRM, billing, and many other aspects of their business, in one integrated package.

This piece of software was designed with the client in mind, but it needed frequent updates and modifications, as it was built and used in the field. Having an in-house developer is costly, so they out-sourced the job to an external contractor, (as many other businesses do).

To make life easier, the developer was given all of the tools and access to the production database, along with other shared resources. Their network permission level permitted them to view the entire database of clients, company shared documents, and business information, as well as the source code folder, (which was mostly accessed by the developer). For convenience, the developer had a VPN connection to their network which allowed them direct network access from their computer to these network resources.

separation of duties

Unfortunately for our soon-to-be client, the developer’s system was compromised. Unknown to them, the developer was a victim of a phishing attack that proved to be successful. The threat actors did not hit the developer’s system right away, they first hit all of the developer’s client’s networks, and topped it off by finally hitting their main machine.

Because the developer had unrestricted access to confidential information, and the ability to work directly from their computer, (via VPN connection without monitoring or standardizing security practices), hackers had a very easy time with this. They quickly gained access to the external network, and in the span of 3 days, (using the un-monitored VPN connection), off-loaded the entire database of sensitive client information, and encrypted one of their main servers and backups with ransomware.

Not only did this disrupt business, effectively stopping them from working for over a week, but it caused them a huge PR nightmare that they are still dealing with to this day.
Let’s analyze how this happened and what could have been done to avoid this issue all together.

Separate production with development

The developer and internal production should have been separated. The external contractor, (developer), should not have had such broad access to all elements of the client’s data. They should only have had access to what was essential in order to complete their task, (which was the source code folder and related files in this case).

The number of network permissions granted is where most of the issues arose. If the developer had not had access to the entire production database, the data breach would have been very minor.

Monitor Activity

Giving the developer direct VPN access to the entire network was a huge mistake. There should have been some form of activity monitoring in place, whether that be a syslog server, (monitoring all network traffic), or a separate IDS/IPS system.

This would have allowed the network administrator to see what was going on and potentially catch the malicious activity before it did too much damage. The way these intrusion prevention systems, (IPS), work, is that they monitor activity over a span of time to set the baseline for what is considered normal.

If an activity is detected that falls outside the norm of the defined baseline, the software would effectively disconnect the client from the network. If this is configured properly, it’s a very effective tool for restricting activity, (such as data breaches), which normally occur by uploading abnormally large amounts of information in a short period of time.

Limit Access

Most often times, we see that permissions are given out freely to make the administrators’ jobs easier. If you allow access to everything then that will cut down on the trouble tickets coming in asking for permission access. It’s a lazy way of managing a network and opens up many security holes.

We like to operate on the “as needed basis,” that is to only give access to essential and limited resources that are needed in order to perform the work. Limiting the attack surface is the easiest way to prevent breaches. If the target falls victim to a phishing attack or any other scheme, if that user does not have free range access to the network, there is little damage that threat actors can do.
By implementing these precautions, our soon-to-be customer might have avoided this entire scenario.

Cybersecurity is not a single solution; it also covers company procedures, employee education, software, and best practices. Everyone may be a victim of data theft or cybercrime, but the actions we take can significantly minimize this risk.

If your business needs assistance performing cyber security assessment AlphaCIS can help.  We are a Managed IT services Provider specializing in Cybersecurity in Metro Atlanta area.  Please schedule an quick discovery chat with our engineer here.  Or call us directly at (678) 619-1218