15
thoughts on this insider threat case?
(lemmus.org)
quick case study for the cybersec folks here. got this real story in my dpo class & wanted ur thoughts.
IT guy at a bank, last day of his notice period. a trainee saw him puttin some CD-ROMs in his bag & told security. they checked him at the exit and found a full export of the bank's top clients on the discs. guy got fired for gross misconduct & a police complaint was filed.
any red flags or stuff that stands out to u technicaly or otherwise ? i have my own ideas on this cas but curious what u guys think first?
thx ๐
And lastly, insider threats like this are really not easy to mitigate. You said that in this example it was an IT guy. There are lots of different ways to export data from a system when you have privileged access to servers.
There was a recent case in South Korea where it was bypassed by just writing it down with pen and paper manually.
That was one of the little things I remember from one of the various Warthunder leaks. The guy was sharing military secrets by copying the info by hand but only got caught after he started copying the documents in other ways because he felt like people weren't giving him enough respect for his handmade copies.
Hell, even a small camera would work great. It'd be faster too.
hey! thx for the reply. your points hit exactly on what i've been obsessed with lol.
"Why is the IT guy trusted...?" & "Why does he have access...?" totally agree, huge mistakes. but what if they actually didn't trust him? maybe they cut his privs to the bare minimum but since he knows the system, he found a loophole to bypass the DLP. in my class, everyone laughed bc CD-ROMs are "obsolete tech"... so did the sec team underestimate this attack surface? maybe they blocked USB ports & set alarms for external drives but forgot the optical burner? or maybe it was just easier to bypass optical media rules without triggering anything.
"Is access to the database monitored?" maybe he knew the exact threshold before a system alarm goes off? that would explain why he only picked "top" clients instead of the whole DB. plus, fitting a full banking DB on a few CDs is technicaly impossible anyway, so he had to cherry-pick.
my intuition is also on the trainee reporting it. why him/her? that's a break in the incident reporting process. where were the managers? the fact that it's neither a colleague nor a manager makes me wonder if it was a single-man job. any accomplices? i've seen enough teams to know that when ppl feel frustrated or abused, they tend to turn others against the board. keeping someone on notice after firing them is a massive danger for this exact reason.
what do u think?
--