
Companies failing to recognise the internal cyber threat

The focus at many companies is on external cyber threats, and internal threats are being overlooked as a consequence, a researcher warns

Businesses need to recognise that cyber threats can come from a wide variety of sources – and not all of them are external, says Graham Cluley, independent security researcher.

“Most often the focus is on external threats such as those posed by cyber criminals, state-sponsored attackers and hacktivists, but a significant threat is also posed by employees who can have authorised access to the company network from behind the firewall,” he told attendees of IPExpo in London.

A classic example of this insider threat is a scam carried out by US brothers Eddie and Tommy Tipton, who abused insider knowledge and physical access to IT systems to improve the likelihood of winning the lottery in the state of Iowa.

Eddie Tipton, a member of the IT security team at the lottery company, ensured that his brother’s company supplied the CCTV camera system that monitored the computer that was used to generate the random lottery winning numbers.

As a result, they were able to tamper with the CCTV’s software so that the camera monitoring the lottery computer recorded only one minute in every 10. This meant that Eddie was able to access the computer undetected to run a software script that would reduce the number of possible winning combinations to a relatively small number on a specific date.

Eddie was then able to give friends and relations the set of possible winning numbers to use when buying lottery tickets, but made the mistake of buying a lottery ticket himself in contravention of company rules.


When the ticket had a winning combination for a $14.3m jackpot, he tried to claim the prize anonymously through a lawyer, but the lottery company was suspicious and CCTV images of him purchasing the winning ticket eventually led to his arrest.

“This case shows that companies can’t always trust their IT staff, even those tasked with keeping systems secure, and security strategies should take that into account,” said Cluley.

Just as IT staff are not to be trusted, companies themselves are not always to be trusted when it comes to cyber security matters either, he said, citing the example of dating site BeautifulPeople.com, which claimed its approval process had been hacked to allow people to join the site who did not meet the company’s requirement of allowing existing members to rate and vet them.

The company issued a press release about an attack by the Shrek Virus that was reported by some news outlets, but investigations by Cluley and others failed to find any evidence of this malware in the wild and the press release was uncovered as a stunt to generate publicity for the company.

“It’s a crazy world,” he said. “But there is a nice little coda to this story. Shortly after the publicity stunt, the company was really hacked and 1.1 million user records were exposed, including a very wide range of personal details. Needless to say the company did not issue a press release on that occasion.”
