Insider Threat Management

Ex-Employees and Malicious Insider Threats: Three Takeaways from the WPML Incident

Share with your network!

Disgruntled ex-employees can wreak havoc on an organization if they decide to retaliate and become a malicious insider threat. According to a recent report, a former employee at WordPress Multilingual Plugin (WPML) allegedly left a backdoor to the administrative console of their website, spamming the company’s more than 600,000 users and editing the site to include “Security Holes” as a feature of the product.

WPML said in a blog post, “Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.” The company took action by updating the site and securing access to the admin console using two-factor authentication.

This hack is a cautionary tale of what can happen when trusted employees become insider threats, but the good news is there are plenty of preventative measures organizations can take when it comes to keeping their data and systems secure.

1. Understand that Insider Threat Management is a Team Sport.

It can be hard to uncover an insider threat incident in progress (before it’s too late) without having a strong collaboration between the cybersecurity, HR, and legal teams. Regular communication between these groups is key in every stage of an evolving insider threat -- from the first potential indicators all the way through the conclusion of the investigation process.

For example, HR is often the first to know when an employee gives notice, and may have critical insight into the employee’s state of mind at the time of resignation or dismissal. These insights can help uncover key indicators that a soon-to-be-former employee may become an insider threat. Alerting the cybersecurity team to high-risk users can help stop potential incidents from taking place. Finally, a strong offboarding process that involves both HR and the security team can prevent outgoing employees from having unauthorized access to corporate applications and systems.

The factors motivating an insider threat can range dramatically -- from financial, to emotional, to political. In WPML’s case, they may have seen the employee exhibit signs of frustration, which would motivate him to leave a backdoor into the company’s admin console on the way out the door. A collaborative environment can help keep a company on its toes when it comes to monitoring a potential insider threat.

2. Know Your Insider Threat Indicators for Privileged Users.

The exiting employee at WPML seemed to be a privileged user who had access to administrative credentials and databases that contained user information. Privileged users can be the most risky kind of insider threat, because of their intimate knowledge of corporate systems.

There are many indicators that a privileged user may become an insider threat. For example, they may escalate their privileges to gain access to certain databases or areas of the server that have nothing to do with their day-to-day jobs. Or, they may grant liberal privileges to another employee without authorization.

In the WPML scenario, the company believes that the ex-employee used an old administrative password, and left a hole for himself prior to leaving the organization so he could execute the attack. The company’s response of deploying two-factor authentication on its administrative accounts was a smart move, as it can provide an additional layer of account security to thwart future attacks.

Companies with multiple administrators might also consider using temporary or rotating credentials to prevent unauthorized access, using a password vault  or identity and access management (IAM) software. Generally speaking, organizations should limit privileged access to only those that are absolutely required to have it. This best practice is often easier said than done; as an organization grows, the number of people with administrative credentials tends to trend upward. Regularly auditing privileged access is the best way to keep this “privilege creep” under control.

3. Deploy User Activity Monitoring to Ease Insider Threat Investigations.

The insider threat investigation process can be a lot more challenging without the right visibility to understand who did what, when, and why. User activity monitoring software like Proofpoint ITM can help cybersecurity teams detect suspicious activity before the damage is done. Teams can also quickly investigate previous insider threat incidents, since they can view the context into user actions on a single timeline.

Understanding user activity and patterns of data movement can be extremely useful to other teams involved in the investigation process as well, including HR and legal. These teams can help provide additional color to the cybersecurity evidence trail, and allow the proper legal action to be taken in a timely manner, if necessary. Often times, full context into the incident exonerates insiders who may have accidentally caused an insider threat.

Managing the minefield of potential insider threats can seem like a daunting task, but with the right people, processes, and technology in place, organizations can protect their customers, employees, and sensitive data from potential threats similar to the WPML incident.