Recently, while reading the news I found one interesting and, in my opinion, funny case about employee-privileged abuse. Long story short, Nicholas Berthaume, a former communications analyst of the board of governors of the Federal Reserve System has installed unauthorized software on a Fed server to mine bitcoins and was caught doing this. There are no statements about how much time he had spent mining and how many bitcoins he had earned for this; it was probably for some “not short” length of time…
This is a simple case, but why have I even bothered to write this article? The fact is that my predictions are that cybersecurity will be more and more essential in the future, and this case suggests that even in such organizations as Fed, cybersecurity is not that good as it should be, and here is why.
Berthaume’s role was communications analyst; this role supposes having admin (privileged) rights to manage servers, network devices such as backbones, routers, and firewalls. OK, you have access to all these and you think: “Let me farm some bitcoins!“(Is he greedy or is his salary is too low?) He probably knew that the cybersecurity in his organization was not that good (we are talking about Fed, not a village school, it should be!), and he simply installed a bitcoin mining software on a server (Do servers there in Fed contain a large amount of graphic cards or did he expect to farm for ages?) and created a VPN account to access the Fed network from home, probably watching on a big TV screen how fast he was becoming rich. But what made my day is that “Berthaume initially denied any knowledge of the wrongdoing. Later (how much “later” I wonder?), however, Berthaume remotely deleted the software that he had installed in an effort to conceal his actions.”
So, you are a Federal Reserve cybersecurity specialist, and you’ve spotted, somehow, installing some suspicious software (I think it wasn’t a momentary alert, it took some time), and you find a person who is a potential actor and just ask him – “Did you install this software?”(Of course, he will answer – “Yes, I just wanted to mine some coins for a beer!“). You don’t restrict his access, you don’t block ongoing traffic on a firewall from this server made by this software (by the way, why the hell are you allowing traffic to bypass through the 8333 port or did Berthaume reach the firewall’s access lists?), you just ask him and then wait until someone deletes it remotely to catch him? Oh, you are lucky (or you know that this person is not smart, then why did you hire him?)… Using these kinds of access rights, he could make “something more” than just delete his goldfish…
Well I hope that this the following are not just nice words: “Berthaume’s actions did not result in a loss of Board information, and we have been informed that the Board has implemented security enhancements as a result of this incident. This case demonstrates how my office will vigorously pursue Board employees who unlawfully abuse their positions and use government property for personal gain.” Real cybersecurity enhances the situation with proper alerts about any changes made to a firewall (with properly configured access lists), on servers, user session videos recording critical ones, and so on. Netwrix Auditor helps IT pros detect any critical change in IT environment.
Nowadays, there are many dangerous threats that are becoming more complicated and harder to track than this, which means all security specialists must be real professionals and must set up their IT environments properly. The insider threat detection is not a joke but is the most common security challenge, so you should be prepared!
