Most employees don’t expect to wake up to learn that payday has been postponed due to phishing. And you probably wouldn’t guess that the CFO is running his side hustle from a company computer, or that an employee’s corporate credentials are on the dark web due to work hours spent on dating sites. Lagging internet is no surprise, but discovering that bandwidth is being drained by a worker’s ‘adult-themed’ webcam show is a touch more alarming. Welcome to the life of an IT security professional.
Stories like these are surprisingly typical for IT security professionals. In fact, cybersecurity threats -- both from inside and outside of the company -- have become so large that cybersecurity has taken on a life of its own within the IT sector, and demand for cybersecurity professionals is rising in a big way. According to CyberSeek, a free cybersecurity career and workforce resource, in the U.S. alone “there were 301,873 cybersecurity job openings in the private and public sectors during the 12-month period between April 2017 and March 2018.” Corporate cybersecurity horror stories like the ones you’re about to read are a big reason why.
Hosting an Adult Show on Corporate Servers
While inappropriate online behavior seems to be the main issue in the IT world, many times it’s not demonstrated by hackers, but by internal employees. Raj Goel, founder of NYC-based managed service provider (MSP) Brainlink thought that, in his 20-plus years in IT, he had seen it all. But one recent incident was something he never imagined.
A customer’s CFO called in Brainlink to figure out why their IT department was constantly running out of bandwidth, even after they just spent money on an upgrade.
“These guys had what I would call a ‘fat pipe,’” Goel says, “but for some reason, their IT guys kept saying they were completely full. So I looked and discovered that one of those same IT guys was running a webcam pay-per-view website off the company network. It was a porn site, and apparently his girlfriend and her friends were the talent.”
Even more shocking: This went on for more than two years, and no one caught it—even though this employee’s actions cost the company more than $180,000 and forced it to upgrade its network every three months because it was running so slow.
“The takeaway here was that the CFO should have been more proactive. He would inquire with IT, and they were just giving him non-answers to his questions,” Goel says. “The lesson here is that even if you have an in-house IT team or MSP, it’s important to (at some point) bring in a third-party to do an independent audit or assessment. You need to get a check that you are getting an ROI and that everyone is doing their jobs.”
CFO’s Side Gig
Goel also recalls an incident where a healthcare company called him to do a compliance and security check, and he uncovered the CFO was running a completely separate company from his office.
While Goel notes the exec wasn’t using company resources, he says the employee was still spending half his day running his private import/export business on company time by logging into his home computer remotely. Goel and his team found this out by assessing the network’s firewall traffic. At first, he expected that maybe the problems were stemming from an off-site data center. However, when he approached the CFO, he wasn’t expecting the reaction he got:
“I asked him and mentioned that I was seeing a logon to a remote connection every day, and as soon as he heard this, the guy looked stunned … I thought he was going to have a heart attack, when I told him. At first, he didn’t say, but then admitted he was doing some work on the side for his own business,” Goel says.
Phishing Postpones Payday
Sometimes businesses don’t realize a breach has occurred. And even after discovering one, they don’t always take the necessary security measures.
“An external breach that’s highly publicized could damage reputations, and then the client doesn’t invest in security controls only to find out the hackers never left, and they are still infiltrating their network,” Bart Barcewicz, founder of Chicago-based MSP B Suite Cyber Security, tells Tom’s Hardware.
Take the large manufacturing/distribution company Barcewicz worked for at a previous job. He says about 10 employees there received a phishing email, which they fell for, sending their Office 365 credentials and other login information to unsuspecting hackers. The hackers then used the information to get into this company’s payroll accounts and changed all of the employees’ account information. Because the company didn’t have any alert or security controls installed, the breach wasn’t discovered until two weeks later when employees didn’t get their paychecks.
“If someone had set up rules and authentication, they would have been alerted that information had been changed,” Barcewicz says. “The biggest [problem] was that after this happened, they didn’t want to invest in a cybersecurity solution and didn’t learn from this experience.”
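Barcewicz’s point is that a rule watching for changes to payroll details would have surfaced the attack within minutes rather than two weeks. The following is an added example (not code from the article or from B Suite Cyber Security) of such a rule, run over a constructed audit log of a fictional payroll system: every change to an employee’s bank account triggers an out-of-band notification to that employee, and a burst of bank-account changes for several different employees inside a short window raises a single high-priority alert for the security team. The event format, the timestamps and the threshold values are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit events from a fictional payroll system:
# (ISO timestamp, employee, field changed, source IP of the change).
# Four employees' bank accounts change within minutes from one address,
# which mirrors the incident described above; the rest is routine.
SAMPLE_EVENTS = [
    ("2018-03-01T09:12:00", "alice", "bank_account", "203.0.113.7"),
    ("2018-03-01T09:13:30", "bob",   "bank_account", "203.0.113.7"),
    ("2018-03-01T09:15:02", "carol", "bank_account", "203.0.113.7"),
    ("2018-03-01T09:18:45", "dave",  "bank_account", "203.0.113.7"),
    ("2018-03-02T14:02:10", "erin",  "phone",        "10.0.0.31"),
    ("2018-03-05T10:40:00", "frank", "bank_account", "10.0.0.44"),
]


def parse_events(rows):
    """Convert raw rows into (datetime, employee, field, ip) tuples, sorted by time."""
    return sorted((datetime.fromisoformat(ts), emp, field, ip)
                  for ts, emp, field, ip in rows)


def change_notifications(events, watched_fields=("bank_account",)):
    """One notification per change to a sensitive field, addressed to the
    affected employee through a channel other than the changed account
    (e.g. a phone number on file). Returns (employee, field, timestamp)."""
    return [(emp, field, ts) for ts, emp, field, _ip in events
            if field in watched_fields]


def bulk_change_alerts(events, window=timedelta(hours=1), threshold=3):
    """Sliding-window rule: if bank accounts for `threshold` or more distinct
    employees change within `window`, emit one alert covering that burst."""
    changes = [e for e in events if e[2] == "bank_account"]
    alerts = []
    i = 0
    while i < len(changes):
        start = changes[i][0]
        burst = [c for c in changes[i:] if c[0] - start <= window]
        employees = {c[1] for c in burst}
        if len(employees) >= threshold:
            alerts.append({
                "start": start,
                "end": burst[-1][0],
                "employees": sorted(employees),
                "source_ips": sorted({c[3] for c in burst}),
            })
            i += len(burst)  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for emp, field, ts in change_notifications(evts):
        print(f"notify {emp}: your {field} was changed at {ts.isoformat()}")
    for a in bulk_change_alerts(evts):
        print(f"ALERT: {len(a['employees'])} bank-account changes "
              f"between {a['start']} and {a['end']} from {a['source_ips']}")
```

The two rules cover different failure modes: the per-change notification catches a single fraudulent edit even when nothing else looks unusual, while the burst rule catches the mass change an attacker makes after harvesting many credentials at once. Neither depends on knowing how the credentials were obtained, which is why the rule still works when the initial phishing goes unnoticed.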
Dark Web Despair
Another situation, which Barcewicz has seen occur at multiple clients, is employees using corporate login information (such as their work email addresses) to sign up for personal websites, such as social media and dating services. While accessing these sites is typically frowned upon during working hours, it becomes a security issue when a user’s corporate information is used on a site that is breached and those credentials end up on the dark web. Barcewicz discovered this exact situation after doing a dark web analysis for an engineering firm with 2,500 employees.
Barcewicz also notes another dark web scam gaining popularity, where hackers hijack a user’s computer and threaten to report their inappropriate online behavior to everyone on their contact list:
“They literally say they are recording the user’s every online move, say they have been watching them on webcam and that if they don’t pay in Bitcoins, they will let their contact list know everything they have been doing.”
Barcewicz advises that employees refrain from using work information for anything personal.
“Someone could take that information and then use it for a scam, such as holding your information ransom in exchange for Bitcoin money,” he says.
Fighting the Insanity
One of the reasons demand for security professionals is so large is that they’re not just fighting a flood of threats from the outside; they’re also managing a substantial amount of risk from inside the organization. That risk can come from an employee who has access to servers and other technology, and even more so after an employee leaves—especially if it's not an amicable parting. To remedy this, Barcewicz recommends taking steps like implementing two-factor authentication and installing a password manager.
“The minimum for any business is to use a two-step password authentication when possible, as well as using different passwords by way of a password manager tool,” he says. “We also recommend changing your password (for sensitive websites) every three to six months, but with two-step authentication, this usually doesn’t have to be done as often.”
And Barcewicz practices what he preaches to his clients. He personally uses a web-based password manager that automatically generates a distinct password for every web site he logs into (as well as two-step authentication). He says this is because auto-generated passwords are more difficult to breach. “Hackers aren’t always looking for the exact password,” he says. “They are trying to figure out variations and patterns because they know often they are used this way on other sites.”
Both Barcewicz and Goel say that the moral of these stories is that, for business owners, the best course of action is having a third-party IT security assessor who knows what they are doing.
“A good assessment never hurts,” Goel says. “But you have to spend the money; don’t use someone who is just going to download a free tool and then tell you what you want to hear. You need someone that’s going to look at things like traffic patterns, data, user behavior and other important areas.”
Barcewicz adds that resistance to change has held some clients back from investing in proper cybersecurity. In the case of the client whose payroll was hacked, executives still declined to improve their approach to cybersecurity. “They didn’t want to change how they worked, and money was not the reason at all,” he says. “It was more the resistance to change; that was the main driver.”
What’s your craziest IT security story? Can you top the webcam scandal? Let us know in the comments below.