Whoops, we hired a thief: the insider threat

Thursday, 29 June 2006

One in a growing list of incidents is that of an Indian call-center employee of London-based HSBC who siphoned off close to half a million dollars from the bank. In this case the bank failed to properly verify the new employee's background before hiring him into the call-center. A simple call to the phone number on his job application would have revealed that his details were false: he appears to have given a bogus phone number as well as a fake address, so investigators cannot even track the perpetrator.
"But we are protected from hackers..." Are you really?
Much about data loss and hackers has been making the rounds in the news of late. What is becoming more of a concern, but is often overlooked, is the threat of rogue employees. Corporations and businesses have paid a great deal of attention to securing the network from external Internet attacks, but have largely ignored the possibility of an attack originating from within their trusted borders. As incidents that encompass everything from corporate spying and fraud to data mining and logic bombs rise at an alarming rate, employees are becoming the threat to watch for. From missing background checks to flawed internal collaboration software, two seemingly unrelated items in terms of security, the explicit trust granted inside the corporate intranet is most to blame for these attacks.

Employees may turn to the dark side for many reasons: lack of recognition in the workplace, financial difficulties, or just plain revenge. There are many ways to keep attacks to a minimum, starting with proper screening and background checks of potential and current employees. Common sense and thoughtful planning across all areas touching IT infrastructure, even those that seem unconnected, will help prevent losses to your reputation and bottom line.

Just like the attack trends Zone-H sees on the Internet, web applications are the leading vector for gaining a foothold. The possibility of your internal applications being the starting place for an attack is often overlooked as a security concern. Couple this with a bad employee, and your chances of losing valuable assets increase exponentially.

Often I add my experience as a penetration tester to my articles, and this one is no exception. During a recent audit, the target was indeed very secure from external attack, until I was given a guest account on the SSL-protected web-based application used for job duty queuing, to test the internal integrity of the target infrastructure [something often overlooked in these types of tests].
The application was found to be vulnerable to JavaScript injection (stored cross-site scripting) in several user-supplied fields: when the stored content was viewed by other users, the attacker's code executed in their browsers. A flaw of this nature can be leveraged into complete compromise of your infrastructure, loss of confidential corporate assets and other losses. Companies should remember not only to verify employee information and perform background checks, but also to have internal applications tested during security audits just as much as any other IT asset. While there is no single solution to stop this trend, thoughtful emphasis on security should be placed on all IT resources, both external and internal. " ... meet Joe, our new employee who will steal us blind."