Insider Attacks: 5 Lessons Learned from Real Cases

INSIDER ATTACKS,
LESSON(S)
LEARNED

Thiébaut
DEVERGRANNE
Docteur en droit
Consultant

ISSA

INSIDER ATTACKS, LESSON(S) LEARNED
2

Who am i ?

 French expert on IT law
(cybercrime, data privacy)
 +10 years experience in that field ; 6
for the French Prime minister’s
administration (ANSSI) as legal
council
 French bar exam (CAPA)
 PHD on legal aspects of computer
fraud http://www.donneesperson
nelles.fr
 Double background : legal & IT : been
programming for +15 years
(Php, Python, Javascript, SQL, C, C#.
..)
© T. Devergranne –

3

Outcomes of this presentation :

 Observe real life cases of inside attacks
 How this has been managed from a legal perspective ?
 Is there anything we can really do to prevent this ?

5 lessons about inside
attacks…


4

What is an attack ?
 Traditionally and from a purely technical point of
view
 attack = computer hack
 And from a legal perspective ?
 Illegal access
 Data interference
(damaging, deletion, deterioration, alteration
suppression of data)
 System interference (hindering without right of the
functioning of a computer system)
 Analyzing these kinds of cases however only
allows us to observe a very small proportion of
inside attacks
 Why ? Because few organizations consider really
useful (profitable) to sue someone on these basis
 However they happen to lay-off people on these
basis !

5

 Attack = any information compromission
 That’s a little wild isn’t it ?

Protection of Confidentiality
correspondance breaches

Labour law
(breaches to
Computer
regulations of
hacking
information
systems)



6

LESSON 1 :
THEY WIIL
BREAK YOUR
RULES…

7

Provided you have any !
 How can you protect your organization ?
 Create a security policy (ok, nothing really
new…) !
 And use it...
 And communicate it to your employees
 And make sure they know what’s inside this 122
pages long document…

 How do we translate this legally ?
 Transform your security policy into legally
binding rules
 Hint : employee contracts are a good place to
do this
 Hint : there’s usually a way for the employer to
define globally binding rules inside the company
©
(France : « règlement intérieur »).
T. Devergranne –

8

 It protects you against security breaches
 Cass. Soc. 5 July 2011 :
 Ignoring the employer’s security policy, an employee
allowed another person to use her access code to
download confidential information.
 The Appeal Court ruled that this behavior made it
impossible for the employee to stay in the company.
The Cour de cassation approved the Appeal court
considered she legally justified her decision.

 The employee let her colleague use her computer with
her access codes only once. This is enough to be
characterized as a serious mistake and justifies the
employee’s lay-off

 A serious mistake in French labor law is one that make
it impossible for an employee to stay in the company
(Cass. soc. 26 feb. 1991).
 Examples : Being drunk on your workplace (Cass. soc. 22 may
2002), sexual harassment (Cass. soc. 19 apr. 2000),
© downloading unlawful contents from P2P (CA. Paris, 4 oct.
T. Devergranne –

9

 Or students’ misbehaviors (TGI Vannes 13 July.
2005)...
 In a French university 4 students downloaded "John the
ripper" and used it to access other university members’
accounts…
 The Court ruled that their actions fell under « fraudulently
accessing or remaining within all or part of an automated
data processing system » (art. 323-1 c. pen.).
 Interesting point : the students’ defense said they used
John the Ripper to do security tests for the sake of their
courses…
 The Court ignored the argument considering
 it violated the security policy,
 The initiative was ignored from their teachers
 they tried to access secure accounts which hold personal
space/data for each user.

 A security policy allows to avoid any discussion !

10

 Or just regular information theft (TGI Clermont-
Ferrand, 21 June 2010)...
 An Michelin employee tried to resell confidential data to
Michelin’s competitors (Bridgestone).
 His contract had confidentiality clauses
 Stated that he « would not communicate to anyone, except
for the strict working needs (…) any document related to
the Manufacture and its operations and take all necessary
measures to avoid unauthorized access to these
documents or information ».
 Condemned by the Court for « Breach of trust » : 2 years
imprisonment (suspended sentence), 5000€ fine and
10.000€ damages.
 « Breach of trust is committed when a person, to the
prejudice of other persons, misappropriates
funds, valuables or any property that were handed over to
him and that he accepted subject to the condition of
returning, redelivering or using them in a specified way.
Breach of trust is punished by three years of imprisonment
© T. Devergrannea fine of €375,000 »
and –

11

 Or just regular fraud (Cass. crim. 8 Feb. 2012)
 A dentist modified the billing software for
dental procedures so he could apparently bill
less than his colleagues
 And the less he apparently billed the less he’d
pay operational costs to his colleagues who
were sharing the office
 Court decision : confirms 5.000€ fine
sentence from the Appeal Court.

 Can we anticipate this ?


12

 Or even massive fraud (Kerviel’s case CA Paris
24 oct. 2012)
 Jérôme Kerviel’s case ; traded + €50B by hiding
his trades ; Société Générale lost €5B when
exited his positions.
 Appeal Court ruled:
 Breach of trust : Kerviel used his employer’s
resources he had no authorization for (lots of
documents in the case on that point).
 Fraudulent introduction of data into an automated
data processing system : in order to hide his
tradition positions he added fake data into the bank’s
systems
 Forgery (fraudulent alteration of the truth): forged
documents, emails, identities, in order to hide his
positions.
 Kerviel : 3 years prison, ~5B damages


METHODE 1 : LAISSEZ-LUI FAIRE DE L’INTELLIGENCE ECONOMIQUE
SAUVAGE
13

Some things to consider…

 Your security policy is essential !
 Do you have one ?
 Is it simple enough for employees to read
?
 Does it defines smart rules of usage of
your information systems
 Not good : « employees can only use their
computer for personal purpose 15 minutes
per day ».
 Better : « employees can use the computer
for personal uses, within reasonable
limits ».

 Can you anticipate resources
© misuse ?
T. Devergranne –


14

LESSON 2:
THEY WILL
ATTACK YOUR
COMPETITORS
FOR YOU
(WETHER YOU
WANT IT OR
NOT)…

15

1) They will draw your company with
them !
 EDF case against/ Greenpeace in
a nutshell (10 November 2011) :
 EDF fined 1.5 € million as a
company for it’s inability to manage
competitive intelligence contracts
 One year prison for the head of
security
 700.000 Euros fines & torts for all the
persons involved

 Some news !
 EDF fined as a company
 EDF condemned for « receiving »
(possession of goods that came out
of a crime – fraudulent access of an
automated data processing system)
© T. Devergranne – fine/damages
 Huge

16

Main facts
 Case is discovered by coincidence by the police
force (OCLCTIC)
 Originally police officers were investigating
another hack attempts
 They apprehended the hacker in Morocco
 Hard drives were deciphered by the French
ministry of defense
 They reveal a variety of intrusions, amongst
Greenpeace
 Reveals that one of the head of security ordered
the intrusion of Green Peace's systems(emails
hacks, documents…).
 The case is managed through a « competitive
intelligence » contract (4.600 € / month)
 The company that manages this contract is
owned by a former secret service agent (DGSE).
He’s playing middleman between EDF and the
hacker
 From a legal perspective the question is how
does the criminal offence, committed by the
head of security involve the company’s liability?

17

1) Being accomplice of a fraudulent access (323-
1)
 323-1 : « Fraudulently accessing or
remaining within all or part of an automated
data processing system is punished by two
year imprisonment and a fine of €30,000 ».
 Accomplice : « The accomplice to a felony or
a misdemeanor is the person who knowingly,
by aiding and abetting, facilitates its
preparation or commission. Any person who,
by means of a gift, promise, threat, order, or Source :
http://www.theinquirer.fr/2012/02/22/anonymous-
an abuse of authority or powers, provokes promet-de-bloquer-internet-le-31-mars.html

the commission of an offence or gives
instructions to commit it, is also an
accomplice » (art. 121-7 c. pen.).

 The Court’s legal reasoning is very simple
 EDF paid a competitive intelligence contract
 The object of this contract is to hack Greenpeace
systems without rights
 This contract is concluded for the exclusive
© interests of EDF
T. Devergranne –

18

2) Receiving

 Receiving : « Receiving is the concealment, retention or transfer of a
thing, or acting as an intermediary in its transfer, knowing that that thing
was obtained by a felony or misdemeanor. Receiving is also the act of
knowingly benefiting in any manner from the product of a felony or
misdemeanor. Receiving is punished by five year imprisonment and a
fine of €375,000. »

 Court’s decision:
 EDF willingly kept a CDROM containing emails and documents from
Greenpeace in its offices.
 This CDROM is the product of an illegal access of Greenpeace’s data
processing systems.
 EDF agents benefited from these products : « they had a « white card » to
ensure the security. They didn‟t act for their own accounts but to the
exclusive interest of EDF who benefited from this illegal CDROM ».
 EDF is guilty from receiving

19

3) The court’s rulings

 The head of security « acted in the
name and in the interest of their
employer ; EDF is guilty of receiving
and being accomplice of fraudulently
accessing a data processing system ».
EDF is fined €1.500.000 €
 Lack of management of it’s competitive
intelligence contracts
 No real control over internal resources
and their usage


20

Everyone does it anyway

The main risk is getting caught

It‟s a necessary
Our competitors do disease
worse
There are no consequences !
Adaptation phase Acceptation phase Crime


21

Information, official
documents stating the
company‟s position
External
audits
Training Sanction
s

Adaptation phase Acceptation phase Crime


22

2) See the magic they can do with their old
access codes !

 CA Paris, 27 mars 2002 :
 the former employee of an press agency used his
old access code to penetrate his systems
 He worked for his main competitor
 Used these access code to gather information
quicker
 The employee did this on his own account
 Art. 323-1

 PROTECT YOUR ORGANIZATION: deactivate
old access codes as soon as the employees
are gone !

 Beware, there’s a major legal risk if this kind of
behavior is tolerated inside a company.

Prohibit them…
©  Devergranne –
T.

23


 Anticipate misbehaviors
 Business Intelligence contracts : impose
only legal ways to gather information
 Transfer the legal risk to the contractor



24

LESSON 3:
THEY WILL STEAL
YOUR MOST
VALUABLE GOODS !

25

Consultants !
 TGI Paris 1 June 2007
 The CEO of a small company discovered that the press
published an article containing confidential information
from the company
 He files a criminal complain to the police for data theft
 The police investigates the case and discovers that the
CEO’s emails had been hacked for the last 2 years
 The investigations showed that the hacker was a former
(security) consultant that had been given an access to
the email access code when he worked for the
company…
 He kept using the codes and extracted confidential
information from the company for the last 2 years
 He sent these information to his brother who worked for
an competitor.
 Court’s decision : 6 month imprisonment (suspended) +
~ 8.000€ damages

26

Save the employer’s documents

 Well set security policies allow you to take action !
 CA Bordeaux, 27 march 2012 : it’s a serious mistake to
transfer 261 confidential documents to an employee’s
personal email address when you have signed a
confidentiality agreement (lay-off).

 Allows to stop employer’s data misappropriation !
 T. corr. Clermont-Ferrand, 26 sept 2011 : a former
employee stole client data (client listings) from his
former employer and used them for her own account (3
month imprisonment - suspended).


27

Employer’s cash

 CA Toulouse 15 June 2010
 The employer gave a credit card to one of
his employees
 The employee used the card to pay for
personal stuff online
 Court’s decision : the employee fraudulently
obtained the goods from the employer

Article 313-1 French penal Code
“Fraudulent obtaining is the act of deceiving a natural or legal person by
the use of a false name or a fictitious capacity, by the abuse of a genuine
capacity, or by means of unlawful maneuvers, thereby to lead such a
person, to his prejudice or to the prejudice of a third party, to transfer
funds, valuables or any property, to provide a service or to consent to an
act incurring or discharging an obligation.

Fraudulent obtaining is punished by five years' imprisonment and a fine of

28

Employer’s client files

 Cass. crim. 20 Oct. 2010
 An employee of a security company was tasked to
create 5 CDROMs of the entire client base. Every
CDROM is addressed to his superior, except
one, that got lost.
 After his lay-off, this employee was recruited by a
competitor as the head of sales.
 After investigation, it was found that the competitor
had the exact same client file than the original
company…
 The company filed a criminal complain for thievery
and receiving
 Art. 321-1 : “Receiving is the
concealment, retention or transfer a thing, or
acting as an intermediary in its transfer, knowing
that that thing was obtained by a felony or
misdemeanor. Receiving is also the act of
knowingly benefiting in any manner from the
product of a felony or misdemeanor. Receiving is
© punished by five years' imprisonment and a fine of
T. Devergranne –

29


 Did you clarify how your company
resources are to be used ?
 Anticipate misbehaviors !
 Any resource given to employees should
be clarified to what extend it can be used

 Protect your clients files !
 For companies : this should be one of
your main priorities
 Do you know precisely who has access to
your client file in your company ?



30

LESSON 4:
THEY WILL
REVENGE !

31

Claranet Case
 T. Corr. 20 feb. 2001
 A former employee of Claranet (French ISP)
launched a DDOS against his old employer
 He did that from his (new) work (France
Explorer, one of Claranet’s competitors)
 Using his company’s resources
 He sent email massively in order to DOS the
mail server
 The Court condemns him for obstructing and
interfering with the functioning of an
automated data processing system.
 Art. 323-2 c. pen. : “Obstructing or interfering with
the functioning of an automated data processing
system is punished by five years„ imprisonment
and a fine of €75,000”.
 8 month prison (suspended) & 3000€ fine
 50.000€ damages
 (Luckily) His employer was not fined for the
actions of his employee…


32

White knights !
 One of my clients (case is currently under police
investigation)
 Has an online business, the business is thriving !
 One of his former contractors heard about how much cash
gets in the business !
 He’s not too happy about it…
 Hacks multiple websites and destroy their content
 Leaves my client with dead websites

 Some lessons
 Beware who you work with
 Write a contract – add confidentiality agreement (amongst
other things)
 If that happens to you, analyze the liability of everyone who
worked on setting up your information system

 Vengeance cases are very classic (TGI 8 june 2006) –
DDOS example
 Not insider attack per say, but mail bombing from a former
client of a company (24.000 messages)
 The hacker during court hearings « I acted as self defense »
and « I had no bad intention »
 None of this makes sense…

33


 Vengeance is common
 Computer hacks are usually easy to set
up (especially if you have access codes)
 You NEED to set up a procedure to
prohibit any access to your systems by
any employee who leaves the company

 Anticipate potential conflicts
 Some information are bound to stay
secret (not all employees can handle it).


34

LESSON 5:
THEY WILL
SUE YOU !

35

 CA Paris, 11e ch. A, 17 déc. 2001 (école de chimie de
Paris) :
 The head of a laboratory asked the Network admin / CISO
to put a student who seemed to be at the origin of a security
incident under surveillance
 In particular the Network admin intercepted private emails
 One of these emails gave precise proof that the student
fraudulently accessed another student account and stole
data
 The head of the laboratory asked the student to end his
PHD in Germany
 The student took the proofs and filed criminal charges for
violation of his personal correspondence
 Both the CISO and the Head of the laboratory were
criminally convicted for violation of his personal
correspondence…

 Beware how you get your information.

36


 Let police officers do their jobs…
 CISO != police prerogatives

 Beware private correspondence !
 Protected worldwide !
 Establish clear rules to distinguish
private/company correspondence
 In case of doubt : consult your lawyers
right away


37

CONCLUSION

38

Regular trainings

Legal risks
Q&A services

Audits

39

Questions
?

Thiébaut
DEVERGRANNE
Contact : td@hstd.net

http://www.donneespersonnell
es.fr

Insider Attacks: 5 Lessons Learned from Real Cases

Recommandé

Recommandé

Contenu connexe

Similaire à Insider Attacks: 5 Lessons Learned from Real Cases

Similaire à Insider Attacks: 5 Lessons Learned from Real Cases (20)

Plus de Thiebaut Devergranne

Plus de Thiebaut Devergranne (6)

Dernier

Dernier (20)

Insider Attacks: 5 Lessons Learned from Real Cases