Posted by Insider Threat
IT sabotage has been an area of increasing interest and concern across government, research, industry, and the public sector. IT sabotage is defined as incidents wherein malicious insiders intentionally use technical methods to disrupt or cease normal business operations of a victim organization. What makes sabotage so compelling a concern is the notion that a few lines of code can put an organization out of business.
In the six years since the last blog post that provided a "deep dive" of IT sabotage was published, new incidents have been identified and recorded in the CERT Insider Threat Incident Corpus. Examples of IT sabotage incidents include the following:
There have also been some changes to the statistics we reported in 2010. As a result of sabotage incidents that happened since then, victim organizations experienced disruptions in business operations (119 incidents, 77.8%) and known reputational damage (10 incidents, 6.5%).
While 86% of insiders who committed sabotage held technical positions in 2010, today that figure is closer to 72%.
Of the 110 malicious insiders who held technical positions, only 19% held active administrator or privileged access at their organization at the time of the incident. An additional 20% of these technical insiders were former employees whose access had not been deactivated, which enabled them to commit sabotage. The remaining insiders held authorized, unprivileged access (15%), unauthorized or revoked access (25%), or unknown access (21%).
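The 20% of technical insiders who were former employees with access that had never been deactivated point to a control that is easy to audit: reconcile HR separation records against the account directory and flag any account still enabled past its owner's departure. The script below is an added example, not code from the CERT blog or the Insider Threat Center; the separation records, account export, field names and the grace-period parameter are all constructed for illustration, and a real deployment would read them from the HR system and directory export instead.

```python
from datetime import date, timedelta

# Constructed sample HR data (not from the CERT corpus): employee id -> last day.
SEPARATIONS = {
    "e1001": date(2016, 3, 1),
    "e1002": date(2016, 5, 15),
    "e1003": date(2016, 6, 30),
}

# Constructed sample directory export: one record per account. "privileged"
# stands in for whatever admin-group membership the directory actually records.
ACCOUNTS = [
    {"account": "jdoe",       "employee_id": "e1001", "enabled": True,  "privileged": True},
    {"account": "asmith",     "employee_id": "e1002", "enabled": False, "privileged": False},
    {"account": "bnguyen",    "employee_id": "e1003", "enabled": True,  "privileged": False},
    {"account": "svc_backup", "employee_id": None,    "enabled": True,  "privileged": True},
    {"account": "clee",       "employee_id": "e1004", "enabled": True,  "privileged": True},
]

# Date the audit is run; fixed here so the example is reproducible.
REPORT_DATE = date(2016, 7, 15)


def find_stale_access(accounts, separations, today, grace_days=0):
    """Return accounts that are still enabled after their owner's separation
    date plus an optional grace period. Privileged accounts are listed first,
    then the most overdue, so the riskiest findings are at the top."""
    findings = []
    for acct in accounts:
        left = separations.get(acct["employee_id"])
        if left is None or not acct["enabled"]:
            continue  # current employee, unknown owner, or already disabled
        deadline = left + timedelta(days=grace_days)
        if today > deadline:
            findings.append({
                "account": acct["account"],
                "employee_id": acct["employee_id"],
                "privileged": acct["privileged"],
                "days_overdue": (today - deadline).days,
            })
    findings.sort(key=lambda f: (not f["privileged"], -f["days_overdue"]))
    return findings


def find_orphaned_accounts(accounts):
    """Enabled accounts with no owning employee. The separation check cannot
    cover these, so each needs a named owner before it can be reconciled."""
    return [a["account"] for a in accounts
            if a["employee_id"] is None and a["enabled"]]


if __name__ == "__main__":
    for f in find_stale_access(ACCOUNTS, SEPARATIONS, REPORT_DATE):
        tag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['account']:<12} {tag:<10} {f['days_overdue']:>4} days past deactivation deadline")
    for a in find_orphaned_accounts(ACCOUNTS):
        print(f"{a:<12} has no owning employee; assign an owner")
```

Running the audit daily and treating any privileged hit as an incident, rather than a ticket, closes the window in which a departed administrator's credentials remain usable; the orphaned-account list catches service accounts that the HR-driven check would otherwise never see.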
In some instances, the insiders who had unauthorized or revoked access compromised accounts to gain system access, which I will explore in Part 2 of this blog series. I will also include some IT sabotage lessons for organizations to learn. Further reading on real sabotage cases is available in the paper Chronological Examination of Insider Threat Sabotage: Preliminary Observations.