He is the nightly security guard. When he speaks, it is courteous, intelligent, and charming. His smile is disarming, yet you think nothing of it when you clock out, leaving him to guard the building overnight.
Part of his responsibilities is to operate the access control systems, including taking the backup tapes from the server room and delivering them to an overnight systems admin for storage. But what you don't know is that he has full root privileges to every system on the network, not to mention the administrative rights to every access control that can override any privilege as well as root access itself on your servers.
That person was me from 2007 to 2009 - just another day in my life. This is a lesson on the importance of maintaining a constant vigil against the possibility of insider threats.
The risk of an insider threat within a company or establishment can pose just as much a threat if not more than an outside threat actor. This is largely due to the proprietary and/or sensitive nature of the information that can be gleaned within the inner sanctum of a business.
While malicious insiders like myself statistically are less a threat than negligent employees who make up 62% of all incidents, the numbers only account for the threats that are known.
What about unknown factors? Well, let’s bring one to light. This one involves a true story about a fugitive hacker who slipped past United States Customs in an effort to leave the country by cargo ship.
When Physical Security and Access Controls Fail
After days of researching the best ways to flee the country, I discovered that leaving the country by cargo ship is one of the tried and true ways to exfiltrate the US without a trace. My target ship in question? The CMA CGM Coral.
I knew the captain's dirty little secret: he was disabling the ship's Automatic Identification System (AIS) tracking beacon in international waters. Essentially, turning it into an untraceable ghost ship. This is patently illegal. Disabling a ship’s AIS is a huge red flag that can indicate that the vessel does not want to be tracked because it is engaged in various shady activities.
The CMA CGM is one of the largest cargo shipping companies in the world and boasts of fighting illegal trafficking of protected species. However, I found a captain willing to smuggle a friend and me to Port Harcourt, Nigeria.
Why, you might ask? Because we were disguised as Israeli ivory dealers. Also, after mentioning his disabled AIS beacon, the statement alone constituted blackmail, and I am certain he knew I had him dead to rights.
If the look on the captain's face could spell any word, it was "impossible." He was abjectly shocked that I knew about the AIS beacon, and I hoped to use that to our advantage in fleeing the country.
While I cannot disclose the exact method I used to discover this ship, I did use marine tracking software in conjunction with a list of boats I knew would be making port at Dade Island in Miami. That gave me a point of reference and helped me narrow down the right ship we would use to leave the country.
Reaching the ship was a harrowing endeavor because I did not know which area of the port it was docked in. I also had no passport, no ticket, and no shuttle to take me to the ship. Nevertheless, we appeared as tourists and milled about a throng of people whose documents were being checked by US Customs agents, who then directed them to their designated shuttles.
We navigated around the agents in plain sight. Mind you, we were the only two people this side of Miami wearing backpacking gear towering over our heads. That is to say, we were not very inconspicuous. So, we had to sidestep, sit, stand, and maneuver around the agents while surrounded by tourists to keep from being stopped.
We went inside an information center to ask for directions, which did not turn up anything useful. A shuttle driver directed us to a nearby dock saying he thought the CMA CGM docked right ahead of our position.
The only issue was that it was guarded by a manned police cruiser parked facing a guarded checkpoint, a gauntlet of Customs agents with drug-sniffing dogs, and occupied by hundreds of shipyard workers. We were not tourists, and we were not passengers. We had no passports, no tickets, and no business being on the island.
We passed the police cruiser. The officer was too preoccupied playing Candy Crush to even notice us. Next was the guarded checkpoint. What is important about this particular dock is that it actually did not have passenger ships.
This dock was for freight, and we were the only two people who did not have a yellow hardhat and vest. Still, we managed to walk in broad daylight to the end of the dock and found ourselves at a dead end.
The police cruiser and checkpoint were access control components strategically positioned to deter authorized individuals and validate authorized personnel cleared to leave and enter this particular dock.
We just walked past everyone, without being stopped. Once we reached the end of the dock, we realized the directions were not accurate. We turned around and walked back, this time, past a line of Customs agents and their drug-sniffing dogs. Not one seemed to notice our presence as an irregularity.
When Employees Aid Unsuspecting Insider Threats
After gaining access to yet another protected area of the island, we found ourselves walking along train tracks leading into the center of the island where our ship was docked.
Unbeknownst to us, Customs had been receiving reports about two guys traveling out of bounds within the island, but they could not pinpoint our whereabouts. We were deliberately staying out of view of the surveillance cameras.
Suddenly, a Customs agent in a patrol car pulls over on the other side of the fence and orders us to stop. We kept going, ignoring him. Then out of nowhere, a shipyard worker driving a truck pulls up to the patrol car and shares a few words with the agent, before crossing to our side and stopping in front of us.
“Are you guys insane?” - he shouts out the driver's side window. “Don’t you know that Customs agent was going to arrest you? What are you doing over here?” He signaled us to throw our gear in the back and hop in.
I speak with my perfected Israeli English accent, telling him we are merely trying to reach the CMA CGM Coral. He takes us straight to the ship. This is a perfect example of when employees ultimately end up as a pawn in the game played by an insider threat.
We were foreigners from Israel, and we looked and sounded like foreigners. We did not know how things worked. Therefore, in an effort to quickly remedy the problem, he conveniently tried to help us knowing that we were supposed to be on a shuttle and not in his truck. This is where playing the Good Samaritan can expose a company to outside threats.
Now, the Coral is an English ship, and it was destined to make port in Spain. However, with my knowledge of their AIS beacon, the captain agreed to make a deviation to Nigeria after I generously promised to reward him with ivory.
He told us he would put us on the passenger manifest to avoid any issue with Customs, on the condition that we each pay him $1,500 a piece to compensate for the deviation in travel plans.
My traveling companion and I discussed the terms in Hebrew - by reciting prayers we knew in Hebrew, since we did not actually speak the common vernacular. This gave the illusion that we were having a discussion, though we both knew there was nothing to discuss.
The Moral of the Story
Well, the story ended there. We did not have that kind of money, and being a novice negotiator, I did not press the issue to escalate the blackmail. If this tale had involved two radical extremists motivated to hurt people, it might have unraveled very differently.
But we were simply two guys trying to flee the country. We knew how to avoid specific physical access controls when we could, play the roles of hapless foreigners, gain the sympathy of a Good Samaritan, and gain access to a ship without a ticket, with secret information to persuade the captain to do what we wanted.
If there's one takeaway here, it's this: never deviate from your security plan. But most importantly, maintain a constant vigil over your various over-access control systems. Security is only achievable if your access control points are being managed by competent individuals who consider security their priority.
This includes those assigned to enforce local security policies. If their attention to detail is insufficient, that could spell disaster when someone like me appears.
An article by
Jesse McGraw
Edited by
Ana Alexandre
