On Sunday night, Tesla CEO Elon Musk sent an email to all employees alleging there was a saboteur within the company’s ranks. Musk said this person had conducted “quite extensive and damaging sabotage” to the company’s operations, including by changing code to an internal product and exporting data to outsiders. IT security experts commented below.
Chris Morales, Head of Security Analytics at Vectra:
“Users on corporate networks are usually part of a “trusted” group. For example, while on a corporate network, employees typically don’t need to perform the same extra authentication steps necessary to connect to services and applications that they do when they are connected from home. As a result, they can move around fairly freely. Cyberattackers typically steal employee credentials in order to enjoy the same freedom of movement while they spy, spread and steal. In this case, an employee became an insider threat. In either the case of a cyberattacker or a rogue employee who is an insider threat, enterprises benefit from internal monitoring that can detect suspicious behaviour in order to prevent damage. We see an increasing number of organisations using AI and advanced analytics to address these use cases.
Trusted users always pose the highest risk as they have the means and only lack the motivation. In this instance, the motivation sounds personal, and that is quite often the case in corporate sabotage. It is not clear how this event was detected, but it sounds like it was discovered after the damage already occurred and there is still work to uncover the extent of that damage.
I see this as a problem between approved and unapproved behaviour as it was a trusted user who obfuscated their actions with fake accounts that clearly should not have existed or should not have been used to make changes to production code or to transfer large volumes of data to untrusted third-party entities. The challenge is in understanding the difference in approved and unapproved behaviours as they occur and to prioritise the riskiest behaviours so that an immediate response can be formulated, before the damage is done.”
Joseph Carson, Chief Security Scientist at Thycotic:
“This is a major reminder of why Privileged Access Management is a must-have for organisations that deal with sensitive information or personal information and why least privilege is a practice being adopted by many organisations. Most organisations, while they attempt to secure and protect privileged access, continue to do it based on what they know, which in most incidents is not accurate. Organisations continue to fail at the most important aspect of restricting privileged access, which is proactively discovering privileged accounts in the environment, and it appears that Tesla have failed to do that most important step in least privilege, which is discovering and detecting unapproved privileged access.
This will likely be a major lesson for Tesla, and hopefully this is not related to the recent accidents with their vehicles, which I am sure the regulators will be looking into if they are related. It shows why privileged access was moved to the #1 project for organisations in 2018 according to Gartner, so such incidents are less likely to happen in the future.”
Bill Evans, Director at One Identity:
“What do the numbers 17.95 and 4.84 have in common? I’ll tell you. Tesla stock has dropped $17.95 today which equates to 4.84% of the company’s value (and it’s only 10:30 AM ET). This is on the heels of Elon Musk’s email extolling the damage being done by an insider with perhaps too much access.
If ever there has been proof of the need for better cybersecurity, this is it. It appears that even Tesla has not completely solved this challenge. To be clear, the challenge as laid out here likely lives in two areas – first, access governance. Access governance is ensuring the right people have access to only the right stuff at the right time. By ensuring those that create code can’t also insert this code into production environments, organizations can limit their risk and exposure. Second is privileged access management (PAM). PAM is making sure that an organization can control, audit and secure those individuals with elevated or admin access.
While it’s impossible to determine exactly what happened at Tesla, smart organizations have already deployed access governance and privileged access management to help mitigate cyber risk.”
Thomas Richards, Associate Principal Consultant at Synopsys:
“Internal threats can produce a great deal of damage as they are already inside your company and authorised to access sensitive company data and assets. To counter any internal threats, organisations should fully test all code and track employee changes based on a bug tracking system or changelog. This provides answers to questions such as ‘did the person carry out what was required to resolve the issue at hand?’
“Although companies need to inherently trust their employees, all work should still be monitored and verified before code can enter production. Any unnecessary or unusual access to code and resources should be investigated. All login attempts both successful and not successful should be monitored and reviewed for inconsistencies. Sensitive data including code or other organisational assets should also be protected and segmented from general access inside the environment. Additionally, workstation controls should be put in place to prevent employees from moving data onto removable media. Account creation and authorisation should be handled by a centralised group who will vet and verify requests for account creation and access.”
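The controls Carson and Richards describe, discovering privileged accounts that were never approved, checking that only authorised accounts change production code, and reviewing failed logins and large data exports, can be reconciled in one pass against a register kept by a central account-creation group. The script below is an added illustration, not code from any of the quoted vendors or from Tesla; the account names, roles, audit events and thresholds are all constructed.

```python
"""Reconcile privileged access and audit events against an approved-account
register. Added illustration; every value below is constructed sample data."""
from collections import Counter

# Constructed export of who currently sits in the privileged group.
PRIVILEGED_MEMBERS = {"alice", "bob", "svc-build", "deploy2"}

# Constructed register maintained by the central account-creation group.
APPROVED = {
    "alice": {"developer"},
    "bob": {"developer", "prod-deploy"},
    "svc-build": {"ci"},
}

# Constructed audit events: (timestamp, account, action, outcome, detail).
EVENTS = [
    ("2018-06-18T01:02", "deploy2", "login", "success", "10.0.0.7"),
    ("2018-06-18T01:05", "deploy2", "prod_push", "success", "mes-repo"),
    ("2018-06-18T01:20", "deploy2", "export", "success", "4800"),
    ("2018-06-18T09:00", "bob", "prod_push", "success", "mes-repo"),
    ("2018-06-18T09:30", "alice", "export", "success", "120"),
    ("2018-06-18T22:01", "alice", "login", "failure", "203.0.113.5"),
    ("2018-06-18T22:02", "alice", "login", "failure", "203.0.113.5"),
    ("2018-06-18T22:03", "alice", "login", "failure", "203.0.113.5"),
]

def unapproved_privileged(members, approved):
    """Privileged accounts with no entry in the approved register."""
    return sorted(a for a in members if a not in approved)

def unauthorised_prod_changes(events, approved):
    """Production pushes by accounts that lack the prod-deploy role."""
    return [e for e in events
            if e[2] == "prod_push" and "prod-deploy" not in approved.get(e[1], set())]

def failed_login_spikes(events, threshold=3):
    """Accounts with at least `threshold` failed logins."""
    fails = Counter(e[1] for e in events if e[2] == "login" and e[3] == "failure")
    return {a: n for a, n in fails.items() if n >= threshold}

def large_exports(events, limit_mb=1000):
    """Export events whose size (detail field, in MB) exceeds the limit."""
    return [e for e in events if e[2] == "export" and int(e[4]) > limit_mb]

def review(members=PRIVILEGED_MEMBERS, approved=APPROVED, events=EVENTS):
    """Combine the checks into one report for the security team."""
    return {
        "unapproved_privileged": unapproved_privileged(members, approved),
        "unauthorised_prod_changes": [e[1] for e in unauthorised_prod_changes(events, approved)],
        "failed_login_spikes": failed_login_spikes(events),
        "large_exports": [e[1] for e in large_exports(events)],
    }

if __name__ == "__main__":
    for finding, hits in review().items():
        print(f"{finding}: {hits}")
```

In the constructed data, `deploy2` holds privileged group membership without ever being approved, pushed to production and exported a large volume, which is exactly the combination the commentators say should be caught as it occurs rather than after the damage.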
Thomas Nuth, Director at Nozomi Networks:
“The recent allegations of internal sabotage from an employee of Tesla highlight the need for real-time visibility and cybersecurity at all areas of critical operations. In the case of Tesla, reports allege that internal sabotage led to multiple fires within the painting of the Model 3, production inefficiencies leading to ramp-up failures and possible IP leakage to external organisations. At Nozomi Networks we believe operational and cyber vigilance is as important for managing internal threats as it is against external threats.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.