The IT guy who shut down 90% of his network on purpose

Sometimes, the biggest threat to a business lies within – that’s the lesson that Citibank learnt when a disgruntled employee managed to shut down 90 per cent of its US network.

Lennon Ray Brown, who worked full-time for Citibank, was recently found guilty of causing intentional damage of a protected computer. According to the court report, he transmitted a code and command to ten core routers at the Citibank Global Control Center. As a result, nine of the routers had their configuration files erased, causing most of its North American network to go down.

Identifying and preventing insider threats is something that all businesses must think about, as an incident like that above could happen anywhere.

There are lots of different reasons current employees choose to attack a business from the inside. In this case, it seems Brown was an emotional attacker, as the text message from him to another co-worker sent just after he shut down the network indicates:

“They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it takes something like what I did to wake the upper management up. [sic]”

Signs of a potential attacker

Other employees might just be opportunists who believe they can get away with it, or they could be employed to gain access to a company from the inside. In most cases, attackers want to achieve one of two things: to harm the company in some way, or steal/commit fraud for personal gain.

Luckily, there are a number of things organisations can look out for in order to prevent attacks from rogue employees:

Displaying signs of dissatisfaction, usually vocally
Error log evidence – some attackers may forget to cover their tracks by erasing log files
Poor social skills, addiction to drugs or alcohol, past history of rule violation
Evidence of collecting information – e.g. testing countermeasures
Unusual computer usage patterns

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The IT guy who shut down 90% of his network on purpose

Signs of a potential attacker

Categories

Horsham Office: 01293 871971 | London Office: 0203 763 3919 | IT Support: 01293 876000