this post was submitted on 29 Jan 2026
9 points (90.9% liked)

Cybersecurity

quick case study for the cybersec folks here. got this real story in my dpo class & wanted ur thoughts.

IT guy at a bank, last day of his notice period. a trainee saw him putting some CD-ROMs in his bag & told security. they checked him at the exit and found a full export of the bank's top clients on the discs. guy got fired for gross misconduct & a police complaint was filed.

any red flags or stuff that stands out to u technically or otherwise? i have my own ideas on this case but curious what u guys think first?

thx 😎

top 17 comments
[–] cron@feddit.org 13 points 2 days ago (2 children)
  • Why is the IT guy trusted with access to sensitive data after handing in his notice?
  • Why does he have access to data that is probably not related to his job?
  • Is access to the database monitored? It should trigger an alert if an employee accesses lots of data.
  • Apparently, he successfully bypassed the DLP (Data Loss Protection) systems in place by using optical media.

And lastly, insider threats like this are really not easy to mitigate. You said that in this example it was an IT guy. There are lots of different ways to export data from a system when you have privileged access to servers.

[–] Birdwants@lemmus.org 2 points 1 day ago* (last edited 1 day ago)

hey! thx for the reply. your points hit exactly on what i've been obsessed with lol.

"Why is the IT guy trusted...?" & "Why does he have access...?" totally agree, huge mistakes. but what if they actually didn't trust him? maybe they cut his privs to the bare minimum but since he knows the system, he found a loophole to bypass the DLP. in my class, everyone laughed bc CD-ROMs are "obsolete tech"... so did the sec team underestimate this attack surface? maybe they blocked USB ports & set alarms for external drives but forgot the optical burner? or maybe it was just easier to bypass optical media rules without triggering anything.

"Is access to the database monitored?" maybe he knew the exact threshold before a system alarm goes off? that would explain why he only picked "top" clients instead of the whole DB. plus, fitting a full banking DB on a few CDs is technically impossible anyway, so he had to cherry-pick.

my intuition is also on the trainee reporting it. why him/her? that's a break in the incident reporting process. where were the managers? the fact that it's neither a colleague nor a manager makes me wonder if it was a single-man job. any accomplices? i've seen enough teams to know that when ppl feel frustrated or abused, they tend to turn others against the board. keeping someone on notice after firing them is a massive danger for this exact reason.

what do u think?

--
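The two points above (cron's "it should trigger an alert if an employee accesses lots of data" and Birdwants' guess that the insider stayed under a known threshold) can be made concrete. The following is an added example, not code from the thread or from any bank's monitoring stack: it runs a fixed record-count alert and a per-user baseline alert over constructed database access-audit lines, and shows that only the baseline catches a pull that was sized to sit just under the static limit. The log format, user names and the 5000-row limit are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit lines (not real data): "<date> user=<id> table=<name> rows=<n>".
# "jdoe" is the hypothetical insider; "batch" is a legitimate nightly job that
# routinely reads the whole clients table.
SAMPLE_LOG = """\
2026-01-05 user=jdoe table=clients rows=12
2026-01-06 user=jdoe table=clients rows=9
2026-01-07 user=jdoe table=clients rows=15
2026-01-08 user=jdoe table=clients rows=11
2026-01-09 user=jdoe table=clients rows=13
2026-01-12 user=jdoe table=clients rows=4800
2026-01-05 user=batch table=clients rows=5100
2026-01-06 user=batch table=clients rows=5050
2026-01-07 user=batch table=clients rows=4900
2026-01-08 user=batch table=clients rows=5200
2026-01-09 user=batch table=clients rows=5000
2026-01-12 user=batch table=clients rows=5150
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) table=(\S+) rows=(\d+)$")
FIXED_THRESHOLD = 5000  # assumed static alert limit the insider could learn

def parse(log):
    """Return (date, user, table, rows) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m[1], m[2], m[3], int(m[4])))
    return events

def fixed_threshold_alerts(events, limit=FIXED_THRESHOLD):
    """Naive rule: alert on any single query returning more than `limit` rows."""
    return [(d, u, r) for d, u, _t, r in events if r > limit]

def baseline_alerts(events, min_history=3, sigmas=3.0, min_ratio=5.0):
    """Alert when a (user, table) pull is far above that user's own history:
    more than `sigmas` standard deviations AND more than `min_ratio` times the
    mean, so a steady high-volume job is not flagged but a sudden jump is."""
    history = defaultdict(list)
    alerts = []
    for date, user, table, rows in sorted(events):  # chronological replay
        hist = history[(user, table)]
        if len(hist) >= min_history:
            mu, sd = mean(hist), pstdev(hist)
            if rows > mu + sigmas * sd and rows > mu * min_ratio:
                alerts.append((date, user, rows))
        hist.append(rows)
    return alerts
```

Run against the sample, the fixed rule fires four times on the nightly job and never on the 4800-row pull, while the baseline rule fires once, on jdoe.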

[–] RobotToaster@mander.xyz 9 points 2 days ago (1 children)

There was a recent case in South Korea where it was bypassed by just writing it down with pen and paper manually.

[–] Sunsofold@lemmings.world 4 points 2 days ago (1 children)

That was one of the little things I remember from one of the various Warthunder leaks. The guy was sharing military secrets by copying the info by hand but only got caught after he started copying the documents in other ways because he felt like people weren't giving him enough respect for his handmade copies.

[–] Quexotic@sh.itjust.works 1 points 14 hours ago

Hell, even a small camera would work great. It'd be faster too.

[–] ZombiFrancis@sh.itjust.works 11 points 2 days ago (2 children)

Some operational security questions: What's this trainee doing? Why was it a trainee noticing things being put in backpacks? Why was the trainee the one notifying security?

Are there protocols in place for media being brought in or out of the facility and its workstations? Why or why not? Was the trainee the only one who reviewed them recently enough to notice a breach and alert?

But most importantly and at any rate you don't do the grand heist on the last day. Rookie move.

[–] Birdwants@lemmus.org 2 points 1 day ago (1 children)

Technically speaking, what kind of logs does burning a CD actually leave on a hardened Win/Linux workstation compared to a USB mount? If the DLP is only looking for 'Mass Storage Devices', does the burning process even trigger a file-copy event in the logs?

The process that's being executed to run the burner would be a clue, based on my experiences (limited) and knowledge (also limited). For Windows, if the built-in Windows burner was used then there'd be system logs for that. If another program were used, well, that begs more IT security questions about permissions.

I have whole months of experience using Linux, so, no idea there.

[–] Birdwants@lemmus.org 1 points 1 day ago

def a rookie move! ^^ thx for the reply, appreciate it! yeah this case raises so many questions & i'm just guessing here. clearly a ton of security issues.

"Why was it a trainee... notifying security?" totally agree. besides the CDs, my main trigger was the trainee reporting it directly to security, skipping any manager or coworker. why? and why did no one else notice anything? makes me wonder if it’s really a single-man job... accomplices in the team maybe?

"Are there protocols in place...?" i'd assume protocols exist but were bypassed. plugging in an external burner would def raise eyebrows or trigger dlp/edr. so i bet the workstations had built-in drives. in my dpo class, everyone just laughed bc it's "old tech" nobody uses anymore... maybe the cybersec team thought the same? blocked usbs & set protocols for ports but underestimated optical? i have gen z students in my opsec classes who don't even know what a tower's cd-player is if i show them a photo. or they know it's a player but don't realize it's a burner too.

what's ur take?

[–] Birdwants@lemmus.org 1 points 1 day ago (1 children)

why cd's? less digital footprint? burnin a disc feels more 'mechanical' — maybe it leaves nothing on the host side compared to mounting a usb mass storage? is it off the grid coz it's physical legacy tech and modern dlp/edr just ignore it? anyone ever seen optical media used as a stealth exfiltration vector like this?

[–] _stranger_@lemmy.world 4 points 1 day ago

it was probably a long time ago

[–] Thedogdrinkscoffee@lemmy.ca 8 points 2 days ago* (last edited 2 days ago) (1 children)

Why did the bank have CD-ROMs/writers? Secure institutions' computers from those devices: locked cases and physically secured ports. Network alarms triggered if anything gets inserted.

Edit: also alarms and logs of anyone who accesses large volumes of data, let alone copies.

[–] village604@adultswim.fan 3 points 1 day ago

Not all banks are chains, and banks are kinda well known for using antiquated systems.

[–] Kolanaki@pawb.social 6 points 2 days ago (1 children)

First draft Raiden from Mortal Kombat looking dude.

Came here to say this exact thing hahahahahaha!

[–] homesweethomeMrL@lemmy.world 0 points 2 days ago (1 children)

Trainees shouldn't be able to access the "top clients" anyway.

[–] boatswain@infosec.pub 4 points 1 day ago

The IT guy wasn't a trainee; the trainee is the one who noticed him.