by Paul Rudo on 16/08/11 at 8:06 am
Jon-Louis Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operations center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients.
Today, Jon-Louis has provided us with a number of real-world “war stories” that show the dangers associated with poor internal security and access control.
Could you be next?
- An employee was terminated for poor performance at a high-tech company. 14 months later, the salaries of the entire staff (700+ employees) appeared on the public side of the company's website. The posting coincided perfectly with a remote login by the ex-employee. The top name on the posted list was the manager of the fired employee.
- An employee was laid off due to budget cuts, and the termination created much animosity. Access was terminated, and the person packed their desk. A little over a month later, I sat in on an engineering call that this person had previously participated in. The call covered highly proprietary information, including product design and client issues. I was there to talk about security issues in their product and how to fix them. There were five remote callers on the conference call. We sat in the conference room at the end of the call and heard all five people say “goodbye” and sign off, with five “disconnect” sounds, and about 10 seconds later we heard a sixth disconnect tone. The organizer called the conference call company and was able to get caller-ID numbers for all six participants on the call. The sixth number was the phone of the terminated employee. He had been calling back in to the biweekly engineering call for over a month after his termination. They were unsure how much proprietary information he heard after leaving the company, but the potential was significant.
Case #2: When the System Administrator Leaves
- A system admin was laid off for budget reasons. About two weeks later, a different admin cleared the firewall rules because he did not understand all the complicated rules in place and was rebuilding a simpler firewall rule set. Within 30 minutes, the laid-off admin called in and wanted to know why his access was turned off – it turned out he was hosting an online retail site on the employer's web page – bad enough that it was against company rules, but he had been let go two weeks earlier – AND HE CALLED TO COMPLAIN that his access was turned off.
Case #3: Not Protecting Intellectual Property
- An engineering employee at a manufacturing firm was laid off due to “personality issues” (he was impossible to work with). Within about three months, their main competitor released a product that competed directly with their newest R&D product, which would have gone public in less than a month. The ex-employee had full access to this product information and, it turns out, had started working at the competitor the same day he walked out of their building. By being second to market, they estimated that they lost something on the order of $80 million in sales. They sued the ex-employee, but were unable to prove that he had stolen the information.
Case Study #4: Not Terminating Access Immediately
- At a high-tech company, a system administrator was terminated for cause: he was selling pirated satellite equipment on a webserver hosted on the corporate website. Before he left, as he “cleaned out his desk”, he deleted one file – the file that held all of the encryption keys for the employees, and the corporate escrow key for all the encrypted files held by the company. The 20-25 employees who used the key from the server instead of keeping a local copy completely lost access to all of their encrypted files – the key server was not backed up. Basically, he had the exact same effect as if he had deleted everything those employees had done for the previous 3 years, since it was all lost.
Case Study #5: Too Many Ways an Employee Has External Company Access
- Many companies will RIF a person, but that person still has access to their email, corporate systems, and all manner of external access at times when they shouldn’t. For many large-scale companies it can be extremely difficult to track all the access mechanisms into your systems and who has them, and then coordinate removing a user across all these systems at once. For us, we get several calls a year to help monitor security because companies have been threatened by employees being asked to leave, and they know it will take them 48-72 hours to completely “lock” that person out. We’ll come in and assist with the lock-out process or, more so, the monitoring of that 72-hour period when they are most at risk. But in some cases, the person could leave something behind (a Trojan, a logic bomb, etc.).
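The coordination problem in Case #5 (and the leftover remote login, firewall rule and conference-bridge access in the earlier cases) comes down to cross-referencing one HR termination list against every system that grants access. As an added illustration, not code from the article or its author, here is a small Python check over constructed data: all user names, systems, and dates are made up, and the 72-hour grace window is the lockout period the article cites.

```python
from datetime import datetime, timedelta

# Constructed HR feed: user -> termination time (hypothetical data, not from the article).
TERMINATED = {
    "jdoe": datetime(2011, 6, 1),
    "asmith": datetime(2011, 7, 15),
}

# Constructed access events collected from several systems: (system, user, timestamp).
ACCESS_EVENTS = [
    ("vpn", "jdoe", datetime(2011, 5, 28, 9, 0)),           # before termination: fine
    ("vpn", "jdoe", datetime(2012, 8, 3, 2, 14)),           # remote login 14 months later
    ("firewall_rule", "asmith", datetime(2011, 7, 29)),     # rule change by an ex-admin
    ("conference_bridge", "asmith", datetime(2011, 8, 20)), # ex-employee dialing into a call
    ("vpn", "bjones", datetime(2011, 8, 1, 8, 0)),          # current employee: fine
]

# Constructed snapshot of which accounts are still enabled on each system.
ACCOUNT_INVENTORY = {
    "vpn": {"jdoe", "bjones"},
    "email": {"jdoe", "asmith", "bjones"},
    "key_server": {"asmith", "bjones"},
    "conference_bridge": {"asmith"},
}

def post_termination_access(terminated, events, grace=timedelta(0)):
    """Flag any access by a terminated user later than termination + grace.
    `grace` models the agreed lockout window (the article cites 48-72 hours)."""
    findings = []
    for system, user, ts in events:
        left = terminated.get(user)
        if left is not None and ts > left + grace:
            findings.append({"user": user, "system": system,
                             "when": ts, "days_after": (ts - left).days})
    return sorted(findings, key=lambda f: f["days_after"], reverse=True)

def lingering_access(terminated, inventory):
    """Map each terminated user to the systems where an account is still enabled."""
    lingering = {}
    for system, users in inventory.items():
        for user in users & set(terminated):
            lingering.setdefault(user, []).append(system)
    return {user: sorted(systems) for user, systems in lingering.items()}

if __name__ == "__main__":
    for f in post_termination_access(TERMINATED, ACCESS_EVENTS, grace=timedelta(hours=72)):
        print(f"{f['user']} used {f['system']} {f['days_after']} days after termination")
    for user, systems in lingering_access(TERMINATED, ACCOUNT_INVENTORY).items():
        print(f"{user} still has accounts on: {', '.join(systems)}")
```

In practice the two inputs would be pulled from the HR system and from each access-granting system's logs and account lists; the value of the check is that it runs across all of them at once rather than one system at a time.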