Former CIO director gets 2 years in jail for hacking
July 31, 2009 by Sam Narisi
A woman was fired from her job as the CIO for a nonprofit organization. So what’d she do?
She went home, accessed the employer’s computer network remotely and deleted vital files, such as databases, accounting invoices, software applications and various backup files.
Problem was, the company knew it was her. So they told the police, who charged her with one count of unauthorized computer access.
She pleaded guilty and was sentenced to two years in jail, three years of supervised release and a $94,000 fine.
The company may have gotten justice, but it’s doubtful that’s worth the headache of having gone through the mess. Sabotage by disgruntled former employees is getting a lot of attention as a common security threat in this economy. Staying safe requires communication between HR and IT, so tech staffers know whose access to remove at what time.



August 4th, 2009 at 1:45 pm
In the past, we have developed and leveraged special procedures for terminating employees with high levels of access, including HR, IT, Accounting, Sales and Facilities.
Key considerations:
- Consider ALL external-facing servers and services. Make sure access to VPN, web-based e-mail, ERP, and other internally and externally hosted systems is terminated immediately. Ideally, IT should have a script that can be executed to make sure the access privileges are removed automatically and correctly.
- Consider ALL vendor access. This includes vendors for datacom, telecom, long distance, facility (if multi-tenant), tape storage / disaster recovery, bank accounts, calling cards, teleconferencing, online / hosted services (such as WebEx), etc… Ideally, one person should be in charge of making sure all vendor access is terminated immediately. Having a single point of contact through an internal “Vendor Management Office” (VMO) can facilitate this, as well as business continuity.
- Consider ALL customers. Being proactive in notifying customers of a contact change is much better than having a customer reach out to a terminated employee on their cell phone number that’s listed on an outdated contact sheet. Ideally, all customer communications should take place on company-owned resources, including cell phones, instant messaging, and e-mail.
- Periodically scan for “back door” accounts and remove access privileges for accounts that are not being used. Likewise, change “system” or “service” accounts every 90 days. Ideally, IT should have a script for automatically changing the passwords and making the corresponding updates in order to ensure accuracy and minimize effort.
Here are some nightmare scenarios that COULD have occurred:
- She could have gone home and called the datacom / telecom provider to shut off all access lines. In today’s connected society, being “off the grid” for a couple of days trying to get the situation sorted out could mean “out of business”. Where possible, assign vendor contacts to roles, not people, and keep an approved vendor access list for each vendor, where THE VENDOR is responsible for making sure unapproved requests are rejected.
- She could have called the tape backup / DR vendor and had backup tapes delivered to her house. All the company’s sensitive data is on those tapes, including employee vital information as well as customer contact information, and possibly trade secrets or other intellectual property. She could make some serious money selling her company’s customer list to an unethical competitor, or sell employee name / address / SSN info for profit so someone else can use them for identity theft. I have seen a lot of people who seem to think it’s OK to steal from the company for a “self-funded” severance program.
- She could have called key customer contacts to let them know the company is financially unsound and is going out of business. It may be salvageable, but the company would take a serious reputation hit.
- She could have logged in to a hosted customer system and erased all of the CUSTOMER’s data.
- She could have ordered thousands or hundreds of thousands of dollars worth of equipment on a company account. How difficult is it to call a vendor you deal with often and say: “We’re setting up a new DR site, and we need 50 servers, 1000 laptops, 2 firewalls, and a router. We need it ASAP, and you can send the bill to my office — my assistant will authorize it. You need a purchase order on company letterhead? NO PROBLEM! Have the equipment delivered to XYZ address.”
Other nightmare scenarios:
- The Accounting manager could wire funds from company accounts. The money could PROBABLY be recovered, but not before all the company’s checks bounce.
- The Facility manager could shut off water, electricity, or other utility services, or cancel a lease. This could put a small company or a specific office out of commission for a day or two while the situation is straightened out.
- The HR manager could take an employee list and sell sensitive information. In a worst-case scenario, the HR manager might even have enough information in various employee files to blackmail key employees. Disclosure of sensitive information like records of certain types of medical procedures, wage garnishment due to legal troubles, or incorrect I-9 or W-2 information could be embarrassing or could even damage someone’s career.
- The Facility or IT manager could use a key to gain access to external storage facilities and steal then sell equipment stored there. It could be months or even years before the theft would be detected.
- The facility manager could use a key to gain access to the building’s wiring closet and cut all the telecom and datacom circuits, and damage equipment such as telecom demarcation points. It could take a few days or even a couple of weeks to repair the damage, especially if new parts need to be ordered. Likewise, cutting all the electrical circuits requires a certified electrician and mandatory down time to repair.
These are just some examples, not an exhaustive list.
The best way to handle “sensitive” terminations is to, as the article mentions, have an IT person “on point” to handle logical access terminations and a facilities person “on point” to handle physical access. In addition, it’s beneficial to have a “VMO” contact who can handle vendor access lists. Maintain a termination checklist that lists all systems, facilities, and vendors that should be checked and who is responsible for checking.
For certain highly-sensitive situations, I have sent out a meeting request for key IT / facilities / VMO staff to be on hand, took up cell phones and pagers at the conference room door, and had lunch ordered in.
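The account checks recommended in the comment above (access left enabled after a termination, unused or "back door" accounts, and service accounts past the 90-day change interval) can be run as one audit over an account export. This is an added example, not part of the original article or comment; the roster, account records, field names and the 60-day "unused" threshold are constructed assumptions.

```python
from datetime import date

ROTATION_DAYS = 90  # from the comment: change system/service accounts every 90 days
UNUSED_DAYS = 60    # assumption: the comment gives no threshold for "not being used"

# Constructed sample data: an HR roster and a merged export of per-system accounts.
HR_ROSTER = {"asmith": "active", "bjones": "terminated", "cdoe": "active"}

def acct(system, name, kind, enabled, last_login, pw_changed, owner=None):
    """Build one account record; owner defaults to the account name."""
    return {"system": system, "name": name, "type": kind, "enabled": enabled,
            "last_login": last_login, "pw_changed": pw_changed, "owner": owner or name}

ACCOUNTS = [
    acct("vpn", "asmith", "user", True, date(2009, 7, 30), date(2009, 6, 1)),
    acct("webmail", "bjones", "user", True, date(2009, 7, 31), date(2009, 5, 1)),
    acct("erp", "bjones", "user", False, date(2009, 7, 31), date(2009, 5, 1)),
    acct("erp", "cdoe", "user", True, date(2009, 3, 1), date(2009, 2, 1)),
    acct("vpn", "support2", "user", True, None, date(2008, 1, 1)),
    acct("erp", "svc_backup", "service", True, date(2009, 8, 3), date(2009, 2, 1)),
    acct("erp", "svc_mail", "service", True, date(2009, 8, 3), date(2009, 7, 1)),
]

def audit_accounts(accounts, roster, today):
    """Return ((system, name), finding) for every enabled account needing action."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled on this system
        key = (a["system"], a["name"])
        if a["type"] == "service":
            # Service accounts have no HR owner; check credential age only.
            if (today - a["pw_changed"]).days > ROTATION_DAYS:
                findings.append((key, "ROTATION_OVERDUE"))
            continue
        status = roster.get(a["owner"])
        if status is None:
            findings.append((key, "NO_HR_OWNER"))  # possible back-door account
        elif status == "terminated":
            findings.append((key, "TERMINATED_STILL_ENABLED"))
        elif a["last_login"] is None or (today - a["last_login"]).days > UNUSED_DAYS:
            findings.append((key, "UNUSED"))
    return findings

if __name__ == "__main__":
    for (system, name), finding in audit_accounts(ACCOUNTS, HR_ROSTER, date(2009, 8, 4)):
        print(f"{system:8} {name:12} {finding}")
```

Running the audit per system rather than per person is what catches the partially offboarded case: here the terminated user is disabled in the ERP but still enabled on webmail.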