
A True Tale of How Arthur Created Chaos

The following is a true story of how one disgruntled ex-employee brought his old company to its knees. "Arthur" (obviously not his real name) and several of his colleagues were recently made redundant after the company they worked for ran into trouble. Arthur had worked in the back-office support department of a building firm and, after five years of loyal service, was given the minimum redundancy payment he was entitled to. Arthur tried to find work, but to no avail. As time ticked past, he became more and more frustrated and channelled his anger at his former employer.

Bored, he attempted to log into his old computer system and, unfortunately for his ex-employer, his VPN account had not been disabled automatically by an Identity Management solution. Arthur was able to connect remotely to the environment, which gave him access to a management server where he logged into eDirectory with administrator rights. Arthur then proceeded to delete accounts and critical objects in eDirectory, which caused problems across Directory Services and left the helpdesk inundated with calls.

Since Arthur's rights and account had not been terminated, he then began deleting sensitive financial records, and all billing and credit-control information was lost. He moved on to the HR database and began deleting personnel files. Although this data was eventually restored from backup, the restoration caused a huge delay, lost revenue, and a loss of faith once the remaining employees found out what had happened.

Even with all the damage Arthur was causing, no alerts were generated because the company did not have a Security Information and Event Management (SIEM) solution in place. Although the helpdesk knew something was seriously wrong, they could not work out what was causing the problems because Arthur was covering his tracks by deleting logs and clearing out events. Had a SIEM solution been in place, it would have been capturing and recording his activity.

Arthur's last order of business was to change the passwords on management Exchange accounts, including the CEO's, so that he could access those mailboxes, go through each person's contacts and send out abusive emails.

At this point the helpdesk caught on to Arthur and disabled his access. As you can imagine, by the time the helpdesk was able to stop him, Arthur had caused a tremendous amount of damage. The company lost gigabytes' worth of sensitive and valuable data (which could also potentially be leaked) and was receiving emails from clients demanding explanations for the abusive messages.

You may be wondering how this all happened. Although Arthur's HR account had been set to a "disabled" state and he was recorded as having left the company, this change was not reflected in any of his IT accounts because the Moves, Additions & Changes (MAC) form had never been processed! This scenario could have been avoided by using IDM Identity Manager Role Based Provisioning, which allows activities to be initiated by an event (such as the HR account being disabled) and the change to be synchronised automatically out to all other connected systems (such as eDirectory and Active Directory). Additionally, workflows could be initiated that pass through the relevant managers so they can approve the various deletions.

Even if Arthur's credentials had not been deleted and he had still been able to access the environment, alerts should have been generated when critical data and Directory Services objects were being deleted. Had that been in place, Arthur's access could have been disabled automatically, and potentially the change discarded, by using correlation rules and workflows.
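The two controls described above, joined-up leaver provisioning and deletion alerting, as an added example that is not b2Lateral's or any vendor's code: an HR-versus-directory check for accounts left enabled after HR marks someone as gone, and a correlation rule that fires on a burst of directory deletions. The HR feed, account snapshot, audit-line format and the three-deletes-in-five-minutes threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed HR feed: the authoritative record of who still works here.
HR_FEED = {"arthur": "disabled", "bina": "active", "carlos": "active"}

# Constructed snapshot of accounts in the connected systems (VPN, eDirectory, AD).
IT_ACCOUNTS = [
    {"system": "vpn", "user": "arthur", "enabled": True},
    {"system": "edirectory", "user": "arthur", "enabled": True},
    {"system": "ad", "user": "bina", "enabled": True},
]
def find_orphaned_access(hr_feed, it_accounts):
    """Accounts still enabled for users HR no longer lists as active: the
    unprocessed MAC form. An IDM connector would disable these on the HR event."""
    return [a for a in it_accounts
            if a["enabled"] and hr_feed.get(a["user"]) != "active"]

# Constructed directory audit lines: "<ISO time> <user> <action> <object>".
AUDIT_LOG = """\
2008-04-01T22:01:10 arthur DELETE cn=jsmith,ou=finance,o=corp
2008-04-01T22:01:12 arthur DELETE cn=finance-billing,ou=groups,o=corp
2008-04-01T22:01:15 arthur DELETE cn=hr-personnel,ou=groups,o=corp
2008-04-01T22:03:40 arthur DELETE cn=credit-control,ou=groups,o=corp
2008-04-01T09:15:00 bina DELETE cn=tempuser,ou=contractors,o=corp
""".splitlines()

def deletion_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: flag a user who deletes `threshold` or more directory
    objects inside `window`. Returns {user: time the rule first fired}."""
    events = defaultdict(list)
    for line in lines:
        ts, user, action, _obj = line.split(" ", 3)
        if action == "DELETE":
            events[user].append(datetime.fromisoformat(ts))
    fired = {}
    for user, times in events.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                fired[user] = times[i + threshold - 1].isoformat()
                break
    return fired

def systems_to_disable(hr_feed, it_accounts, lines):
    """Automated response: for every user the rule fires on who is not active
    in HR, list the connected systems whose accounts should be disabled."""
    return sorted(a["system"] for user in deletion_bursts(lines)
                  if hr_feed.get(user) != "active"
                  for a in it_accounts if a["user"] == user and a["enabled"])
```

The HR condition in the response step is what stops a legitimate administrator's bulk clean-up from locking them out; a production rule would also consult change tickets and raise an alert either way.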

Arthur was not prosecuted, as it was the company's own fault for not disabling his access, and by the time the intrusion was discovered it was too late! Additionally, very few events had been recorded. Had current technology been taken advantage of, all logs and events would have been stored, security reports could have been run to show exactly what Arthur had done, and there would have been evidence on which to prosecute.

This scenario could have been avoided if the company had implemented a comprehensive Identity & Security Management solution. Is yours good enough to withstand an onslaught of this magnitude?

b2Lateral is offering a free Identity & Security Audit for anyone registering in April*. Register and we will point out your exposure to Arthur.

To find out more about security and identity management and how b2Lateral can help you, contact us.

*Terms and conditions for this audit will apply and are available upon request.

Copyright 2008 - b2Lateral Limited (Headquarters and main office) Centric House, First Floor, 390-391 Strand, London WC2R 0LT