“In El Paso today Wednesday, July 19, 2017, a federal judge sentenced 42-year-old system administrator named Joe Venzor (who on March 30, 2017 pleaded guilty to one count of transmission of a program to cause damage to a computer) to 18 months in federal prison and to pay $57,397.76 restitution and be placed on supervised release for a period of three years after completing his prison term.”
This is a clear case of a disgruntled employee who, for whatever reason, was fired and decided to make the company pay for it. He succeeded, and that shows how much damage a sysadmin, or any other user with privileged account access, can do to an organization. After being terminated from his position on the company's help desk, he logged onto the company's network through an administrator account and did the following:
- shut down the company's email server
- shut down the application server
- deleted system files essential to restoring computer operations
His actions clearly cost the company a great deal. Because of the intrusion:
- 300 employees in the production and shipping factory were unable to work for nearly three hours before the decision was made to send them home for the rest of the shift.
- The distribution center was not able to ship any of their products and customers could not place orders online.
- The IT Managing Director also had to hire third-party IT staff to assist with setting up a new application server for the company.
- The company continued to suffer direct and indirect losses from the intrusion into its server in the ensuing days and weeks, as it had to reconstruct files and deal with the resulting production and customer-service issues.
Additional controls this company should have put in place to prevent the abuse:
- Implement multi-factor authentication for employees and third parties, above all on administrator accounts, and make sure the MFA enrolment (phone number, e-mail address, authenticator) of every account tied to a departing user is removed or re-pointed during offboarding. MFA on its own does not help if the account stays enabled and the second factor still goes to the ex-employee's own phone.
- Enforce strict policies for automatic password rotation. Secure management of privileged accounts requires strong, unique passwords that are rotated periodically and immediately after each use; a shared admin password that never changes can be used by anyone who ever knew it, including a former help-desk technician.
- Add release controls for password retrieval. Establish a policy that forces users to send a request to the PAM administrator whenever they need a specific account's credentials to access an asset. Provision users only with temporary, time-based access to these credentials, with built-in options to revoke access and forcibly check in passwords when the stipulated time expires, rotating the password on every check-in so the released value is useless afterwards.
- Regular audit. Comprehensive audit records, real-time alerts and notifications are what make life easier, both for spotting abuse as it happens and for reconstructing it afterwards. Capture every privileged operation (who checked out which account, from where, when, and for what reason) to establish accountability and transparency for all PAM-related actions; an alert on an administrator login by a user HR has already marked as terminated is exactly the signal this company lacked.
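The check-out, forced check-in, rotation and audit controls in the last three bullets can be seen working together in the following model. It is added here as an example and is not code from the original post or from any PAM product: PrivilegedVault, FakeClock and the field names are this example's own assumptions, and an in-memory dict stands in for a hardened secret store with an append-only audit sink.

```python
"""Time-boxed privileged-credential check-out with forced check-in, rotation
and an audit trail, modelling the PAM controls listed above.

Added example for this post; not code from the original article or from any
PAM product. PrivilegedVault, FakeClock and the field names are assumptions,
and the in-memory dicts stand in for a real secret store and audit sink.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def new_password(length: int = 24) -> str:
    """Cryptographically random password, regenerated on every check-in."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class FakeClock:
    """Controllable clock so lease expiry can be exercised without sleeping."""

    def __init__(self, start: datetime = None):
        # Arbitrary constructed start time for the demo, not a real timestamp.
        self.now = start or datetime(2017, 2, 1, 9, 0, tzinfo=timezone.utc)

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)

    def __call__(self) -> datetime:
        return self.now


class PrivilegedVault:
    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._passwords = {}   # account name -> current password
        self._leases = {}      # account name -> {"user", "approver", "expires"}
        self.audit = []        # every operation, oldest first

    def _log(self, action: str, **fields) -> None:
        self.audit.append({"ts": self._clock().isoformat(), "action": action, **fields})

    def add_account(self, account: str) -> None:
        self._passwords[account] = new_password()
        self._log("account_added", account=account)

    def check_out(self, account: str, user: str, approver: str, minutes: int) -> str:
        """Release the credential to `user` for `minutes`, with a separate approver."""
        if account not in self._passwords:
            raise KeyError(f"unknown account {account}")
        if approver == user:
            raise PermissionError("requester cannot approve their own check-out")
        if account in self._leases:
            raise RuntimeError(f"{account} is already checked out to {self._leases[account]['user']}")
        if not 0 < minutes <= 240:
            raise ValueError("lease must be between 1 and 240 minutes")
        expires = self._clock() + timedelta(minutes=minutes)
        self._leases[account] = {"user": user, "approver": approver, "expires": expires}
        self._log("check_out", account=account, user=user, approver=approver,
                  expires=expires.isoformat())
        return self._passwords[account]

    def check_in(self, account: str, reason: str = "returned by user") -> None:
        """End the lease and rotate the password so the released value is dead."""
        lease = self._leases.pop(account)      # KeyError if nothing is checked out
        self._passwords[account] = new_password()
        self._log("check_in", account=account, user=lease["user"], reason=reason)

    def revoke(self, account: str, by: str) -> None:
        """An administrator pulls the credential back before the lease ends."""
        self.check_in(account, reason=f"revoked by {by}")

    def expire_overdue(self) -> list:
        """Forced check-in of every lease past its expiry; run this from a scheduler."""
        now = self._clock()
        overdue = [a for a, lease in self._leases.items() if lease["expires"] <= now]
        for account in overdue:
            self.check_in(account, reason="lease expired")
        return overdue

    def is_checked_out(self, account: str) -> bool:
        return account in self._leases


if __name__ == "__main__":
    clock = FakeClock()
    vault = PrivilegedVault(clock=clock)
    vault.add_account("appserver-admin")
    first = vault.check_out("appserver-admin", user="tech1", approver="pam-admin", minutes=30)
    clock.advance(31)
    print("forced check-in of:", vault.expire_overdue())
    second = vault.check_out("appserver-admin", user="tech1", approver="pam-admin", minutes=30)
    print("password rotated on check-in:", first != second)
    for entry in vault.audit:
        print(entry)
```

The two design points worth copying are that the password is rotated on every check-in, so whatever a user wrote down during the lease stops working the moment it ends, and that the requester can never be their own approver. Neither would have stopped a still-enabled administrator account, which is the offboarding problem discussed next.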
Off-boarding after termination. Offboarding is the removal of an employee's identity from an IAM system once that person has left the organization. When a full offboarding occurs, whether as part of a fire/rehire transfer or a total termination, the process should include disabling all user accounts and access, revoking certificates, and cancelling all access codes, API keys and active sessions. It also includes terminating all other specifically granted access and privileges: group memberships, VPN and remote-access entitlements, and the passwords of any shared or service accounts the person knew, which must be rotated rather than left as they are. It is common practice to disable a former employee's accounts rather than delete them outright, retaining the identity for a few weeks or months so that audit records can still be attributed to it; after the period stipulated in the policy, the account should be deleted.
Leaving a terminated system administrator's account active for even one day after termination is a serious vulnerability, so the offboarding team should give these accounts the highest priority: disable them at the moment of termination, not at the end of a ticket queue.
For this incident, this is where I strongly feel the company missed it in its offboarding process, which eventually led to litigation and thousands of dollars spent rebuilding application servers, all of which could have been avoided had the right structures been in place.
The next incident might not be this mild. Check all your privileged accounts, review access regularly, and ensure that all outgoing techs and sysadmins have their access disabled the moment they step out of the building. Those who remain should have their roles and access reviewed to ensure they have only what they need to do their work.
Be security-minded and conscious always, and implement a zero trust architecture: you never know which company is next on the attack list. Be warned!
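The offboarding steps above and the periodic review that catches what offboarding missed can be modelled together, as in the following added example. It is not the post's own code and not the API of any directory or IAM product: the Account fields, the HR roster layout, the sample export, RETENTION_DAYS, PRIVILEGED_GROUPS and ADMIN_ROLES are all constructed assumptions for illustration.

```python
"""Offboarding and periodic privileged-access review over a directory export.

Added example for this post; not the article's code and not any directory
product's API. Field names, roster layout, sample data and the policy
constants below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

RETENTION_DAYS = 90                                   # keep disabled identities for audit, then delete
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators"}
ADMIN_ROLES = {"system administrator", "it manager"}  # roles that justify membership above


@dataclass
class Account:
    username: str
    owner: str                       # HR employee id the account is tied to
    enabled: bool = True
    groups: Set[str] = field(default_factory=set)
    certificates: Set[str] = field(default_factory=set)
    api_tokens: Set[str] = field(default_factory=set)
    disabled_on: Optional[date] = None

    @property
    def privileged(self) -> bool:
        return bool(self.groups & PRIVILEGED_GROUPS)


def offboard(directory: Dict[str, Account], owner: str, today: date) -> List[str]:
    """Disable every account tied to the leaving employee and strip all grants.

    Accounts are disabled, not deleted: the identity stays for RETENTION_DAYS
    so logs and audit trails can still be attributed to it."""
    touched = []
    for acct in directory.values():
        if acct.owner != owner:
            continue
        acct.enabled = False
        acct.disabled_on = today
        acct.groups.clear()        # drop admin group membership, not just the login
        acct.certificates.clear()  # revoke issued certificates
        acct.api_tokens.clear()    # cancel long-lived tokens and access codes
        touched.append(acct.username)
    return touched


def purge_expired(directory: Dict[str, Account], today: date) -> List[str]:
    """Delete disabled identities once the retention window has passed."""
    expired = [u for u, a in directory.items()
               if not a.enabled and a.disabled_on is not None
               and today - a.disabled_on >= timedelta(days=RETENTION_DAYS)]
    for username in expired:
        del directory[username]
    return expired


def review(directory: Dict[str, Account], hr_roster: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flag accounts offboarding missed and privileges a role does not justify."""
    findings = []
    for username, acct in directory.items():
        if not acct.enabled:
            continue
        person = hr_roster.get(acct.owner)
        if person is None:
            findings.append((username, "orphaned: owner unknown to HR"))
        elif person["status"] != "active":
            findings.append((username, f"enabled but owner is {person['status']}"))
        elif acct.privileged and person["role"] not in ADMIN_ROLES:
            findings.append((username, f"privileged groups not justified by role '{person['role']}'"))
    return findings


def sample_directory() -> Dict[str, Account]:
    """Constructed sample export, not real data."""
    return {
        "hd-tech": Account("hd-tech", owner="E100", groups={"Help Desk", "Domain Admins"},
                           certificates={"vpn-cert-1"}, api_tokens={"tok-a"}),
        "hd-tech-adm": Account("hd-tech-adm", owner="E100", groups={"Domain Admins"}),
        "jsmith": Account("jsmith", owner="E200", groups={"Shipping"}),
        "svc-backup": Account("svc-backup", owner="E999", groups={"Server Operators"}),
    }


def sample_roster() -> Dict[str, dict]:
    """Constructed HR feed: E100 is a terminated help-desk technician."""
    return {
        "E100": {"status": "terminated", "role": "help desk technician"},
        "E200": {"status": "active", "role": "shipping clerk"},
    }


if __name__ == "__main__":
    directory, roster = sample_directory(), sample_roster()
    print("before offboarding:", review(directory, roster))
    print("disabled:", offboard(directory, "E100", date(2017, 2, 1)))
    print("after offboarding:", review(directory, roster))
    print("purged after retention:", purge_expired(directory, date(2017, 5, 15)))
```

Run against the sample data, the review flags both of the terminated technician's accounts (the everyday one and the separate admin one) and the service account nobody in HR owns; after offboarding, only the orphan remains. Feeding the review from the HR system rather than from IT's own ticket queue is the point: the control works because it does not depend on someone remembering to file the offboarding ticket.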