We Just Never Seem to Learn

This article describes how a disgruntled IT worker used a back-door account he had created to wreak havoc on his former employer. The story is notable not just in how familiar it is, but in all the ways basic identity and access governance (IAG) practices could have prevented the attack.

The story line goes like this (sing along if you’ve heard this one before): David Palmer, an IT administrator, was fired from his job at McLane Advanced Technologies, a military contractor and IT service provider. He had set up a back-door account before he was escorted out. Some time later, he used his back-door account to log into his former employer’s systems via the Wi-Fi at a local restaurant, deleted the payroll files for one of McLane’s customers, and apparently accessed files belonging to another customer. The customer was unable to process timecard entry or payroll for a few days, and ultimately McLane contacted the US Secret Service to report that their computer systems had been attacked. Palmer admitted his guilt in Federal Court and stated that "The only reason for logging into any of these servers was to create general havoc and disorder for McLane Advanced Technologies the following day.” Just to add a little insult to injury, McLane advertises themselves as “… adhering to a strict set of values and ethical standards by doing what’s right for our customer” in the areas of (among others) “Software Development”, “Data Management”, and “Information Security”. Fine sounding words for a company that apparently couldn’t muster enough ethics to implement even basic identity and access governance processes. Thank goodness it was only a payroll system. What if it had been something more critical?

Ok, I’m being harsh. I don’t know the company, and perhaps there are some extenuating circumstances. But there are so many ways that this attack could have, and should have, been prevented, I can only conclude that no one was paying attention. Let’s see how many simple identity governance practices might have helped prevent this mess:

  1. Appropriate delegation of administrative rights – assuming that Mr. Palmer’s job didn’t require routine creation of user accounts, he shouldn’t have been able to create his back-door account to begin with. Nor should the account he created have had any access to customer files.
  2. Appropriate workflow around creation of a privileged account – apparently there was no review and approval for the creation of the back-door account.
  3. Proper auditing and review of user account changes – the creation of a privileged account should have fired an alert and an immediate review.
  4. Privileged account management – privileged accounts should normally be disabled and “checked out” for use only after appropriate approval, and only for a specific amount of time.
  5. Functioning account deprovisioning – when Palmer was fired, all of the accounts he owned should have been immediately disabled.
  6. Access attestation and certification – no one attested to the validity and necessity of Palmer’s privileged back-door account. To be fair, you usually do access reviews and attestations on some sort of a scheduled basis, e.g. quarterly, and he may have created and used his back-door account within that period.
  7. Appropriate authentication technology – as a general rule, privileged accounts should not be usable by people logging in from non-company-owned devices on public networks without a second form of authentication like a smart card or OTP. I’m assuming of course that both his company laptop and any smart card would have been confiscated when Palmer was fired.
  8. Appropriate authorization technology – smarter (e.g. dynamic and contextual) authorization technology would have saved the day here as well. An appropriate access policy for deleting customer files would have included rules like “only from a recently certified (attested to) account”, “not from a public IP” and “not from a public device”.
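Items 3 and 5 above are the easiest to put in front of a log. The following is an added illustration, not code from the post or from any product it names: it walks a constructed, simplified export of Windows Security events (the standard IDs 4720 user created and 4728/4732 member added to a global/local security group), raises an alert when a newly created account lands in a privileged group, and lists accounts whose creator appears in a constructed feed of terminated staff.

```python
"""Flag privileged-account creation and orphaned accounts from Windows
Security events. Added illustration, not from the post or any product it
names. Event IDs are the standard Windows ones (4720 user created,
4728/4732 member added to a global/local security group); the records
below are a constructed, simplified export, not a real log."""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample: admin_a creates an account, makes it a Domain Admin,
# and is later terminated; helpdesk1 creates an ordinary user account.
EVENTS = [
    {"id": 4720, "time": "2011-01-10T16:40", "subject": "admin_a", "target": "svc_backup2"},
    {"id": 4728, "time": "2011-01-10T16:41", "subject": "admin_a",
     "target": "svc_backup2", "group": "Domain Admins"},
    {"id": 4720, "time": "2011-01-11T09:00", "subject": "helpdesk1", "target": "jsmith"},
    {"id": 4728, "time": "2011-01-11T09:01", "subject": "helpdesk1",
     "target": "jsmith", "group": "Payroll Users"},
]
TERMINATED = {"admin_a"}  # constructed HR feed of terminated staff


def creators(events):
    """Map each created account to the subject who created it (event 4720)."""
    return {e["target"]: e["subject"] for e in events if e["id"] == 4720}


def privileged_creations(events):
    """Item 3: an account added to a privileged group should fire an alert
    and an immediate review. Returns (account, group, creator) tuples."""
    made_by = creators(events)
    return [(e["target"], e["group"], made_by.get(e["target"]))
            for e in events
            if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS]


def orphaned_accounts(events, terminated):
    """Item 5: accounts created by someone who has since been terminated are
    candidates for immediate disablement pending review."""
    return sorted(acct for acct, who in creators(events).items()
                  if who in terminated)


if __name__ == "__main__":
    for acct, group, who in privileged_creations(EVENTS):
        print(f"ALERT {acct} added to {group} (created by {who})")
    for acct in orphaned_accounts(EVENTS, TERMINATED):
        print(f"REVIEW {acct}: creator has been terminated")
```

An account that shows up in both lists is exactly the pattern described in the story, and is the one to disable first.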

So that’s eight different IAG activities, any one or two of which would have prevented this attack. All of them are well-known practices, and all but the last one are implementable using commercial off-the-shelf software such as Quest One Identity Manager, Active Roles Server, Quest Privilege Manager, Change Auditor for Active Directory, and Defender. Some of these processes and controls are implementable (with effort and some scripting) just using what’s in the box with Windows. For a Gold Certified Microsoft Partner boasting a CMM Level 3 software development certification as McLane is, putting these processes in place should not have been a problem provided someone was actually paying attention. And there’s the point. If you host sensitive data on your computer systems (and who doesn’t?), someone in executive management has to be paying attention. Typically this would be the CIO or CSO, but at the end of the day it’s on the CEO to ensure that the company is taking due care to ensure that access to critical corporate assets is controlled and audited in a way that ensures the security of the data and of the company. Perhaps that’s something they should be teaching at Famous CEOs School.

In case you didn’t get that last reference, see Famous Artists School on Wikipedia.