One rogue IT employee can do more damage than an army of hackers. Here's how three companies could have better protected themselves.
Pirating software - and worse
The US retailer's tale of woe began in early 2008, when the BSA notified it that Microsoft had uncovered licensing discrepancies, according to John Linkous. Today, Linkous is chief security and compliance officer at eIQ Networks, a security consultancy. His experience with the incident involving the retailer is from his previous job, when he was vice-president of operations at Sabera, a now-defunct security consultancy.
Microsoft had traced the sale of the suspect software to a client company's system admin. For purposes of this story, we'll call that admin 'Ed'. When Linkous and other members of the Sabera team were secretly called in to investigate, they found that Ed had sold more than half a million dollars in pirated Microsoft, Adobe and SAP software to his employer.
The investigators also noticed that network bandwidth use was abnormally high. "We thought there was some kind of network-based attack going on," says Linkous. They traced the activity to a server with more than 50,000 pornographic still images and more than 2,500 videos, according to Linkous.
In addition, a forensic search of Ed's workstation uncovered a spreadsheet containing hundreds of valid credit card numbers from the company's e-commerce site. While there was no indication that the numbers had been used, the fact that this information was contained in a spreadsheet implied that Ed was contemplating either using the card data himself or selling it to a third party, according to Linkous.
The CFO, who had originally received the call from the BSA, and others on the senior management team feared what Ed might do when confronted. He was the only one who had certain administrative passwords - including passwords for the core network router/firewall, network switches, the corporate VPN, the HR system, the email server administration, Windows Active Directory administration and Windows desktop administration.
That meant that Ed could have held hostage nearly all the company's major business processes, including the corporate website, email, financial reporting system and payroll. "This guy had keys to the kingdom," says Linkous.
So the company and Linkous' firm launched an operation right out of Mission: Impossible. They invented a ruse that required Ed to fly overnight to California. The long flight gave Linkous' team a window of about five and a half hours during which Ed couldn't possibly access the system. Working as fast as they could, the team mapped out the network and reset all the passwords. When Ed landed in California, "the COO was there to meet him. He was fired on the spot".