Over the past few years I have seen multiple news articles and stories about idiots who were unhappy with their job or were fired and decided to take revenge by deleting data, accounts or destroying company property. The common factor in all the stories was the fact that the person was subsequently arrested and jailed. The most recent story I saw was this one, where a genius decided to delete 1200 Microsoft Office accounts after being fired and ended up in jail for his troubles.
Destroying company property when you leave is a good way to ensure you are never hired again by any company. I mean if I was interviewing a candidate and I found out that the candidate had deleted critical data when they left the company I would probably never hire them. End of the day if you have demonstrated that you are not mature enough to deal with a loss but rather delete data/information then you are not a fit to work in my team. I know a lot of people will come and say that people should be given a second chance and what not but this is a serious issue. There would be a major lack of trust in play here and with that the person’s efficiency would be horrible and multiple other folks would have to keep monitoring what this person was doing on the servers which is an overhead I wouldn’t need.
So, now looking at this from the company’s side. How do you prevent something like this from happening? The basic step is to ensure that the access rights of the person are terminated as soon as they are let go. Secondly, they should not be allowed to access their system after they are fired. In one of my previous companies, the physical security team would escort a person off-premises without allowing them to log on to their computer or anything. By the time the person was off premises their accounts were already de-activated. They should also be removed from any company related mailing lists, chat rooms, telephone trees etc immediately. Any commonly known account passwords should be changed immediately and if the person had admin access a check should be made for any unauthorized accounts with admin access and for any backdoor’s being installed.
In the case of a threat where the person hasn’t been fired yet you need to have systems in place to perform regular audits of all admin/root activity. There are a lot of other steps that can be taken and out of scope for this blog post. SANS has a great paper on Protecting Against Insider Attacks and RSA has a list of best practices that you can check out as well.
If you need help securing your network/system please reach out and we can discuss in more detail.
– Suramya