A software company with around 100 data center customers ended up on the receiving end of a nasty surprise due to a disgruntled former worker. Using his uncle’s computer, the former worker logged into the data center system and erased all the clients’ stored information. The company tracked him down by following the audit trail that led to the IP address of the computer used to perform the data deletions. The suspect ended up pleading guilty as part of the criminal investigation that followed.
In an incident involving another company, a data center administrator who had been fired decided to get some payback. Using the WiFi at a local McDonald’s restaurant, the former employee logged into his former employer’s system and deleted data for 80 virtual machines. After the daring feat, he went to the counter, ordered some food and used a personal credit card to pay the bill. His decision to use a credit card proved to be his undoing as FBI agents, who tied the attack to the IP address at that specific McDonald’s location, ultimately watched the footage captured by installed surveillance cameras, reviewed the transaction data and tracked down the culprit.
According to Michael Fimin, CEO of change and configuration audit company Netwrix Corp. in Irvine, California, the two aforementioned scenarios actually happened. And these real-life situations clearly demonstrate the problems that can arise if former employees take things to eye-watering extremes. What companies should be doing, said Fimin, is adopting a proactive approach to prevent complications from popping up in the first place.
“The most common cause for those backdoors is just the user accounts do not get disabled, do not get deleted,” said Fimin. “People leave and nobody disables or changes passwords on the accounts they have access to. The other possible scenario is that people intentionally create a backdoor for themselves. So they create accounts not associated with any names and give themselves the highest user rights possible.”
As it turns out, the only way to prevent these attacks from happening – or at least to catch such situations sooner rather than later – is to audit every single action that admin users perform on the corporate IT systems. This will give companies the ability to efficiently revoke access privileges and to close the backdoors that people could otherwise use.
Fimin, whose company specializes in auditing critical systems across the entire IT infrastructure, acknowledged that scenarios where people misuse passwords and credentials are not at all out of the ordinary. Truth be told, they happen all too often, particularly since the majority of businesses don’t have clear strategies in place either to monitor who has access to what or to ensure timely password changes whenever employees leave for whatever reason.
Perfect World Scenario vs. Real World Scenario
Looking for backdoors left behind by IT people can be a complicated task, to say the least. The goal is to ensure the timely deprovisioning of user accounts to prevent any problems that can pop up if undiscovered backdoors are used to facilitate unauthorized access.
“A common standardized approach is to have a central inventory of all user accounts,” said Fimin. “In a perfect world scenario, it would be a single sign-on system with just one account and all necessary access to different systems, so it’s as simple as just disabling that user account and that person immediately loses access to everything. But that’s the perfect world scenario.”
In the real world, however, there are many different credentials, and many of them are shared accounts, such as the root account on Cisco routers or an Active Directory domain admin account, that are assigned to specific persons. What this means is that companies certainly need to keep track of all the credentials that users have access to.
According to Fimin, the simplest strategy to implement would be to use a spreadsheet or a database to document account users and their access privileges. Password management applications such as KeePass and LastPass are two solutions some companies opt to use, he said.
What to Do If an Inventory of Privileged Accounts Is in Place?
According to Fimin, what companies need to do really depends on whether they have inventories of privileged accounts set up. If they’ve been proactive rather than reactive, it’s as simple as going into the necessary inventories and changing the credentials or passwords of all the accounts or systems that former IT workers had access to.
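The inventory-driven offboarding step described above, as an added example that is not part of the article or of any Netwrix product: a small Python script that reads a constructed credential inventory (system, account, named holders, privilege level), lists every credential a departing person held so it can be rotated, names the remaining holders who need the new password, and flags privileged accounts with no named holder, which is the “account not associated with any name” pattern Fimin warns about. The CSV layout, system names and usernames are assumptions made for the example.

```python
"""Inventory-driven deprovisioning checklist (hypothetical example).

Assumed inventory layout: one row per credential with the columns
system, account, holders (semicolon-separated usernames) and privilege.
"""
import csv
import io

# Constructed sample inventory; systems and people are not real.
INVENTORY_CSV = """system,account,holders,privilege
rtr-core-01,root,alice;bob,admin
rtr-core-02,root,bob,admin
corp-ad,bob-da,bob,admin
corp-ad,svc-backup,,admin
fw-edge-01,admin,alice;carol,admin
jump-host-01,deploy,bob;carol,user
"""


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts with a holders list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        holders = [h.strip() for h in row["holders"].split(";") if h.strip()]
        rows.append({
            "system": row["system"],
            "account": row["account"],
            "holders": holders,
            "privilege": row["privilege"],
        })
    return rows


def rotation_list(inventory, departing_user):
    """(system, account) pairs whose credential the departing user held.

    Every one of these must get a new password when the person leaves.
    """
    return sorted((r["system"], r["account"])
                  for r in inventory if departing_user in r["holders"])


def remaining_holders(inventory, departing_user):
    """Who still needs the new password after each rotation."""
    out = {}
    for r in inventory:
        if departing_user in r["holders"]:
            out[(r["system"], r["account"])] = [
                h for h in r["holders"] if h != departing_user]
    return out


def orphaned_privileged_accounts(inventory):
    """Privileged accounts nobody is named as holding: review these first."""
    return sorted((r["system"], r["account"])
                  for r in inventory
                  if r["privilege"] == "admin" and not r["holders"])


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("Rotate after bob leaves:")
    for system, account in rotation_list(inv, "bob"):
        print(f"  {system}/{account} -> notify {remaining_holders(inv, 'bob')[(system, account)]}")
    print("Privileged accounts with no named holder:")
    for system, account in orphaned_privileged_accounts(inv):
        print(f"  {system}/{account}")
```

A weekly run of `orphaned_privileged_accounts` over the real inventory is the cheapest check against the self-created backdoor scenario; the rotation list is what a privileged account management product would act on automatically.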
“A more advanced scenario is called a privileged account management product,” said Fimin. “It’s not just the inventory of accounts and passwords, but it’s more an integrated approach. Let’s say you have an account to a router or a firewall. It’s not just assignment of this. It’s also integration with that target system. When someone leaves and that person had access to, let’s say, 20 different routers on the network, that privileged account system would go out and change the password on all those 20 routers automatically and then those people who stay with the company would get a notification telling them…to log into the privileged account management system and get the new password.”
This is the sort of approach that proactive companies will opt for, though doing so will require the discipline to implement the solution before rather than after a breach.
What to Do If an Inventory of Privileged Accounts Is Not in Place?
Companies that do not have inventories of privileged accounts set up may one day find out how much of a hassle the reactive approach can be. After the bad deed has been done, all companies can do is go back, check the audit trail, and figure out who did what and when they did it. They can then assemble a list of systems that were accessed and go about changing the passwords on those systems.
“Most systems have audit trails,” he explained. “You can log into each one and see. Let’s say you log into your Cisco router or firewall or Windows Server. You can look to see if the person has done anything on the system in, let’s say, the last 12 months. If that person has done something on those systems, then they had access and you have to check what credentials they used and then change the password for those credentials. So that person’s access basically terminates. Most organizations don’t have a list or at least they don’t have a complete list of systems that someone has access to.”
The Benefits of Regular Audits
There are more reactive than proactive companies when it comes to keeping track of user access to internal IT systems. In order to be better prepared to deal with such situations, it wouldn’t be a bad idea for companies to appoint someone to do regular internal audits, weekly for example, to review all the user accounts created within the organization. If unauthorized accounts are detected, the person in charge of the internal audits could delete them right away and question those responsible for creating the questionable accounts.
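The reactive review Fimin describes (go through each system’s audit trail, find what the person did in the last 12 months, and derive the credentials to change) and the regular account audit suggested above, as one added Python example that is not code from the article or from Netwrix. It assumes the various systems’ audit trails have already been normalized into a simple one-event-per-line key=value format; the log lines, system names and account names are constructed for the example.

```python
"""Reactive audit-trail review (hypothetical example).

Assumed input: audit events from routers, firewalls, directory and
hypervisor hosts, normalized to one line each in the form
    <ISO-8601 UTC timestamp> system=<host> account=<credential> action=<verb> [target=<object>]
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events; hosts, accounts and times are invented.
AUDIT_LOG = """\
2023-02-14T08:05:00Z system=rtr-core-01 account=root action=config-change
2023-11-03T17:40:00Z system=fw-edge-01 account=bob action=login
2024-01-20T22:12:00Z system=corp-ad account=bob-da action=account-create target=svc-maint
2024-02-02T09:00:00Z system=jump-host-01 account=deploy action=login
2024-02-02T09:01:00Z system=corp-ad account=alice action=account-create target=svc-backup
2024-03-15T23:55:00Z system=esx-01 account=svc-maint action=vm-delete target=vm-017
"""


def parse_audit_log(text):
    """Turn the normalized log into a list of event dicts with a tz-aware time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(event)
    return events


def systems_used(events, accounts, now, lookback=timedelta(days=365)):
    """(system, account) pairs where any of the given credentials acted
    inside the lookback window. These are the passwords to change."""
    cutoff = now - lookback
    return sorted({(e["system"], e["account"]) for e in events
                   if e["account"] in accounts and e["time"] >= cutoff})


def unregistered_account_creations(events, inventory_accounts):
    """Account-create events whose new account is missing from the inventory:
    the unnamed, possibly self-created accounts a weekly audit should question."""
    return [(e["time"].isoformat(), e["system"], e["account"], e["target"])
            for e in events
            if e.get("action") == "account-create"
            and e.get("target") not in inventory_accounts]


def actions_by(events, account):
    """Everything a given credential did, to scope the damage of a suspect account."""
    return [(e["time"].isoformat(), e["system"], e["action"], e.get("target"))
            for e in events if e["account"] == account]


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    print("Credentials bob used in the last 12 months:",
          systems_used(events, {"bob", "bob-da"}, now))
    known = {"root", "admin", "bob", "bob-da", "alice", "deploy", "svc-backup"}
    for creation in unregistered_account_creations(events, known):
        print("Unregistered account created:", creation)
        print("  its activity:", actions_by(events, creation[3]))
```

The lookback window matters: with `now` set to 1 April 2024 the February 2023 router change falls outside 12 months and is not reported, which is exactly the gap Fimin points to when an organization has no complete list of what someone could access.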
“If there’s no legitimate answer, they can terminate that guy or do any other action including criminal prosecution if they want to go that route,” said Fimin. “This requires extensive auditing. This is our company’s business. This is what we provide – change and configuration auditing. We just go out on all different systems in the IT infrastructure, collect the audit trails and other related change and configuration data and basically we answer one simple question – who did what, when and where? We look at all actions done by everybody, and we record the timeframe and location of the person, username of the person and specifically what was done.”