Last week Anastasio N. Laoutaris, a former IT engineer for a Spring, Texas law firm was sentenced to 115 months in prison and nearly $1.7 million in restitution for an attack he committed in December 2011 against his former employer, Locke Lord LLP. Per the court reports, he inflicted “significant damage to the network, including deleting or disabling hundreds of user accounts, desktop and laptop accounts, and user e-mail accounts.” He inflicted the damage four months after his termination of employment with the firm. How did he do it? He accessed the firm’s network, not once, but twice using his existing user account.
This scenario could have been averted by Locke Lord LLP with some simple controls but not knowing the control environment at Locke Lord LLP, I am left to opine on where there were specific breakdowns in the control implementation. Two critical controls stand out.
First, there should be a procedure in place to handle employee terminations. The procedure should require an accountable method for documenting the removal/disabling of a terminated employee’s account. One such method is a helpdesk ticket. In my opinion, a helpdesk ticket is a better process than email as it is easy to overlook a single email in the seemingly vast ocean of an inbox. Helpdesk tickets also provide visibility to multiple individuals, not just the one individual who received the email to remove the terminated employee’s account. If an email is sent to a group, there is also the potential for individuals to think that someone else on the email will take care of it. Additionally, it is easier to manage and track open helpdesk tickets than whether or not someone completed an action that was sent to them via email; helpdesk tickets are in most cases either open or closed.
Second, there should be regular user access reviews. While it is imperative to remove/disable the terminated employee’s access in the organization’s centralized identity assertion provider (e.g. Active Directory, OpenLDAP, etc), a review of all the accounts attributed to the individual is necessary as some access to corporate assets may not be controlled by the centralized identity assertion provider. Individual user access should be documented in the helpdesk ticket(s) used to initially provide the access to the individual or on the associated HR new hire form. In addition to ensuring terminated employees’ access is removed, user access reviews should include reviews for current employees that may have changed responsibilities within the organization. This is a little more challenging, but can also be addressed procedurally. Communication, follow up and accountability are key tenants to success.
Now back to the story. While Locke Lord LLP claims that no client data was compromised, it likely could easily have been based on the damage Mr. Laoutaris actually inflicted. In addition to the realized damage to the network, there is also un-calculated financial loss based on potential business that has now gone elsewhere.
Here’s the take away: Don’t make it easy for the bad guys. Implemented correctly, both of the two aforementioned controls would have prevented, or at least significantly reduced Locke Lord’s exposure to Anastasio Laoutaris’s attacks.