The perils of the insider threats are often talked about in abstract terms, probably because most organisations want to keep a lid on internally-based bad actors. Every so often, concrete details emerge to highlight what a thoroughly rotten day a rogue employee can inflict on everybody else though.
This is precisely what’s happened here, according to a release from the US Department of Justice.
A cunning plan, a destroyed network
The press release names one Casey K. Umetsu, a (now former) network administrator for a Hawaii based financial organisation. After roughly two years in his role of managing the network and assisting others with technical issues, he was let go.
Umetsu's response? A plan that to use his still-valid “key to the Kingdom” style credentials to make the network inoperable, with an end goal of being rehired by the now flailing organisation, and at a higher salary to boot. Here's a short run down of the chaos he unleashed via the non-retired credentials still in his possession, he: Accessed the site used to manage the organisation’s internet domain; altered the configuration of the company website, misdirecting both web and mail traffic to unrelated computers; and kept the shutout going for several days by “taking a variety of steps to keep the company locked out of the website”.
When we talk about insider threats, we routinely recommend that businesses keep a firm handle on who has what level of access for which systems, and this is why. With a proper system of accountability in place, someone would have been fully aware:
Who has access to which mission-critical credentials
When to revoke access
Where those credentials are handed when an employee leaves
There are so many bespoke systems and third-party platforms in businesses now that correct management of logins and permissions is essential. It only takes one solitary login to slip the net, and the chaos outlined above is the end result.
A rehiring-related mishap
It seems the plan backfired, as the impacted organisation decided to go to law enforcement instead of their former employee. As per the statement from FBI Special Agent in Charge, Steven Merrill:
This is a great example of a company partnering, and working with the FBI, to catch a former employee who sabotaged their network for their own personal gain. We encourage companies to include the FBI as part of their cybersecurity incident plan so we can assist when they have a cyber incident.
Things aren’t looking so great promotion-wise for Umestu, who is faced with a maximum sentence of ten years in prison, a term of supervised release up to three years, and a fine of up to $250,000. It remains to be seen what the federal district court judge decides, but the lesson here is clear. If you leave an organisation and you have any equipment, network access, or other logins still to hand? Make sure you give everything back, and dismiss any thought of coming back in a blaze of hand-crafted chaotic glory. There’s a good chance you may end up downsizing to an office of the “bare walls and prison bars” variety.