IT Security Horror Stories: The System Access Isn't Remote!
A Chief Technical Officer working for a large firm had gone to an out-of-town board meeting and left a junior technician in charge of monitoring the network. The rest of the employees had left for the day, and the tech was working late testing the installation of a new Windows update when the network traffic monitor began to pick up strange FTP traffic coming from a network backup server. The technician assumed the server had become infected with malware of some sort, remotely accessed the system and put it into sleep mode so he could deal with it later.
The technician went back to testing the system update, but after ten minutes the traffic monitor began to pick up FTP traffic again from the same system. Getting rather concerned, the technician called the Chief Technical Officer and explained the situation and how he had responded to it. The CTO told the tech, “Just turn it off, we can deal with it tomorrow.” So the technician remotely shut down the system and went back to work.
Ten minutes later the traffic monitor began to pick up FTP traffic from the same server. The technician called the CTO again and told him that the system had started up on its own, probably from some wake event the malware had set on the system. The CTO screamed into the phone, “That’s impossible! I built that system and disabled all wake events in the system BIOS. There’s someone in the server room! Call the police, get them out now!”
The police soon arrived and found that one of the employees had hidden away after work, logged into the server using admin credentials, and uploaded gigabytes of valuable insider information to an offshore FTP server. Thousands of confidential files on clients and projects were leaked, and the company was sued over the data breach.
While this story doesn’t work as well without a babysitter and a murderer, the point is pretty much the same: if the threat is coming from within the organization, then it’s already too late.
IT security is meaningless when anyone can walk into a server room and upload files to the web. Physical security is meaningless if a miscreant can use another person’s credentials to access a system they shouldn’t be able to reach.