Posted by Kurt Johnson - VP Strategy on Thu, Jan 29, 2009
Network World and Information Week recently reported that a fired computer engineering employee from the beleaguered mortgage giant Fannie Mae had allegedly planted a computer time bomb on the organization's systems. According to court documents, had it gone off, it would have destroyed data on Fannie Mae's 4,000 servers, causing millions of dollars in potential losses, and shut down the mortgage lender's systems for a week. A Fannie Mae Unix engineer found the malicious script by accident.
This incident is further evidence of critical deficiencies that Courion has encountered in working with organizations across a variety of industries. Processes for quickly disabling employees' access when they leave the organization are often lax, and it's often worse for privileged access such as system administration rights.
The discovery at Fannie Mae occurred on Oct. 29. The employee in question was a Fannie Mae contractor who was terminated on Oct. 24. Although he was terminated in the early afternoon, his network access was not terminated until late that evening. Believe it or not, this time frame is actually a lot better than at many companies I've spoken to, where it often takes weeks or months to disable employee access. In the case of Fannie Mae, a few hours was all it took for this person to allegedly plant the malicious script.
It's a bit ironic that troubles at Fannie Mae kicked off the spiral of economic decline that had been brewing for some time. It was the government takeover back in Sept. that exposed much of the underlying weakness that has seen a significant dip in the Dow and worldwide markets, an increasing credit system crisis, and an ever-increasing barrage of reported layoffs. Increasing layoffs mean a higher likelihood of disgruntled ex-employees. The lag time between when an employee is terminated and when their access is disabled is a critical area of risk for organizations. It's these accounts we have been calling Zombie Accounts. They are still alive, though the access is no longer appropriate.
There is a perfect storm of activity occurring. More data and information is online and available to a broader variety of user types (employees, contractors, partners, and customers), who can access it from more devices (cell phones, PDAs, laptops, etc.) than ever before. The increasing layoffs lead to a higher potential for disgruntled employees and thus an increase in the potential for malicious activity.
These are exactly the issues Courion has focused its efforts on alleviating for our customers. It's critical that organizations build an access assurance framework that starts with getting a firm understanding of which users have access to which systems, resources, and information. This process will identify any zombie accounts so that they can be disabled immediately. Once this initial crisis has been averted, an ongoing process that automates employee terminations, including the immediate disablement of accounts (privileged access included), will reduce a current source of significant exposure. Ongoing access verification, where managers understand and sign off on the access their employees have, ensures strong governance over this on an ongoing basis.
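As a sketch of the first step described above (an added example, not Courion's product or code from the original post), the following reconciles an HR termination feed against an account inventory to list zombie accounts, privileged ones first, and to measure the termination-to-disable lag. The record layouts, account names, and dates are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the incident): an HR termination feed
# and an account inventory exported from each system.
TERMINATIONS = {
    "jdoe":   datetime(2009, 1, 5, 13, 0),
    "asmith": datetime(2009, 1, 12, 9, 30),
}
ACCOUNTS = [
    # (system, account, owner, privileged, enabled, disabled_at)
    ("ldap",   "jdoe",      "jdoe",   False, False, datetime(2009, 1, 5, 22, 0)),
    ("unix01", "jdoe-root", "jdoe",   True,  True,  None),
    ("vpn",    "asmith",    "asmith", False, True,  None),
    ("ldap",   "bwong",     "bwong",  False, True,  None),
]

def find_zombies(terminations, accounts, now):
    """Return still-enabled accounts owned by terminated users, privileged first."""
    zombies = []
    for system, account, owner, privileged, enabled, _ in accounts:
        term = terminations.get(owner)
        if term is not None and enabled and term <= now:
            zombies.append({"system": system, "account": account, "owner": owner,
                            "privileged": privileged, "exposed_for": now - term})
    # Privileged accounts first, then longest exposure first.
    zombies.sort(key=lambda z: (not z["privileged"],
                                -z["exposed_for"].total_seconds()))
    return zombies

def disable_lag(terminations, accounts):
    """Lag between termination and disablement for accounts that were closed."""
    return {(s, a): d - terminations[o]
            for s, a, o, _, en, d in accounts
            if o in terminations and not en and d is not None}

if __name__ == "__main__":
    now = datetime(2009, 1, 29, 12, 0)
    for z in find_zombies(TERMINATIONS, ACCOUNTS, now):
        tag = "PRIVILEGED" if z["privileged"] else "standard"
        print(f"{z['system']}/{z['account']} ({tag}) "
              f"still enabled {z['exposed_for']} after termination")
    for (system, account), lag in disable_lag(TERMINATIONS, ACCOUNTS).items():
        print(f"{system}/{account} disabled {lag} after termination")
```

Mapping every account to an owning person, rather than matching on login name, is what lets the shared or administrative account (`jdoe-root` here) surface alongside the personal one.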
The last thing Fannie Mae needs at this time is more bad press. They should consider themselves very lucky that significant losses were avoided. It sounds like some of the government bailout money should go to a nice bonus for the employee who stumbled across the malicious script. They, and others, may not be so lucky next time. We've seen similar issues at Lending Tree.
In these times of increasing layoffs, it's essential that organizations assess their access assurance processes to ensure that access to critical information is shut off immediately. But that assumes an organization knows what that access is in the first place.