Billions & Billions of eyeballs, six continents, 10k+ servers, and plenty of lessons learned over 2+ decades in IT. If you're looking for quick tips on optimizing tech, managing suppliers, and growing a business, 20 Minutes Max is the space for you.
Join me as I talk about things that come up during my day and share insights on taking your business to the next level. In less than 20 minutes, you'll walk away with actionable advice and strategies for success. Take advantage of this valuable resource for CEOs, CFOs, and business leaders.
Imagine you have an employee remotely connect to your system and implant malware, leave taunting messages for other employees in your code repos, delete your code repos, delete your logs, break your config management and infrastructure-as-code systems, lock other employees out of your AWS accounts, email themselves proprietary code, and impersonate coworkers with other messages and nefarious actions. Not only did that all happen, but it was 100% preventable. I'm Max Clark. I'm going to talk you through a really crazy story that started in March of 2020 and just concluded recently with the sentencing of this person. So without getting into too many specifics, I'll tell you that this was a cloud engineer, a.k.a.
Speaker 1:DevOps engineer working for a bank, who was just sentenced to 2 years in prison, plus restitution and probation, supervised parole, I mean, supervised release. And the actual charges were violations of the Computer Fraud and Abuse Act, specifically obtaining information from a protected computer and damaging a protected computer system. So those are charges 1 and 2. The 3rd charge was making false statements to a government agency, in this case, the Secret Service.
Speaker 1:So here's the timeline. I'm gonna talk through the timeline really quickly. I took some notes, and then I'm gonna talk about the absolute, complete and utter failures here by this bank, which is even more crazy to me. This isn't some story affecting some hapless small-medium business. This is happening to a bank who should have known better.
Speaker 1:In early March 2020, the infosec team gets a notification that this person is using their work laptop to plug in and transfer files off of USB drives. So it's a company-issued device, it's a laptop, and he's plugging in USB drives and copying files on and off the USB drives. In addition to that, they have detected and figured out that he is downloading stuff off the Internet, which is bad. Pirated content, including pornography. By the way, this has probably been going on for a long time.
Speaker 1:They just finally noticed it. So he gets called into a meeting with his HR team, and the meeting doesn't go well, and from reporting, he later that day sends what I would just describe as a crazy email to the HR team. Just this rambling, nonsensical email that's been posted in news reports. And mind you, the next day he's called into the office for another meeting.
Speaker 1:They tell him to bring his stuff, which he does not. That's the second meeting the next day, and then he's fired and escorted off the premises and is told to mail his MacBook to them. Interesting choice. So from here he goes home and decides to completely just wreak havoc. He just goes for it.
Speaker 1:Right? So he fires up his laptop, VPNs into their system, gets on the jump box, starts implanting malware. Now, again, the timeline is interesting of just what was going on. He's probably been prepping for this since the previous meeting. When you get called in to HR to discuss why you're downloading porn onto your work computer, you probably have a pretty good indication of where the story's going. VPNs in, implants malware, makes code changes, deletes code repos, deletes logs, tries to cover his tracks, changes AWS credentials, locks people out of it, sends himself code, and decides to also impersonate a coworker, apparently one who's pissed off that somebody got a promotion when he didn't.
Speaker 1:Around this time, so hours later, the bank finally revokes his credentials, or they discover, excuse me. Yeah, this timeline, I'm incorrect. So at this point, somewhere along this line, they disable his credentials, which stops it. So he can't do anything else.
Speaker 1:And then at some point after that, they discover that he's, so it's so crazy. They discover the break-in and damage and call him demanding he return his equipment to them, which starts this game of cat and mouse of him dodging them for the next couple of weeks. It's a bank, so they have to report the intrusion. The Secret Service gets involved. Secret Service reaches out and asks him, what's going on?
Speaker 1:He gives them a cockamamie story. They ask him for the equipment. He says the laptop was stolen out of his car. He doesn't have it anymore, which ends up as a charge for lying to a government agency. So OMG.
Speaker 1:It's so crazy. Okay. So let's unpack this for a second and just talk about, I have some really, really basic questions here. The infosec team receives a notification that he's plugging USB drives into his laptop and transferring files and downloading pornography. That signifies that they're running an EDR.
Speaker 1:They're running an EDR and the EDR is present on the laptop. Why? Really basic thing here. EDRs are great. And here's a good example of the kind of stuff you get off of them. But, like, why were the USB ports active on a laptop that was issued to an employee that had access to sensitive information?
Speaker 1:Forget the sensitive information stuff. When you talk about it from, like, layers of threat, there are at least great stories of, like, red teams going in, leaving USB drives and flash drives in the parking lot, just seeing which employees are gonna plug them in so that way they can get out of the network. Disable USB drives. Oh, we don't know how to disable the USB drives. Yes.
Speaker 1:This is functionality that you can deploy via MDM or UEM systems. And as part of the enrollment into the MDM and UEM, by the way, this was a MacBook, which means that shipped from Apple it could be configured to auto-enroll into the MDM or UEM platform. And by the way, MDM is mobile device management, and there's unified endpoint management. And really MDM was what it started as, and then somebody decided to relabel it because they wanted to bring mobile and non-mobile devices and cell phones and everything and laptops into one platform and decided we have to call it UEM now. So my brain still doesn't associate that, because I'm so old that I think MDM.
Speaker 1:So anyways, you enroll your devices into an MDM or a UEM platform and you disable USB drives. Like, you just don't make it a thing that's even available. I mean, okay. Look. This guy should not have been using his work laptop doing what he was doing in the first place, but you remove that as just a thing. Like, just disable access to your USB drive.
Speaker 1:So you need an MDM or UEM tool that gives you support for that, and you go and you configure it and you say, no USB access. Boom. Gone. It's eliminated. Threat vector gone.
Speaker 1:People cannot plug USB drives into your laptops and potentially put malware onto them, ransomware, etcetera, or at the same time download stuff to their laptop and then exfiltrate data off of your system via just plugging in a USB drive. That's my first question. My second question is, why wasn't there some kind of web gateway in place here? Right? How is he downloading, and this was shaky because I'm reading news reports, but how are you pirating content slash visiting porn sites slash downloading pornography onto a company device?
Speaker 1:Really basic, rudimentary web filtering would detect and would block this. And so it's very strange to me that, like, why wasn't there a web gateway? Okay. So it's like precursory, just massive failures in policy and systems. Next one: you call somebody in for an HR meeting to discuss the fact that they violated a company policy by using their work electronic device to transfer pirated content on and off of company equipment slash download and access pornography. I would be fascinated to understand the logic of the HR process here at this point, because you have a meeting with an employee, you then receive a crazy CYA, covering-your-tracks email from that employee.
Speaker 1:You decide the next day to then terminate that employee, and then you ask the employee to show up at the office and bring their equipment with them for their termination. And okay, you then terminate that employee and you haven't disabled their credentials. Like, just mind explosion here. Like, this is rookie-level stuff here. If you're terminating an employee that has access to sensitive systems, if you're terminating an employee that doesn't have access to sensitive systems, first off, I would probably argue that you wouldn't wanna necessarily lay your cards on the table and tell them that they're being terminated before they show up to the meeting where they're being terminated. But other than that, while they're in the meeting with your HR team being terminated, the second they step foot in that room, disable credentials. Like, immediately deactivate accounts. This needs to be there. There becomes a small thing of, like, how do you let people go gracefully, and what the process is like, and how do you conduct the actual termination process, and I'm not advocating to not be sensitive in the process, but there is a basic thing here of you disable their accounts. And again, this is a bank we're talking about. The point here is, even outside of a bank, the risk-reward of not doing it, there is no good reason not to do that. Just disable the accounts. This is also a really good argument for why you want to use some sort of IdP or single sign-on system, some sort of centralized account provisioning and deprovisioning platform that you can go and click a button and have credentials deactivated and removed across all of your systems.
Speaker 1:So that way it doesn't require a lot of work. But even within this, he logged into the VPN and then got onto a jump box. So if the VPN had been disabled, if credentials on the VPN had been disabled, he wouldn't have been able to do any of this stuff. This wouldn't have been a news story. More than likely, and what my assumption is at this point based on everything else I've read, is that the VPN didn't have shared credentials with whatever the rest of the system was. There probably wasn't a centralized IAM or IdP platform in play. They probably weren't running something where they could go in and just click and deactivate. They probably deactivated his email and thought that that was perfectly fine, except it says that he emailed himself. So I mean that could mean that he used the work system, or he used his Gmail account or Yahoo account or some other email account to email himself. So who knows what actually happened here other than it's just a failure, and I've completely gotten sidetracked a little bit.
Speaker 1:And then to continue the insanity, after discovering that he's been a naughty boy and done naughty things, they go back onto this tangent of insisting that he bring his laptop and give his laptop back to them. I mean, at this point, I'm gonna try to give the benefit of the doubt. The assumption here is that they wanted the device back to be able to do forensics to prove that he had done bad stuff. Right? But I mean, this goes back to why you want an MDM or UEM platform in play, because what do you do?
Speaker 1:You go like this. You go click and you say the machine goes and just gets deleted. Right? So in terms of, again, that separation process: immediately deactivate accounts, credentials, etcetera, remotely wipe devices, ship your equipment back to us. But in the meantime, it's gone.
Speaker 1:Like, you can't turn it on. Like, you turn it on, you get the screen that says your device has been disabled. Now, again, he's rightfully going to jail for doing this, and there's even more craziness. There's even more craziness after all of this. This person ends up working as a DevOps engineer for 2 other firms. So he's been employed for the last three and a half years since this event took place with 2 different companies, which means those companies' hiring processes need serious introspection. No reference checking at all. No background check at all.
Speaker 1:No Google search at all. Like, I mean, that's the first one. Okay. Maybe they didn't. This hadn't broken yet.
Speaker 1:Fine. But the second one's timeline is really bad. And if I was doing business with the second company, I'd really question a lot about what's going on there. I mean, whoo. Anyways, so a couple of morals of the story here.
Speaker 1:The first one, of course, is don't do illegal things and break the law. And I guess there's 3 morals of the story. Right? The first one is, don't use your work equipment to do stuff that's gonna get you in trouble, that's gonna violate work policy or make your employer have to make employment decisions. Right?
Speaker 1:So, like, people need to understand that, I mean, again, just don't use work devices. Go out and buy yourself your own laptop. You should assume at all times that your work device is being monitored by your employer. It just is. So don't use work devices. Don't break the law and then decide to go vandalize your employer's work platform after you've been terminated, because it's gonna not be worth it, in this case 2 years in jail. But for a company, if you're employing people and you're giving them computer resources, I mean seriously, basic rudimentary controls on these platforms.
Speaker 1:Right? Disable USB devices, web filtering. Right? EDR. Fantastic.
Speaker 1:They have one. Great. Value. I mean, what's your separation/termination process? Disable credentials.
Speaker 1:You don't wanna have an IAM. You don't wanna have identity access management. You wanna have control of your identity. You wanna be able to deactivate immediately. Right? And even if the assumption here is that the VPN was not connected to the identity platform, that's a big no-no.
Speaker 1:Like, immediately antiquated, non-connected, I mean, this was Colonial Pipeline. Like, just get rid of it. There are excellent VPN secured remote access platforms, ZTNA systems, software-defined perimeters. I mean, there's lots of different acronyms that go with this one, but core with all of those platforms is that they link in and connect with your identity system or your single sign-on system. So that way when you disable the account, they can't VPN into your system anymore.
Speaker 1:And if you're giving people devices, again, an MDM. Have the ability to remotely wipe that device. And that's not even from, like, a separation/termination thing. This is also from, like, I mean, what happens if the laptop was stolen out of the back of the car? You wanna have your company data just floating around and, like, lose control over it? I mean, how many times do we have to hear these stories of, like, some laptop being stolen with all the social security numbers for a company because an HR person had them in an Excel file.
Speaker 1:Right? Have control of your devices if they're not in your physical control. Even if they're in your physical control, you want to have this. This gives you manageability at scale, right, but maintain control of these devices. So yeah. I'm Max Clark. This is one of the crazier things I've read recently, and it shouldn't have happened on both sides.
Speaker 1:And if you're running a business, protect yourself. Make sure that you're not part of these headlines, because you can protect yourself with very basic systems and prevent it from happening and not even have this be a possibility, a concern. And maybe they still do something stupid and you find them and you fire them, but, like, the amount of damage that was done here was completely unnecessary and completely unavoidable. Anyways, I'm Max Clark. Have a fantastic day.
Speaker 1:Hope this helps. Good feeling.
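The episode's separation advice boils down to one reconciliation question: after HR declares a termination, is the person still active anywhere (IdP, a VPN with its own user database, AWS IAM), is their company device still unwiped, and did they successfully log in after the cutoff? The script below is an added example, not code from the episode or from Max Clark; it runs that check over constructed sample data. The system names, the MDM inventory fields and the VPN log line format are all assumptions, and in a real deployment the snapshots would come from the IdP, VPN and MDM APIs rather than inline dictionaries.

```python
"""Offboarding reconciliation check (added example; all data constructed).

For each terminated user, report:
  * systems where the account is still active
  * company devices assigned to the user that were not wiped
  * successful VPN logins after the termination time
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime  # moment HR declared the separation


@dataclass(frozen=True)
class VpnEvent:
    ts: datetime
    user: str
    result: str
    src: str


# Constructed snapshot (hypothetical) of who is still active where.
TERMINATIONS = [Termination("jdoe", datetime(2020, 3, 11, 17, 0, tzinfo=timezone.utc))]
ACTIVE_ACCOUNTS = {
    "idp": {"asmith"},              # IdP already disabled jdoe
    "vpn": {"jdoe", "asmith"},      # VPN keeps its own user database
    "aws_iam": {"jdoe", "asmith"},  # IAM user never removed
}
MDM_DEVICES = {
    "MBP-0042": {"user": "jdoe", "wiped": False},
    "MBP-0043": {"user": "asmith", "wiped": False},
}

# Constructed VPN authentication log in a hypothetical key=value format.
VPN_LOG = """\
2020-03-11T16:30:12Z vpn01 auth user=jdoe result=success src=203.0.113.5
2020-03-11T18:02:44Z vpn01 auth user=jdoe result=success src=203.0.113.5
2020-03-11T18:10:01Z vpn01 auth user=asmith result=success src=198.51.100.7
2020-03-12T01:15:33Z vpn01 auth user=jdoe result=failure src=203.0.113.5
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_vpn_log(text):
    """Parse log lines into VpnEvent records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(VpnEvent(ts, m["user"], m["result"], m["src"]))
    return events


def post_termination_logins(terminations, events):
    """Successful VPN logins by a terminated user after that user's cutoff time."""
    cutoff = {t.user: t.terminated_at for t in terminations}
    return [e for e in events
            if e.result == "success" and e.user in cutoff and e.ts > cutoff[e.user]]


def offboarding_gaps(terminations, active_accounts, mdm_devices):
    """Accounts still active and devices not wiped for each terminated user."""
    gaps = []
    for t in terminations:
        for system, users in active_accounts.items():
            if t.user in users:
                gaps.append(f"{t.user}: account still active in {system}")
        for device_id, info in mdm_devices.items():
            if info["user"] == t.user and not info["wiped"]:
                gaps.append(f"{t.user}: device {device_id} not wiped")
    return gaps


def run_check(terminations=TERMINATIONS, active_accounts=ACTIVE_ACCOUNTS,
              mdm_devices=MDM_DEVICES, vpn_log=VPN_LOG):
    """Combine both checks and return all findings as a sorted list of strings."""
    findings = offboarding_gaps(terminations, active_accounts, mdm_devices)
    for e in post_termination_logins(terminations, parse_vpn_log(vpn_log)):
        findings.append(
            f"{e.user}: VPN login at {e.ts.isoformat()} from {e.src} after termination")
    return sorted(findings)


if __name__ == "__main__":
    for finding in run_check():
        print("FINDING", finding)
```

On the constructed data the check surfaces exactly the failures the episode describes: the IdP disabled the user, but the stand-alone VPN and the AWS IAM user were never touched, the laptop was never wiped, and the user logged into the VPN an hour after termination. Wiring the VPN to the IdP collapses the first two findings into one click, which is the point being made about SSO-linked remote access.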