Page 1000 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

                  that he was being fired at about 10:30 a.m. on September 1, 2016.
                  It apparently took company employees about an hour to get him
                  out of the building.

                  At about 11:30 a.m., authorities state that he used a previously
                  created backdoor account to shut down the company’s email and
                  application servers. The application servers managed the
                  production line, warehouse, customer orders system, and
                  warehouse activities. After three hours of downtime and no
                  resolution in sight, management sent 300 employees home.

                  Other damage occurring at the same time included the deletion of
                  core system files, preventing IT personnel from restoring the
                  servers. Additionally, many staff account passwords were changed.
                  Lucchese hired an outside contractor to help them recover and said
                  it took them weeks to catch up with lost orders and production.

                  The backdoor account Venzor created was named “elplaser.” This
                  looks like an office laser printer account. However, an office laser
                  printer does not need the high-level administrator privileges
                  required to cause so much damage. An account review can detect
                  excessive privileges and may have prevented this attack.

                  Police arrested Venzor on October 7, 2016, and he pleaded guilty
                  on March 30, 2017. He was sentenced to 1½ years in prison on
                  July 19, 2017.




               Account Revocation


               When employees leave an organization for any reason, it is important
               to disable their user accounts as soon as possible. This includes when
               an employee takes a leave of absence. Whenever possible, HR
               personnel should have the ability to perform this task because they are
               aware when employees are leaving for any reason. As an example, HR
               personnel know when an employee is about to be terminated, and they
               can disable the account during the employee exit interview.
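
The account review mentioned in the sidebar and the revocation step described above can be combined into one reconciliation of HR status against enabled accounts. The following is an added example, not code from the study guide; the CSV column names, group names, and all sample records are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not data from the book). Column names are assumptions.
HR_ROSTER = """\
employee_id,status
1001,active
1002,terminated
1003,leave
"""
ACCOUNTS = """\
username,owner_id,enabled,groups
arivera,1001,true,Users
bchen,1002,true,Users;VPN
cokafor,1003,true,Users
dmorales,1004,true,Users
svc_backup,,true,Backup Operators
hp-laser2,,true,Domain Admins
oldtemp,1002,false,Users
"""
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumed group names


def review_accounts(hr_csv, accounts_csv):
    """Return (username, finding) pairs for enabled accounts needing action."""
    status = {r["employee_id"]: r["status"]
              for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to revoke
        owner_id = acct["owner_id"].strip()
        groups = {g for g in acct["groups"].split(";") if g}
        if owner_id and owner_id not in status:
            findings.append((acct["username"], "DISABLE: owner not in HR roster"))
        elif status.get(owner_id) in ("terminated", "leave"):
            findings.append((acct["username"],
                             f"DISABLE: owner status is {status[owner_id]}"))
        elif not owner_id and groups & PRIVILEGED_GROUPS:
            # Device or service-style account holding admin rights with no
            # accountable person: the excessive-privilege case from the sidebar.
            findings.append((acct["username"], "REVIEW: privileged, no owner"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{user:12} {finding}")
```
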


               If a terminated employee retains access to a user account after the exit
               interview, the risk for sabotage is very high. Even if the employee
               doesn’t take malicious action, other employees may be able to use the