This article talks about the conviction of Pryavrat Patel for actions he took after his long-term contract employment with Pratt-Read was terminated.
Now, what Mr. Patel did was definitely wrong, but frankly, Pratt-Read should probably put some thought into how they dealt with the situation too. It took them two weeks to recover from the actions of Mr. Patel and, per the article, were actually using paper and pencil at one point to keep the business running.
So, how do you bake a fail-cake?
Ingredients:
- Long-term system administrator.
- No apparent backups.
- No apparent disaster recovery plan.
Directions:
Have system admin work on systems for 8 years. Terminate said administrator. Leave remote access available to administrator and also leave access rights in place. Wait one month and break out pad and pencil to manage business when the systems can’t be used after administrator visits via remote access.
This isn’t the first story of a fired employee/contractor retaining access after being fired and causing mischief, nor will it be the last. However, it does drive home a few things we really ought to be doing in order to protect our business. Not only from situations like this, but in general.
The short list of failures I see in this story are:
- No process to terminate remote access and revoke access rights.
- Apparently, no backups.
- Apparently, no disaster recovery plan or a very poor one if it existed
So kids, make sure you change those passwords and disable the accounts of your departing personnel. Make double sure you change the administrative user passwords on all systems that said individual accessed, have a business continuity and disaster recovery plan, and backup your systems. Finally, test those plans and backups. If they don’t work, you are still in the same spot as if you didn’t have them in the first place.
Kevin
Posted by Kevin Riggins 
Infosec Ramblings 