Who watches the admin

I must be the only Infosec blogger in America not to have blogged about the Fannie Mae IT contractor….until now
For those who don’t know, a IT contractor at Fannie Mae was fired, but he was allowed to finish out the day. An indiictment alleges that he then planted malicious code inside a script. The code was placed at the bottom of a regularly scheduled script, with a page of blank lines designed to obscure the addition of new code from anyone who happens to look at the file. If run, it would have securely erased files and critical applications from the system. It would have replaced the shadow file to prevent their password management appliance from logging in. Lastly it disabled remote power-on, and shut the machine down.
A good writeup on the incident is provided by Larry Dignan at ZDNet. The complaint is located here.
I was thinking about that article this week because of a rumored RIF (Reduction in Force) occuring where I work. I’ve heard one person was informed on Monday that Friday is their last day. It seems to me that when you are allowing continued access for people layed off or fired that it would be a good idea to keep a close eye on what they are doing. If people are disgruntled, that is when they are going to plant logic bombs, create back doors or download all company files.
Even if you know who is disgruntled (due to layoffs, promotion denial or bad performance review), how do you track them? Varonis is one product that I’m interested in. From product pitch I saw, it would do a good job of letting me know if someone is trying to download everything on the file server or otherwise acting out of the ordinary.
Real change management would catch the malicious attacks. Something like Tripwire would report on the addition/modification of a file.


  1. Perhaps flow analysis will become sophisticated enough to detect the anomaly merely by the unusualness of activity in the miscreant’s ssh connection. http://www.darknet.org.uk/2009/02/flowmatrix-free-network-behavior-analysis-system/
    For Fannie Mae now, monitoring all logs and tracking critical files with an event correlator like ossec http://www.ossec.net/ that can alert on changes and store diffs could have covered them.
    The problem in the small business is that no one can understand that someone needs to have the time to be able to watch all the logs..

  2. I really don’t think this is something that needs technology thrown at it – it needs process and management.
    Being laid off is a very emotional experience. Being fired, even more so. Advocating anything technical when dealing with human emotions just isn’t smart.
    Every time I’ve ever released someone, even if they are going to have a few more days at the job site, it was with the understanding they had just lost their admin privileges. We just couldn’t afford to take the chances of letting them retain rights.

  3. That’s a really popular sentiment right now in infosec. “technology doesn’t solve people problems.” Technology does catch lapses in the process and management. It also is a tool that provides visibility into things that would otherwise not have been caught.
    Am I ok because I have a change management program where all changes need approval? No because there is no technology making sure someone doesn’t make unapproved changes. Processes break down. Mistakes happen. Tools are needed to provide oversight.
    What process or management would catch a disgruntled employee downloading the data equivalent of the keys to the kingdom because his next job is with our competitor? Least privilege only goes so far.

Comments are closed.