The other day I read an interesting article. It was about a sysadmin who went bad, really bad: he worked for a fairly large online retail company, but he also had a small company of his own. He used that small company to sell his employer pirated software worth several hundred thousand dollars.
When the BSA audited the company, they got a big surprise. This made them call in consultants, because they were afraid to confront their sysadmin: he had all the passwords, he controlled their whole infrastructure, and they feared he would hold it hostage. The consultants also discovered that the company's servers were hosting a medium-sized porn site. And there is more: the sysadmin had a list of credit card details for several hundred of the retailer's customers.
Of course, this is quite a situation. After the consultants analysed and assessed it, their plan was the following: they came up with a reason to send the sysadmin to the other coast, which gave them a window of opportunity to reset all the passwords while he was on the plane. After that, the bad guy was fired, of course.
Happy ending. But is it? How long is too long to have such a person working for you without noticing that something is wrong? How long is it OK for an online retailer to host a porn site? And many other questions like this.
I always like to consider the worst-case scenario when I make an assessment and take a decision. I wouldn't want to have a fight with my sysadmin. I would keep him happy and, if necessary, make a clean break-up and remain friends. It's not a good idea to have a fight with your car mechanic: you might find yourself without brakes, or a wheel might fall off.
Anyway, I really don't agree with the things this man did. It's just not right. But we all have to realise what the possibilities are, what could happen. This is a funny story to tell, but I bet no one would feel that good in the retailer's shoes.
And I kept reading about this kind of story. I feel that there is a simple cause behind all these incidents: management fails to see people. They only see and manage resources. Resources are easy to handle: they have no feelings, they don't get angry and they don't want revenge. The equation seems simple: you want the best security, you buy the best product. Well, if you don't see the people, you might get hurt, no matter how much you pay for your security products.