Attack of the Disgruntled Network Admin
By: Secureworks
In a CLM of epic proportions (and with possible legal consequences), a network administrator for the City of San Francisco cut off access for some of the 'higher ups' in the city's Department of Technology. Courtesy of SFGate:
"A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday."
"Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."
The result? A big headache for the city, which now has to crack Childs' pass code, effectively breaking into its own system to regain access.
Further down in the article we find that the accused administrator was already on the hot seat:
"Childs has worked for the city for about five years. One official with knowledge of the case said he had been disciplined on the job in recent months for poor performance and that his supervisors had tried to fire him."
To state the obvious, insiders with privileged access can do a great deal of damage if their activities go unchecked. Adhering to the principle of least privilege is ideal, but it can only go so far to reduce the risk of insider abuse, especially when it comes to locking down administrative access for some network and IT systems. That's why it's always good practice to have other controls in place, such as reviewing access privileges before or immediately after potentially volatile events (like disciplinary measures or terminations) and monitoring root and administrative activity on critical systems. It's also a good idea to have a qualified third party periodically audit your access controls to determine if they sufficiently minimize the risk of insider abuse.
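As an added illustration of the two controls just described (not code from the Secureworks post), the script below takes a constructed inventory of which accounts hold admin access on each critical system plus a constructed HR feed of accounts flagged after a volatile event, reports systems where a flagged account is the only admin (the exclusive-access situation in the story), and pulls flagged accounts' sudo activity out of sample log lines. System names, account names and log lines are all invented for the example.

```python
# Added example (not from the Secureworks post): an access-review check for
# the failure mode described above, where one administrator ends up holding
# the only privileged path into a critical system. All inventory data and
# log lines are constructed sample input.
from collections import defaultdict

# Constructed inventory: critical system -> accounts holding admin access.
PRIVILEGED_ACCESS = {
    "core-router-1": {"netadmin1"},
    "core-router-2": {"netadmin1", "netops-breakglass"},
    "fiber-wan-mgmt": {"netadmin1"},
    "payroll-db": {"dba1", "dba2"},
}

# Constructed HR feed: accounts whose holders had a volatile event
# (disciplinary action, pending termination) and need an access review.
FLAGGED_ACCOUNTS = {"netadmin1"}

# Constructed sudo/auth log lines collected from the critical systems.
SAMPLE_LOG = """\
Jul 14 09:12:01 core-router-1 sshd[411]: Accepted publickey for netadmin1 from 10.0.5.20
Jul 14 09:12:30 core-router-1 sudo: netadmin1 : COMMAND=/usr/bin/passwd enable
Jul 14 10:01:07 payroll-db sudo: dba1 : COMMAND=/usr/bin/pg_dump payroll
Jul 14 11:45:52 fiber-wan-mgmt sudo: netadmin1 : COMMAND=/usr/sbin/userdel netops-breakglass
"""


def review_access(access, flagged):
    """Map each system touched by a flagged account to 'exclusive' (every
    admin account on it is flagged, so there is no independent way back in)
    or 'shared' (a flagged account has admin access but others remain)."""
    findings = {}
    for system, admins in access.items():
        hit = admins & flagged
        if hit:
            findings[system] = "exclusive" if hit == admins else "shared"
    return findings


def flagged_sudo_events(log, flagged):
    """Collect sudo commands run by flagged accounts, keyed by host: the
    root/admin activity monitoring the post recommends after such events."""
    events = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        # syslog layout: <Mon> <day> <time> <host> sudo: <user> : ... COMMAND=<cmd>
        if len(parts) > 5 and parts[4] == "sudo:" and parts[5] in flagged:
            events[parts[3]].append(line.split("COMMAND=", 1)[1])
    return dict(events)
```

Systems reported as "exclusive" are the ones where a break-glass account or a second administrator should be added before, not after, the personnel action.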