The disgruntled employee – a security risk

Published on 27 June 2017

Disgruntled employee

Everyone in IT security knows this term, at least when preparing for the CISSP exam. But the first time you come across one in real life is shocking. Back in the 2000s, I worked for an IT security company (no cybersecurity in those days 🙂 ) which also dealt with ethical hacking. Our customer was a well-known university. We had to wake up early to arrive at its facility before 8 AM. Our project was to secure the whole IT infrastructure in 1 hour before the CIO fired the (I mean THE) administrator.

Our first step was to overwrite his administrator credentials, which was not a big deal at that time if you had local access to the systems. Naturally, we suspended all of his credentials. We found several SSH servers and remote access tools on the Windows servers. With deeper analysis, we also found some privileged user accounts that shouldn’t have been there. It was obvious that THE administrator had taken some steps to access the system in worse times.

Everything went well; the university revoked physical access to the premises from THE administrator, who had to leave his workplace by noon. We constantly monitored remote access attempts, and late in the afternoon we noticed that someone was trying to reach the previously disabled remote accounts. Not a big surprise: THE administrator tried to take revenge on his previous employer.
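The monitoring step in this story, watching for any attempt to use accounts that were suspended that morning, can be reproduced over OpenSSH logs. The following is an added example, not code from the original article or from Balabit; the account names, cut-off time, addresses and log lines are constructed, and it assumes sshd messages written with ISO 8601 timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical inputs: accounts suspended during offboarding and the cut-off time.
REVOKED = {"oldadmin", "svc_legacy"}
REVOKED_AT = datetime.fromisoformat("2024-01-15T08:00:00+00:00")

# Constructed sshd lines (rsyslog ISO 8601 timestamp format), not real log data.
SAMPLE_LOG = """\
2024-01-15T07:12:03+00:00 gw1 sshd[811]: Accepted password for oldadmin from 192.0.2.10 port 50211 ssh2
2024-01-15T09:30:44+00:00 gw1 sshd[902]: Accepted publickey for alice from 192.0.2.20 port 50300 ssh2
2024-01-15T16:41:09+00:00 gw1 sshd[977]: User oldadmin not allowed because account is locked
2024-01-15T16:41:12+00:00 gw1 sshd[977]: Failed password for invalid user oldadmin from 203.0.113.7 port 41822 ssh2
2024-01-15T16:43:30+00:00 gw1 sshd[981]: Failed password for svc_legacy from 203.0.113.7 port 41901 ssh2
2024-01-15T17:02:55+00:00 gw1 sshd[990]: Accepted publickey for svc_legacy from 203.0.113.7 port 42010 ssh2
"""

# Matches accepted logins, failed logins and locked-account rejections from sshd.
EVENT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:"
    r"(?P<ok>Accepted) \S+ for (?P<u1>\S+) from (?P<ip1>\S+)"
    r"|Failed \S+ for (?:invalid user )?(?P<u2>\S+) from (?P<ip2>\S+)"
    r"|User (?P<u3>\S+) not allowed because account is locked)"
)

def revoked_account_activity(log_text, revoked=REVOKED, since=REVOKED_AT):
    """Return {account: [(timestamp, source, outcome), ...]} for post-revocation events."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        user = m["u1"] or m["u2"] or m["u3"]
        ts = datetime.fromisoformat(m["ts"])
        if user not in revoked or ts < since:
            continue  # activity before the cut-off was still legitimate
        # SUCCESS on a revoked account means a key or password survived the cleanup.
        outcome = "SUCCESS" if m["ok"] else "denied"
        hits[user].append((ts, m["ip1"] or m["ip2"] or "-", outcome))
    return dict(hits)

if __name__ == "__main__":
    for user, events in revoked_account_activity(SAMPLE_LOG).items():
        for ts, src, outcome in events:
            print(f"{ts.isoformat()} {user} from {src}: {outcome}")
```

Denied attempts confirm that someone is probing the suspended accounts; a SUCCESS line is the case to escalate, since it points to an access path the cleanup missed.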

Security Issue at Verelox

That story came into my mind when I read that there was a security issue at Verelox, a provider of dedicated KVM and VPS servers based in The Hague, Netherlands. The company suffered a catastrophic outage after a former administrator deleted all customer data and wiped most of the company’s servers. At Balabit, we promote the supervision of privileged users because they have the potential to cause devastating harm to enterprise IT environments with just one click.

With Balabit Privileged Access Management, you can easily centralize and control all remote access, e.g. over SSH and RDP. A former privileged user therefore won’t be able to circumvent the central security enforcement point, and revoking their access becomes much easier. Moreover, with Balabit Privileged Session Management you can blacklist dangerous commands (e.g. rm or shutdown) or applications on a Windows Server so that they can’t be used, and the remote session can be terminated instantly if they are issued. If you can’t specify such a blacklist, Balabit Privileged Account Analytics helps you identify unusual privileged user activities as soon as they happen, so you can stop rogue internal attacks before they escalate.

While these disgruntled employees are few and far between, the risk they pose is too great to simply hope for the best. Advanced Privileged Access Management tools can streamline workflows, making privileged users’ work easier while keeping your IT systems safe from someone out for revenge.

by Csaba Krasznay

Csaba Krasznay is Balabit's Security Evangelist. He is responsible for the vision and strategy of Balabit's Privileged Access Management solutions. He was elected “Most Influential IT Security Expert of the Year 2011”.
