A senior Unix administrator known only as “SK” admitted she got lucky when she found the malicious script planted in a development server on the network.  “The malicious script was at the bottom of the legitimate script, separated by approximately one page of blank lines, apparently in an effort to hide the malicious script within the legitimate script,” states an affidavit filed against Rajendrasinh Makwana, an Indian citizen living in the United States under a work visa.  Makwana is accused of illegally accessing Fannie’s network after being fired from the job. Had the script executed as planned, 4000 servers at Fannie would have been wiped clean tomorrow, January 31st.

According to an InformationWeek article here:

The discovery occurred on Oct. 29. Makwana had been terminated as a Fannie Mae contractor on Oct. 24, around 1 or 1:30 p.m., the affidavit says, but his network access was not terminated until late that evening. Makwana was fired for allegedly creating a computer script earlier that month that changed server settings without the permission of his supervisor.

Makwana was not required to turn in his badge or Fannie Mae-supplied laptop until the end of the day on Oct. 24. According to Nye’s affidavit, it was during that afternoon that Makwana is alleged to have planted the malicious script.

Makwana had planted his script by using his existing credentials over an encrypted channel.  Since his accounts were still active and his access rights still in place, no technological solution could have prevented or stopped such an attack.  But it clearly highlights the threats posed by internal users.

Information security is sometimes more about enforcing procedures than policies.  In Makwana’s case, the policies were followed for a termination in that accounts were disabled by the end of the employee’s last working day, but the procedures perhaps could have included building security escorting the employee and  the timely confiscation of corporate equipment.

Everyone wants to trust their employees as friends and colleagues.  And enforcing a procedure that requires a security guard to watch the employee pack his things and turn in building passes, credentials, laptops, phones, and other personal items just makes your company look like a cruel, bullying entity.  However, not following such a process could jeopardize your data.