Former IT Manager, Current Security Threat?

In the wake of the dot-com crash and numerous financial scandals that have rudely ushered in the new millennium, we’ve become accustomed to seeing corporate executives sentenced to prison.

Martha Stewart, of course, just completed her stay in a federal facility, while former WorldCom CEO Bernie
Ebbers may soon trade pinstripes for a different kind of striped attire.

But, for me at least, it was a little jarring last Wednesday to read this headline: IT Manager Sentenced to Prison in Hacking Case

The case involves a network professional, Mark Erfurt, who pleaded guilty to breaking into the IT system of his former employer, Manufacturing Electronic Sales Corp. (MESC) of Santa Clara, Calif., in January 2003, eight months after MESC terminated its contract with him.

Erfurt, 39, admitted in a plea agreement to using Symantec’s pcAnywhere remote software to breach the MESC network. Once in, Erfurt confessed, he deleted data, perused the company president’s e-mail and downloaded a proprietary database. He also tried to cover his tracks by overwriting backup tapes documenting the hack. This earned Erfurt an obstruction of justice charge, to which he also pleaded guilty.

Erfurt now faces five months in prison, plus five more months of home detention and three years of probation, along with $45,000 in restitution. Given that he could have gotten up to 20 years for the obstruction of justice charge alone, Erfurt should feel relieved.

At the time of the break-in — and even now — Erfurt was employed by Irvine, Calif.-based Centaur, another manufacturing company and a MESC competitor. Centaur’s CEO has stressed that Erfurt’s hack was a solo effort (even though he used Centaur equipment to perpetrate the attack) and not a case of corporate espionage. But it easily could have been.

Indeed, this case underscores the near-universal mantra of network security experts — the biggest threat to an enterprise comes from within. And “within” doesn’t necessarily mean the guy in the cubicle down the hall — it also can include former employees who have the means of access and motivation to break into a network. Like Erfurt.

That’s why smart companies, when terminating a person’s employment, will immediately shut down the departing worker’s access to the network, from e-mail to IM to VPNs. It may seem callous to empathizing colleagues (“he didn’t even get to say goodbye”), but there’s no other responsible choice.

And though usually the worst that might happen is the boss will get flamed
in a company-wide e-mail, it would be foolish to allow an angry, and perhaps vengeful, fired worker even temporary access to important documents.

Those measures may not have stopped Erfurt, who in his plea agreement said he had “administrative-level access” to MESC’s password-protected system. That, however, raises another important point: MESC apparently wasn’t fully utilizing the security features of pcAnywhere. In this
article, a Symantec product manager says pcAnywhere can be configured to restrict network access to specific computers.

MESC went out of business last June. Erfurt’s attack — which obliterated sales records, non-disclosure agreements, proprietary technical information and back-up data, according to the company’s former CEO — may have ensured the company’s demise. And all because its network wasn’t as secure as it could have been.

That’s a tough way to learn a lesson.