An ex-employee of Energy Future Holdings logged on to the corporate VPN and caused $26,000 in damages related to lost business, reports say.
A company spokesperson told InternetNews.com that the company could not comment due to an ongoing FBI investigation, but added, “at no time were any of our operations at risk, and the employee under investigation did not have access to customer data so it has not been compromised.”
The security of the U.S. electrical grid made news in a bad way last month when it was reported that spies had compromised its security.
Today’s news vindicates security regulators, said one commentator.
“This breach is likely to be considered a major win for NERC CIP, demonstrating that good overall security policy and standards can protect an organization in the event of procedural error,” Eric Knight, senior knowledge engineer for log management vendor LogRhythm, said in an e-mail to InternetNews.com.
“This provides evidence that security for the U.S. power companies are improving and not as uniformly weak as many might have been led to believe,” Knight said. “Employee sabotage is difficult to prevent, especially given the alleged perpetrator appeared extremely skilled, but the measures in place successfully identified the actions of this individual in great detail.”
The news comes shortly after a report from identity management specialist SailPoint said that most IT departments are unprepared for layoffs because they cannot get a complete view of a terminated employee’s access privileges from any one tool.
Efforts to consolidate management can also go awry. Companies can end up with five tools, each of which is supposed to deliver single sign-on to all enterprise apps, according to Nitin Mangtani, lead product manager for Google (NASDAQ: GOOG) enterprise search.
Why did the employee still have VPN access after termination? Why was he able to alter the data used to forecast demand, shutting down part of his former employer for a day?
The IT environment is complex at large companies because business managers rather than IT managers choose what applications are deployed, according to Guy Mounier, CTO of enterprise search enhancer BA Insight.
“A centralized IT department can impose rational portfolio consolidation, but the reality is that most divisions have strong profit and loss (P&L) responsibilities, and if they value a piece of technology, they will use it regardless of the rest of the company’s strategies and goals,” Mounier told InternetNews.com.
The complexity is growing, according to Brian Cleary, vice president of marketing at identity management company Aveksa, and makes handling layoffs harder.
“During a workforce reduction, the first thing the IT department does is pull network access control, but they forget to turn off any back door. Think of all the applications that present themselves via a Web interface. Organizations are missing those and leaving themselves exposed,” Cleary told InternetNews.com.
The problem of orphan accounts, which are credentials that are still valid even after their user has gone, is usually discovered during audits, such as those for Sarbanes-Oxley compliance, Cleary added.
He said that most IT managers focus on the threat within the IT
department, paying less attention to the challenge of managing key experts. “Losing corporate intellectual property (IP) is a big deal,” said Cleary.
Cleary challenged IT managers to track the changes to access requirements for joiners, movers and leavers. He noted, for example, that when a database administrator (DBA) becomes a developer, IT departments need to prevent the developer from retaining the DBA credentials for both practical considerations and because that separation is required for compliance purposes. He said that as IT managers focus on handling joiners and leavers, the complex changes required by movers might be ignored.