Tuesday, February 13, 2018

[Cyber-Security Awareness Series] The Delay


YourDomain.com was a big name in domain management for various Fortune 500 companies. Whenever a person or an organization wanted to buy or renew a domain name, “yourdomain.com” was the place to go. It was the market leader in the industry, holding a 90% market share.

It was the early morning of 13th February when Jason, the lead engineer, noticed something strange in the company's name servers. The domains owned by the various customers were not showing up on the administrative page. He immediately called his boss to inform him of the problem. He also called the company help desk to ask whether any issues had been reported. Jason was surprised to hear that a number of customers had called and logged complaints. The domain names and websites of various top customers were either being redirected to objectionable websites or reported as offline. Messaging services were also affected, as the domains were not reachable.

Jason’s boss, Yurik, hurriedly entered the office. He was on a call with top management when Jason waved him over. The incident management team had also been called in. While everyone was trying to understand what had happened, a member of the incident management team declared that he no longer had access to the company's main application administrative page. He said he had been locked out of the system because someone else had logged in as the administrator.

Yurik wondered how the incident management team could have been logged out of the system. He asked the team to check who had logged in. While the team was checking, Maya, the PR manager, called Yurik. She had to release a statement to the media, as multiple websites had reported on the offline domains of companies around the world. The number was mind-boggling: around 333,000 websites had been misdirected or taken offline by the domain name fiasco.
“Hacked” was the word that came to Yurik's mind as he responded to Maya.

While the incident management team was trying to log back in to the administrative server, Jason suggested shutting down the server and removing it from the network. That way, the intruder logged in as administrator would have to wait to log in again until the server was back online. The incident management team decided to try this crude solution, as it would at least let them log back into the system and go through the logs to identify the person behind this. However, they warned that it might lead to a loss of data. Yurik gave his go-ahead, as no one had any other ideas.

Jason and Yurik watched as the server rebooted. It took the incident management team around 20 minutes to identify who had logged in to the system. The result was shocking.


What happened?

Around a week earlier, Yurik had signed the release form for a team member, Madhav, who had been suspected of wrongdoing in the company. Madhav was quite angry about this and had warned his manager of dire consequences. Yurik and HR had completed all the formalities the same day. His access card was also taken back so that he could not enter the premises.

Nothing would have happened if Yurik and his team had also revoked his logical access (had it been revoked, Madhav’s credentials would simply not have worked). Madhav logged into the server using the VPN credentials that had been issued to him. He then switched accounts by logging in as the administrator, revoked the validity of a large number of domains managed by the company and redirected many others.

The delay in revoking Madhav's access cost the company dearly. Not only did it suffer major damage to its brand, it also lost market share in the months that followed.

It is often seen that access revocation does not happen on time, and managers or team leaders cite various reasons for the delay. It is always advisable to grant least privilege and to revoke those privileges immediately, as soon as the person is released from the project or the organization. Delays can be very costly.

It is important to manage employee access in a timely manner, and there are multiple identity and access management products on the market to help with this.
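As an added illustration of the gap in the story (this is example code, not part of the original post or any product), the check below reconciles a constructed HR separation feed against a constructed identity-store snapshot and VPN log, reporting how long each leaver's access stayed live, whether that exceeds a revocation SLA, and any successful logons after separation. The SLA, user names and log format are assumptions.

```python
# Offboarding reconciliation: flag accounts still enabled after HR separation
# and successful logons that happened after it. All data below is constructed.
from datetime import datetime, timedelta

SLA = timedelta(hours=4)  # assumed maximum acceptable revocation delay
NOW = datetime(2018, 2, 13, 8, 0)  # constructed "current time" for the check

# Constructed HR separation feed: user -> separation time (UTC)
HR_SEPARATIONS = {
    "madhav": datetime(2018, 2, 6, 17, 0),
    "priya": datetime(2018, 2, 9, 12, 0),
}
# Constructed identity-store snapshot: user -> (enabled, disabled_at or None)
DIRECTORY = {
    "madhav": (True, None),
    "priya": (False, datetime(2018, 2, 9, 13, 30)),
    "jason": (True, None),
}
# Constructed VPN log lines: "date time user result"
VPN_LOG = """\
2018-02-12 23:41:10 madhav SUCCESS
2018-02-09 11:55:02 priya SUCCESS
2018-02-10 08:02:44 priya FAILURE
2018-02-13 06:15:00 jason SUCCESS
"""

def parse_vpn_log(text):
    """Yield (timestamp, user, result) for each non-empty log line."""
    for line in text.strip().splitlines():
        date, time, user, result = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, result

def reconcile(separations, directory, vpn_log, now):
    """Per separated user: how long access stayed live after separation,
    whether that exceeds the SLA, and successful logons after separation."""
    logons = list(parse_vpn_log(vpn_log))
    findings = {}
    for user, left_at in separations.items():
        enabled, disabled_at = directory.get(user, (False, None))
        # Still enabled: the delay is still running, so measure up to 'now'.
        end = now if enabled else (disabled_at or left_at)
        delay = end - left_at
        post_sep = [ts for ts, u, r in logons
                    if u == user and r == "SUCCESS" and ts > left_at]
        findings[user] = {
            "still_enabled": enabled,
            "delay_hours": round(delay.total_seconds() / 3600, 1),
            "sla_breached": delay > SLA,
            "logons_after_separation": len(post_sep),
        }
    return findings
```

Running `reconcile(HR_SEPARATIONS, DIRECTORY, VPN_LOG, NOW)` reports madhav as still enabled 159 hours after separation with one successful VPN logon in that window, while priya was disabled within 1.5 hours and shows no post-separation logons.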

Be Smart, Be CyberSafe.

This story is complete fiction and published to spread security awareness. Any resemblance to any character or situation is purely coincidental.
