A former employee of Baltimore Substance Abuse Systems Inc. compromised his boss’ computer during a presentation and replaced some of the content with pornographic material. It is customary to have policies in place that require terminated employees to be escorted out of the building by either a security officer or member of upper level administration.

However, when it comes of terminating employees, this case highlights the importance of having a solid corporate termination policy. The actions of this former employee embarrass the company during a presentation but what if he would have deleted business critical data and trashed the backups? Or copied the business critical data (i.e. financial data, client credit card data or employees’ information) and sold it to the highest bidder?

It is important to have a policy for limiting access to corporate technical resources after an employee has been terminated. Some basic step include: disabling user account(s), changing or locking all the passwords the former employee had access to, disabling corporate e-mail access and locking down access to their personal workstation.

An email from HR using a pre-configured template to all key stakeholders with a mean of reporting back to HR, confirming the work has been completed, would help prevent this kind of malicious activity. Of course, the account(s) should be monitored to detect potential unauthorized access. Do you have similar horror story to share?

[1] http://www.dailymail.co.uk/news/article-2006962/Fired-IT-manager-hacked-companys-swapped-boss-digital-presentation-porn.html?ito=feeds-newsxml
[2] http://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-computer-hacking-sentence-20110621,0,857376.story
[3] http://nakedsecurity.sophos.com/2011/06/22/hacker-ceo-presentation-porn/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu