Upset by an adverse performance evaluation, BOFH Jon Paul Oson resigned from his job with the Council of Community Clinics (CCC) in San Diego, a non-profit that provides medical services to the poor, uninsured and under-insured. But simply resigning did not satisfy Oson's desire for revenge. On 23rd December 2005, more than 6 months after he had tendered his resignation, Oson accessed the CCC network and disabled the automatic backup processes. On 29th December, Oson again accessed his former employer's network and systematically deleted data, including thousands of patient records. Oson's actions put patients at risk and left CCC with a substantial remediation bill.
Oson didn't get away with his crime. He was recently sentenced to 63 months in the chokey and ordered to pay more than $400,000 in restitution (see FBI news release).
Commenting on the case Assistant US Attorney Mitch Dembin said, "Despite the fact that Oson left unhappy, he remained a friend and trusted colleague of the IT staff. Consequently, although they should have changed all their admin passwords, and had in the past when admins left, they didn't do so in Oson's case. So, the lesson here is that businesses need to protect themselves not only from their trusted employees but also their trusted ex-employees. My experience as a cybercrime prosecutor dates from 1991. The vast majority of the cases I see involve depredations by former and current (soon to be former) employees. That threat vector should be high on the list of companies evaluating their security posture."
Mitch is absolutely correct. Too many businesses are simply too sloppy when it comes to hiring and firing their admins. Let's face it, admins enjoy almost unfettered access to the network and can, if inclined to do so, cause a significant amount of damage.
So, how can you safely sack a BOFH? Well, for one, it's important to remember that BOFHs are sneaky and that, if Operation Terminate is to be executed successfully, you'll need to be even sneakier. You should never give your BOFH advance warning that he's to be terminated - and you should be extremely careful not to do so unintentionally. Don't, for example, send an unencrypted email to your PA saying, "I'm going to can the BOFH ... schedule me an appointment with him for a week on Thursday." BOFHs often read other people's email - especially those of management - and, the moment he discovers that he's to be given the order of the boot, he may very well start demolishing your network. Once you've actually delivered the bad news, you should immediately frog march your BOFH to his desk, supervise while he empties its contents into a cardboard box, frog march him to the exit - and make absolutely sure he goes through it. At no point during the frog march should the BOFH be allowed to touch - or even look at - a computer that's connected to the network.
Handy Hint 1: Courts and industrial tribunals tend to take a dim view of phrases like frog march. Should matters ever get to that stage, it's far better to say that the BOFH was escorted from the premises.
Handy Hint 2: Prior to speaking to the BOFH, ensure that there is a supply of cardboard boxes in the office and arrange for somebody to place one on the BOFH's desk while he's in your office being canned. This can help you avoid the embarrassing silence that will invariably occur if you have to wait with the BOFH while somebody is sent to look for a box (I mean, waddaya supposed to say in such circumstances?).
Some additional Handy Hints for dealing with - and avoiding hiring - BOFHs can be found in our article How to protect your business from rogue administrators.
Published by Brett Callow on Jul 11 2008, 11:36 AM to Computer Security Blog