Behind Locked Doors: Part 2

This time, it was my turn to call someone for help.

The phone rang half a ring before I heard a familiar “Hello?” on the other end.

“Hi, James, it’s Mack. I need a favor from you, and I need today, before 5 pm.”

“Not urgent, huh?” James teased.

“Not really, I just need it today. And I need you to keep it quiet,” I warned.

This is the second post in a series. See Behind Locked Doors: Part 1.

“Sure Mack, anytime. I still haven’t forgotten how you saved my backside during the Merkelt acquisition.”

James was the head email administrator, a bright, tall, energetic guy that I’d worked with on several projects in the past 5 years.

“Your mistake was saved by another mistake, James,” I said, “not by me. You know that.”

James laughed, but it was not a funny, ha-ha laugh; it was the kind of laugh that meant you didn’t know what to say at the moment.

After 2 moments of awkward silence, James said, “Well I also appreciate you keeping my error under your hat. You saved my career at this company.”

My mind traveled back about 9 months, when our company was in the midst of an acquisition. My team was asked to do a security check of the company’s network, servers, and key applications right after we had purchased the company, but before the acquisition was announced.

During the pentest, we found several problems, including the email server, which I quickly compromised. As evidence that I had compromised the server, I created an innocent-sounding admin account.

Once the pentest was over, I directed the server team to fix the vulnerabilities. After all the vulnerabilities were fixed, the server team turned the server over to the email team to reconfigure the server to work with our email domain.

Shortly after that, James made a serious error.

He called me frantically that night, at home. Late.

“Mack, sorry to call so late, but I’m in a bind. I was finishing the reconfiguration of the Merkelt email server, and I screwed up. I’m not sure what to do. I’m hoping you can pull a rabbit out of your hat for me.”

I looked at my watch, which read 10 PM.

“What type of hat do you need, James?”

“Mack, I’m not sure how I did it, but when I changed the Merkelt admin account password, I wrote it down wrong. I can’t log in. When you compromised the server, did you create your own admin account? You usually do.”

“Yes, I did, James, but it should have been removed when the server team hardened the server. That’s a key procedure.”

James sighed. “Can you give it to me and let me try it?”

“Sure,” I said, “but if it’s still there, heads will roll on my team.” I gave him the account and password.

Fortunately for James, the account was still there.

“Your career was worth saving, James; you’ve proved your value many times over since then,” I continued, looking at my watch, which was still moving quickly toward 5 pm.

The time brought my thoughts back to the project at hand.

“Well, James, here’s what I need you to do in the next 30 minutes,” I said as I explained the details.

“Not a problem, Mack. It will take about 14 minutes.”

James didn’t wait for my reply, but hung up and got to work.

Read Behind Locked Doors: Part 3


Filed under Audit, Case Files, Security, Technology

6 responses to “Behind Locked Doors: Part 2”

  1. Kyle

    It sounds like a lot of circumvention of controls! Haha!


    • Kyle,
      What are you referring to? I had the appropriate approvals to direct James to provide the mailbox access to Leeda.

      If you’re referring to the original hack, I had the approvals for that. My security team erred in not removing the admin account or vetting it.

If you’re referring to my providing that admin account and password to James, remember he was the admin and already had full admin access before he screwed it up.

      So where is the circumvention? The only sleight of hand occurred in James using ANOTHER admin account to do his work. If that’s what you mean, then let’s debate that…


      • Kyle

        Mack,

I think you’re right there, it just didn’t feel right to me when I saw that a dummy account that should’ve been removed was used. Anyways, I’d reckon that anyone would’ve approved such usage as a workaround to fix the issue since all concerned already have the authorization.

        It just feels kind of awkward, aha.

        BTW, organizations can dig through employee’s emails just like that? Though I understand where it came from, it’s kind of distasteful…

        I don’t have any related experience on audits, just an individual that’s interested in such. Do correct me if I’m wrong! Love your stories!


        • Kyle,
          While I change and add details to these Case Files, the events really happened. Some of them happened a few years ago, so I have to fill in the dialog gaps. But the essentials are all true (like the admin account being used to save James’ rear end; it really happened that way).

          As for handing over email for review, absolutely it happens. Most companies have a privacy policy that states that anything entered or done over company systems are property of the company. If they don’t have such a policy, they can get sued if they access that data. That is one reason I never access my blog from company systems or any personal accounts.

          Also, I always get approvals. Note that as a security manager, I personally don’t have access to the email; James, the email admin, gives it to Internal Audit.

          Today, as an internal auditor, I have access to all the data and people at the company I’m contracting at. That is the basis of internal audit. Of course, I need a business need-to-know and I have to provide that with my request. It’s a big responsibility that I never take lightly.

Three months ago I finished an email system audit where I had access to 2 different people’s email (a copy was provided of a range of emails; I would not accept access to someone’s email box itself) as part of the audit.

          Another time I went through someone’s email based on hacking tools I found on their hard drive…see the Internal Attacker Detected case file series. It happens all the time, so beware.

          Also, some companies do analytics on employees to determine who might leave the company. I know for a fact that one of the companies I worked for includes all the URLs you visit at work in those analytics. They are looking for people who go to job hunt sites and their competitors. Beware, beware!

Back to using the admin account I created. You’re right, it was awkward and it felt that way. But it was the right thing to do. It benefited the company, James, and me. And those benefits continued for a long time. That email admin is still with the company.

          Appreciate your comments and feedback. Mack


  2. TT

    A mistake was saved by another mistake.
Should an internal auditor audit a system acquisition project at its every stage?


    • TT,
      Not sure what you mean. My team definitely erred in not removing the original admin account that I created. I don’t think audit should review each server that an acquisition brings to a company; they should review the process used to harden and verify the applications, functions, and files on a server, not each individual server.

The process for hardening and reviewing the email server was sound. One of my guys just skipped a step, which I consider a one-off error (an error that occurs once in a while, but isn’t due to a systemic failure).

      One could argue that someone should review a server after my team thinks they are finished with it, but that’s a whole different conversation.

      Please clarify your comment.

