Who Controls The Cloud?
This story is fictitious, but probably something very similar has happened way too many times to someone.
The CEO/CIO of the company tries to log in to one of the cloud services that the company uses and it says that the password is incorrect. He or she calls customer service and explains the situation. I was able to log in two days ago, the CEO says.
The rep says that Mr. Disgruntled, the person listed as the primary contact, logged in two days ago and changed the master password.
The CEO says that Mr. Disgruntled was fired six months ago. I own the company. Make me the primary contact and remove Mr. Disgruntled.
The rep says he can’t do that unless Mr. Disgruntled approves it. In fact, since you are not the authorized owner, I can’t really say anything else to you, but have a nice weekend.
What the rep might have said but never would say is: try not to worry about Mr. Disgruntled destroying your data, contacting your customers and stealing your proprietary data.
But that is the reality of it and we do see cases of this across the country. Maybe Mr. Disgruntled told customers that he is still associated with the company, accepting orders and promising deliveries. However, he is not associated with the company and the orders did not arrive. And, not surprisingly, customers are not happy.
We have also seen cases of Mr. Disgruntled destroying data and costing companies tens to hundreds of thousands of dollars to recover.
You say that you are good because you have backups. Maybe so, but does Mr. Disgruntled control those backups? Could they be deleted?
The FBI and DHS issued an alert this week saying that there has been an increase in disgruntled ex-employees exploiting networks and disrupting them.
The article says that the Computer Fraud and Abuse Act protects employers in this case. In concept that is true. Employers can sue their former employees. Maybe in a few years it will come to court. Let’s say you win – how exactly are you going to recover that money from someone who likely is “judgement proof”? In theory criminal charges could be filed, but that still won’t get your networks working again and those cases take a long time as well.
All that assumes that you can prove that Mr. Disgruntled did what you think he did. Juries are unpredictable.
The FBI says they have seen costs as high as $5,000,000 to recover.
So what is a person to do?
First, work with your cloud service providers to make sure that you can’t be locked out of your own accounts. That is often harder than you think because the cloud provider will say that if you make Mr. Disgruntled an administrator, he can remove you from the account. As I say, it may be hard, but it likely is possible. Remember that you have to do this for every critical account. And every important account. Any account you DON’T do this with is an account that you could possibly get locked out of. Make sure that is an outcome that you can live with. Remember that Mr. Disgruntled might not be who you think it is.
Next, manage passwords and permissions. That means tracking accounts and permissions for every service that you use. That list has to be kept current. Making sure that Mr. Disgruntled is not in charge of recording Mr. Disgruntled’s permissions is also difficult – but important.
When Mr. Disgruntled leaves, make sure that you disable his accounts but also change passwords on other accounts. The challenge is knowing EVERY password that Mr. Disgruntled might know. Two factor authentication might make this easier, but it is not a silver bullet.
Make sure that any vendors who Mr. Disgruntled might have a relationship with know that he has been terminated.
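One way to turn the steps above into a repeatable offboarding check, as an added example that is not part of the original post: a small Python script run over a constructed account inventory (service names, people and credential names are all hypothetical). It flags every service where the leaver is the only owner (the lockout scenario in the story), services left with a single owner, access to remove, and credentials the leaver knew that must be rotated.

```python
from dataclasses import dataclass, field


@dataclass
class CloudAccount:
    service: str
    owners: list                                  # can change the primary contact / master password
    admins: list = field(default_factory=list)    # day-to-day administrative access
    secrets: dict = field(default_factory=dict)   # credential name -> people who know it


# Constructed sample inventory; every name and service here is hypothetical.
INVENTORY = [
    CloudAccount("crm", owners=["mr.disgruntled"], admins=["mr.disgruntled", "alice"],
                 secrets={"crm-api-key": ["mr.disgruntled", "alice"]}),
    CloudAccount("backup-vault", owners=["mr.disgruntled", "ceo"], admins=["mr.disgruntled"],
                 secrets={"vault-master-password": ["mr.disgruntled"]}),
    CloudAccount("payroll", owners=["ceo", "cfo"], admins=["cfo"],
                 secrets={"payroll-login": ["cfo"]}),
]


def offboarding_report(inventory, leaver):
    """Return the actions needed when `leaver` departs, keyed by action type."""
    report = {"lockout_risk": [], "add_second_owner": [], "remove_access": [], "rotate": []}
    for acct in inventory:
        remaining_owners = [o for o in acct.owners if o != leaver]
        if leaver in acct.owners and not remaining_owners:
            # Nobody left who can change the primary contact: the provider will
            # only talk to the leaver. Fix this BEFORE he leaves, not after.
            report["lockout_risk"].append(acct.service)
        if len(remaining_owners) < 2:
            # A single remaining owner is still one resignation away from lockout.
            report["add_second_owner"].append(acct.service)
        if leaver in acct.owners or leaver in acct.admins:
            # Disable the account; this list is also the vendors to notify.
            report["remove_access"].append(acct.service)
        for name, holders in acct.secrets.items():
            if leaver in holders:
                # Every credential the leaver knew has to change, shared or not.
                report["rotate"].append(f"{acct.service}:{name}")
    return report


if __name__ == "__main__":
    for action, services in offboarding_report(INVENTORY, "mr.disgruntled").items():
        print(f"{action}: {services}")
```

The same report run before anyone has left (for each current owner in turn) shows which services would be lost if that person walked out today.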
The article has even more suggestions, but this is not a simple problem.
Remember, too, that Mr. Disgruntled might not show up on your radar screen until he wipes out your accounting data.
You can deal with this now or deal with it later – your choice.
Information for this post came from JDSupra.
Another excellent piece from the best cybersecurity blog writer in the country! Thank you Mr. Tanenbaum!