Thursday, January 29, 2009
Good example of flawed process
I've just read about an Unix engineer from Fannie Mae being sued for trying to deploy a time-bomb script on their servers after being fired. The guy was able to access the servers after being fired, so it's a very good example of a flawed termination process. An interesting thing here is that he was a contractor, so what probably happened (and I'm just expeculating here, based on what I've seen before) was that they had a process for doing that for employees but not for contractors. Here is a strong evidence for that:"[...] access to Fannie Mae's computers for contractors' employees was controlled by the company's procurement department, which did not terminate Makwana’s computer access until late in the evening Oct. 24." (he was fired based on facts on Oct.11)People with access and privileges are people with access and privileges, no matter if employees or contractors. Always verify if you are not letting one of those groups out of your security procedures, from background checking to termination.