Here’s how the story goes: A talented system administrator, whom we’ll call J.C., joins a major pharmaceutical company. J.C. is told to leave after an internal dispute but is later brought back as a consultant. His good friend, who also works for the company and was instrumental in J.C.’s hiring, is fired. In an act of retaliation, J.C. uses his still-valid network credentials to shut down several of the company’s virtual machines, destroying the company’s infrastructure – all via a Wi-Fi connection at a local McDonald’s.
While it sounds like fiction, the events are all too real, as detailed in “How to Fire a Sys Admin: When IT Pros Go Rogue”, part of Spiceworks’ popular Spotlight on IT series. The author highlights the many “what not to do” lessons from this incident, such as do not re-hire an individual with a grudge. But he also shares important recommendations about IT security monitoring:
- It’s good to be paranoid: The author, a system administrator himself, believes that keeping a close eye on what’s happening within the network perimeter is even more critical than watching what’s happening outside it. “A little paranoia when applied to security is a good thing. Oftentimes the enemy isn’t outside, he’s on the inside – he’s someone we trust.”
- Get aggressive with Active Directory: It’s critical to ensure that disabled accounts and unused/“zombie” accounts are properly deleted. Plus, an organization should be actively tracking when accounts are created, changed or deleted, as such modifications can be a telling sign that something is amiss.
- Invest in a proven set of eyes: Keeping a close eye on infrastructure activities can be daunting when done manually. Therefore, the author recommends automating the process with a proven tool, such as Netwrix Change Reporter. That way, you’ll be on top of any unauthorized, unwanted or malicious changes that could negatively impact operations.
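As an added example (not from the article, Spiceworks or Netwrix), the PowerShell below implements the two Active Directory checks above on a domain controller: listing stale and disabled user accounts for review, and reading account creation, change, disable and deletion events from the Security log. The domain controller name and the 90-day inactivity window are assumptions.

```powershell
# Assumes the RSAT ActiveDirectory module, read access to the DC's Security log,
# and the "Audit User Account Management" subcategory enabled on the DC.
# $DomainController and $InactiveDays are placeholder assumptions, not from the article.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'   # placeholder
$InactiveDays     = 90

# 1. "Zombie" accounts: still enabled, but no logon within $InactiveDays days.
#    LastLogonDate comes from lastLogonTimestamp, which can lag up to 14 days.
function Get-StaleAccount {
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly -Server $DomainController |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# 2. Disabled accounts that were never removed. The article's advice is to delete
#    them; here they are only listed so a human reviews them before deletion.
function Get-DisabledAccount {
    Search-ADAccount -AccountDisabled -UsersOnly -Server $DomainController |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# 3. Account lifecycle events: who did what to which account, in the last N hours.
$AccountEvents = @{
    4720 = 'created'; 4722 = 'enabled'; 4725 = 'disabled'
    4726 = 'deleted'; 4738 = 'changed'; 4740 = 'locked out'
}
function Get-AccountChange {
    param([int]$Hours = 24)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = @($AccountEvents.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # TargetUserName is the account acted on; SubjectUserName is who did it.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Action = $AccountEvents[[int]$_.Id]
            Target = $d['TargetUserName']
            Actor  = $d['SubjectUserName']
        }
    }
}

Get-StaleAccount    | Format-Table -AutoSize
Get-DisabledAccount | Format-Table -AutoSize
Get-AccountChange -Hours 24 | Format-Table -AutoSize
```

Run it from a scheduled task and diff each day's output against the previous one; a new row in the change list naming an account that also appears in the disabled or stale lists (or an actor who should no longer have rights) is exactly the kind of signal the article is asking administrators to watch for.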
We’re big believers in keeping a close eye on IT activities, as are our customers. Knowing what’s happening within your IT infrastructure right now is key to maintaining business continuity, infrastructure reliability and the security your organization requires.