CENARTECH SECURITY CASE

Following his meeting with the vice president of human resources, Brian returned to his
department and turned his attention to important IT projects. At the top of his list, he was setting
up a virtual private network (VPN) to help Cenartech’s sales staff obtain remote access to
client information. The client information resided on databases maintained by the staff in the
firm’s business office, so the VPN terminated in Cenartech’s financial systems network. Brian
had to customize the restrictive firewall rules on this network to support the operation of the
VPN. With his focus on completing the VPN project on schedule, several weeks went by during
which Brian had no time to analyze log files. During this period, he also received no complaints
from employees about account lockouts.

Part of the complexity of the VPN project was that the laptops of most members of the sales staff
did not have an installed capability for remote management. An IT employee had developed a
scripted installation that could run from a CD, but when Brian had sent this to a couple of the
salespeople, they had complained that it failed to work. As a result, several of the installation
CDs that the IT staff had created lay unused on a stack on a table in the IT department. Brian had
to wait until each member of the sales staff came to the company’s headquarters in order to
physically access their laptops and install the VPN client.

As Brian began to deploy the VPN clients and send the salespeople back into the field with their
updated laptops, he also began to monitor security logs again. He was surprised to find a greater
number of incoming VPN connection attempts than he had expected. When he followed up some
of the originating IP addresses, he also found that a number of the connections originated from a
local cable Internet Service Provider (ISP). He had expected most of the connections from more
distant locales, because the salespeople provisioned with the VPN client were all from other
regions of the country. Brian ran more log analyses and found that, after a brief lull two weeks
earlier, the failed log-in attempts had begun again. Further, he found that while some of the
attempted log-ins had again occurred from the engineering cluster around lunchtime, other failed
attempts had occurred during the VPN authentication process, mostly after hours, and mostly
from IP addresses originating with the local ISP.

Given the recurrence of the original problem, plus the new issues that had arisen with the VPN,
Brian requested another meeting with Jim and reported the problems he had seen. This time, Jim
got very serious and said, “I’ll go back down there to engineering and read them the riot act.
We’ll definitely get this issue cleaned up. You can leave it to me.” Brian felt reassured that Jim
was taking the issue more seriously now, and he returned to his projects.

A month went by without incident, but one morning around 7:00 AM, Brian received a frantic
call from an accountant whose habit was to arrive at work early. The accountant reported that
although she could log in to the network, none of her applications would work. Brian rushed into
work and found utter chaos. Several database tables had become corrupted, a large number of
files had been deleted, and application configurations had been tampered with. Looking at the
date stamps on some of the corrupted files, Brian concluded that much of the damage had
occurred late the previous evening. He quickly restored a number of files from backups in order
to get key users back up and running. Then he organized his IT staff to get to work on restoring
everyone else who had been affected. Fortunately, Brian’s attention to standardizing backup
procedures and related disaster recovery capabilities meant that his staff had the knowledge and
resources to restore almost everything that had been lost and to accomplish this restoration
relatively quickly.

The whole process of repairing the damage took about a week, and during this time, Brian
collected as much forensic data as he could. Several important findings emerged. First, he found
that user accounts existed on some of the financial systems for employees who no longer worked
with the firm. Further, these accounts had extensive histories of recent activity from workstations
all over the business office. When Brian chatted “off the record” with some of the individuals
who worked in the business office (recall that the official policy was that Brian was supposed to
address such matters through HR first), he found that many of the employees shared the use of
archaic, still-active accounts. When previous employees had left the firm’s business office
several years ago, they had given their username and password information to their colleagues
for the sake of convenience, so that the employees who remained could access the departing
person’s files and applications. Previously, no one had disabled the user accounts of these
departed employees. Now, however, Brian backed up all of the files that remained in these
archaic accounts and then he disabled them. Next, Brian traced the damage to a connection that
had occurred through the VPN. The originating IP address showed that the connection was not
from a local ISP, nor was it from an ISP in a locale where any of the company’s salespeople
lived. To disrupt the operations in the business office, the attacker had logged in with one of the
“shared” accounts of a departed employee, as mentioned above. Additional
analysis of the log files showed that the attacker had used the same archaic account through the
VPN in the same timeframe to try to gain access to engineering systems, but the firewalls
between the different networks had prevented the attacker from connecting. Relatedly, three weeks
earlier the same archaic account had been accessed at lunchtime from within the engineering
cluster.
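As an added illustration, not part of the original case text: a small Python script that applies the three patterns Brian eventually uncovered (any activity on accounts of departed employees, successful VPN logins from a source network other than the one expected for that user, and repeated after-hours VPN authentication failures from a single source) to a constructed log excerpt and HR roster. The log format, roster, account names and addresses are assumptions made for the example.

```python
"""Correlate authentication events against an HR leaver list (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: date time channel user result source-ip source-network
AUTH_LOG = """\
2003-05-12 22:41:07 vpn jsmith FAIL 203.0.113.14 local-cable-isp
2003-05-12 22:41:39 vpn jsmith FAIL 203.0.113.14 local-cable-isp
2003-05-12 22:42:10 vpn rlee OK 203.0.113.14 local-cable-isp
2003-05-13 12:07:55 lan rlee FAIL 10.20.5.17 engineering
2003-06-09 23:15:02 vpn rlee OK 198.51.100.77 out-of-region
2003-05-14 09:02:11 vpn mkhan OK 192.0.2.9 sales-region-west
"""
# Constructed HR roster: accounts that should have been disabled on the departure date
DEPARTED = {"rlee": "2001-03-30"}
# Constructed expectation of where each provisioned remote user normally connects from
EXPECTED_NET = {"mkhan": "sales-region-west", "jsmith": "sales-region-east"}

def parse(log):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        d, t, chan, user, result, ip, net = line.split()
        events.append({"ts": datetime.fromisoformat(f"{d} {t}"), "chan": chan,
                       "user": user, "ok": result == "OK", "ip": ip, "net": net})
    return events

def findings(events, departed=DEPARTED, expected=EXPECTED_NET):
    """Return (alert_type, user, first_timestamp) tuples worth an analyst's review."""
    out = []
    after_hours_fails = defaultdict(list)
    for e in events:
        if e["user"] in departed:  # a leaver's account should never show activity
            out.append(("departed-account-use", e["user"], e["ts"]))
        if (e["ok"] and e["chan"] == "vpn" and e["user"] in expected
                and e["net"] != expected[e["user"]]):
            out.append(("unexpected-source-network", e["user"], e["ts"]))
        if not e["ok"] and e["chan"] == "vpn" and not 8 <= e["ts"].hour < 18:
            after_hours_fails[(e["user"], e["ip"])].append(e["ts"])
    for (user, ip), stamps in after_hours_fails.items():
        if len(stamps) >= 2:  # repeated after-hours VPN failures from one source
            out.append(("after-hours-vpn-failures", user, stamps[0]))
    return sorted(out, key=lambda a: a[2])

if __name__ == "__main__":
    for alert in findings(parse(AUTH_LOG)):
        print(alert)
```

Running the leaver-list cross-check on a schedule, rather than only during incident forensics, is what would have exposed the archaic shared accounts before the VPN ever existed.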

In the aftermath of the attack, Brian met with every member of Cenartech’s senior management,
and he realized that his job was on the line. He explained everything that he had ascertained
about the attacks, and he tried not to sound defensive when describing his existing security
measures and what he knew about how they had been circumvented. Brian realized that, with
their limited understanding of the technology involved, most of the senior managers seemed to
lay blame for the attack on Brian’s deployment of the VPN. When Brian met with Jim, and they
reviewed the situation together, Jim resolved to interview personally each member of the
accounting department and the engineering department to see if anyone had further information
that would shed light on the attack.

Discussion Questions
1. Give an analysis of the attack. Given what the case describes, what can you determine
about the attacker, his or her motives, and/or the way that the attack was conducted?
2. The goal of the VPN project was to provide remote access to important information for
members of the sales staff. Taking into account your analysis of the attack, did the VPN
project represent excessive risk for Cenartech?
3. Imagine that you served as a consultant engaged to analyze this case. What would you
recommend to the managers at Cenartech for next steps? In other words, how can
Cenartech avoid attacks like this one in the future?
4. Taking the previous question into account, what, if any, specific organizational changes
would you recommend for:
a. New technology?
b. Personnel or staff changes?
c. Policy or procedural changes?
d. Other changes?
