In 2013 a disgruntled Citibank employee decided to get even. Lennon Ray Brown, 38, who worked for Citi during 2012 and 2013 in the Dallas area, decided to teach the bank a lesson.
On December 23, 2013, Brown sent a set of commands to 10 of the Citi global core routers. Those commands erased the running configurations in 9 of those routers. It is not clear what happened with the 10th core router.
The result of this was to take 90 percent of Citi’s network down two days before Christmas at 6PM. Right in the prime shopping and dinner hour.
At the time, he sent a text to a coworker that read:
“They was firing me, I just beat them to the punch. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team. Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
Clearly, this guy was not a happy employee. Equally clearly, he didn’t show any remorse and didn’t care if he got caught.
And, likely, at most companies, an unhappy IT guy could do this amount of damage or more.
Ricky Joe Mitchell, Security Architect at Home Depot at the time of the breach there pleaded guilty to sabotaging his former employer’s network and causing them a million dollars in damage. His former employer, EnerVest spent 30 days recovering from the sabotage.
In the grand scheme of things, the most likely cyber risk that any company has to deal with is the insider threat. Most of the time it is not as dramatic as shutting down a bank’s network or sabotaging a former employer, but little attacks hurt as well.
I do not mean to single out IT employees; it is just that they can make a pretty flashy entrance. It really does not matter what department the employee works in.
When the Chase banker took data on 76 million customers, HE had no plans to post that data on the Internet. But someone else did. On top of it, Chase was fined a million dollars for not having the right controls in place to stop him.
Lennon was sentenced to 21 months in prison and $77,000 in restitution, but I suspect that for Citi, two days before Christmas, that penalty, three years later, doesn’t mean much.
So, sometimes, working on the easy stuff is what we should do first. Monitoring. Dual controls. Alerting. Keeping an ear to the ground.
Nothing is perfect when it comes to security. We just want to continuously make things incrementally better.
Information for this post came from SC Magazine.