I talk a lot about the insider threat problem because it is prevalent and hard to stop.
Cisco learned about that the hard way.
Sudhish Kasaba Ramesh resigned from Cisco in April 2018. OK, good, time to move on.
FIVE MONTHS LATER, he accessed Cisco’s infrastructure at Amazon and deployed code that shut down 16,000 Webex accounts and deleted 456 virtual machines. He did this via Google’s cloud infrastructure.
Cisco spent over $2,000,000 in customer refunds and labor to fix the problem. While $2 million is a lot to you and me, it is merely embarrassing to Cisco.
Some customers were down for several weeks as a result of the attack.
Sudhish pleaded guilty and was released on bond. He is scheduled to be sentenced in December. He faces a maximum of 5 years in the slammer and a $250,000 fine. Since he is here on one of those visas that companies like Cisco use to give American jobs to foreigners to save money, he could also be deported (in case you wondered where I stand on those visa programs, that should be clear 🙂 ).
In this case, the former employee could have likely done a lot more damage than he did. He was, for whatever reason, upset with Cisco and decided to take it out on them. What if, instead deleting 456 virtual machines, he deleted 10,000 VMs or 50,000 VMs. Or instead of deleting 16,000 accounts he deleted 16,000,000 accounts. He was merely toying with Cisco.
On the other hand, how come he was able to login at all?
And why did it take Cisco two weeks to recover? What happened to their disaster recovery solution?
This does point out that it is hard to secure your infrastructure when an I.T. person leaves if you have not designed your security to take that into consideration.
I am sure (I hope) that Cisco has improved both their security and their disaster recovery since then.
But could could a disgruntled ex-employee do this to you? I am sure Cisco didn’t think so. Credit: Bleeping Computer