Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times

An anonymous reader writes: "An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing.
One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...

Re:Poor Governance

[rickb928]

Security based on access control alone is inadequate. It must be supported by auditing and reporting.

Then you can audit enabling and use of services and access, justification and documentation of users and their accesses, and confirmation of declined/terminated access.

Re:Poor Governance

[mindwhip]

He didn't access his own account. He set up a "fake" account for a 'fake' employee that didn't exist which could be done even using the HR link if he he had access to add records to that database. Or he could have set up additional access on some other employee (say a driver) who rarely used the wider computer systems and wouldn't notice the extra access.

But HR links like that don't really work in the real world anyway. It doesn't allow for most large corporate set-ups where mainframe needs to talk to linux box that needs to talk to an oracleDB that needs to be accessible by a java batch job that needs to write output to the windows domain server file system so a human can check it before uploading it to an SFTP gateway box for an external customer to collect.

You don't just have accounts that are pure user accounts. You need mechanisms and accounts to allow system to system communications and logins for moving data between automated systems and for a large company it would be easy for an admin with sufficient privileges to hide a back-door amongst all these inter-system communication accounts (or even just hijack one or two legitimate ones, having copied passwords and other keys).