Apparently disappointed with his bonus, UBS Paine Webber IT admin Roger Duronio wrote 50 lines of code and rolled it out to thousands of systems using the same standard Unix admin tools used to deliver legitimate files to systems on the UBS/PW network.
Then he quit.
But his logic bomb didn’t. It faithfully counted down the weeks, giving Duronio time to place $20k in orders to short UBS/PW stock.
Then on March 4 at 9:30am, the exact moment trading begins, it detonated. The payload was reportedly “rm -rf /”, which means “delete EVERYTHING”.
It was pure pandemonium. UBS/PW was “bombed back to the Stone Age”, resorting to pen and paper to do trades. I think they spent $3 million in IBM consulting fees alone to get systems restored from backup. Who knows what the total costs were.
This is just one example. In a Windows/AD-centric environment, it’s arguably easier for a disgruntled privileged user to wreak havoc. Everything relies on Active Directory. If Active Directory is down, your entire network is down, even if there’s nothing wrong with all those servers and applications.
In this real training for free event, we’ll provide several examples of how AD can be maliciously taken down and with it the rest of your network.
Then we’ll discuss preventive controls that reduce the risk from disgruntled privileged users in the first place.
But there’s no way to eliminate 100% of the risk. So how do you prepare?
First, you need an audit trail. This isn’t about assigning blame, although accountability is a powerful deterrent. You need the audit trail to understand what happened. When the phones light up and nothing is working, you don’t know what’s happening or the scope of the problem, much less that a disgruntled insider has just acted out. For all you know, you’ve been hit by weaponized malware or are experiencing some kind of outage.
And of course, a privileged user doesn’t need to be disgruntled in order to take down AD – it happens accidentally as well.
So the audit trail is crucial to quickly determining what happened and how extensive the damage is. But do your audit tools still work if AD is down?
Once you know what happened, how do you repair the damage? You’ve probably heard nightmare tales of trying to rebuild AD over the weekend. AD is recoverable but it’s not as simple as restoring some files that got deleted. And it’s not easy to test or simulate. And the right AD recovery procedure depends on the disaster scenario.
So we will review AD recovery methods and provide tips on being ready to put them into operation.
Quest is sponsoring this real training for free session, and Brian Hymer will briefly show you technology that provides that crucial audit trail as well as a recovery solution that can rebuild your entire AD forest with a single click.