Want to Steal $11 million? Use Orphan Accounts.
I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle. Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices. The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management Provisioning market a few years later.
In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.
Again, our lives have converged because of common professional focus on Identity Management and Information Security.
In a recent blog post, Alan pointed out a recent Colorado legal case:
“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”
A report from TheDenverChannel.com further elaborated:
Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.
How did she do it? Rather than de-provisioning access for a few employees who had reported to her, she allowed the orphan accounts to hang around. Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.
Interestingly enough, preventative Separation of Duties (SOD) controls were in place: three independent approvals were required for each payment. But with the orphan accounts of two former subordinates within her grasp, Ms. Cawthra could supply all three approvals herself and so circumvent those controls. Preventative controls alone were not enough; a detective control that flagged the illicit use of those accounts before the scheme grew to $11 million was also needed.
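To make the two points above concrete (orphan accounts left active after their owners departed, and a three-approver SOD control satisfied by one person), here is an added example of the kind of detective check that would have surfaced the scheme. It is not code from the original post, from Veriphyr, or from the Colorado case; the HR roster, account names, addresses and approval log lines are all constructed sample data. It joins an HR termination list against an approval log and flags (1) every approval made with an account whose owner had already left, and (2) every payment whose “independent” approvals came from too few people still employed at the time, or all from one workstation address.

```python
"""Detective control for orphan-account abuse of a multi-approver workflow.

Added example with constructed data: an HR roster (who has left, and when)
is joined against an approval log to flag
  (1) approvals made with accounts whose owner had already departed, and
  (2) payments whose required approvals are not independent, because they
      came from too few currently employed people or from a single address.
"""
from datetime import date, datetime

# Constructed HR roster: account -> termination date (None = still employed).
HR_ROSTER = {
    "supervisor": None,
    "alice": date(2006, 3, 15),   # left, but her account was never disabled
    "bob": date(2006, 5, 1),      # same
    "carol": None,
}

# Constructed approval log: one 'timestamp key=value ...' line per approval.
APPROVAL_LOG = """\
2006-02-10T08:30:00 payment=P-0990 approver=alice ip=10.1.6.3
2006-02-10T09:00:00 payment=P-0990 approver=carol ip=10.1.7.9
2006-02-10T09:30:00 payment=P-0990 approver=supervisor ip=10.1.4.22
2006-06-02T10:01:13 payment=P-1001 approver=supervisor ip=10.1.4.22
2006-06-02T10:02:40 payment=P-1001 approver=alice ip=10.1.4.22
2006-06-02T10:03:05 payment=P-1001 approver=bob ip=10.1.4.22
2006-06-03T09:15:00 payment=P-1002 approver=supervisor ip=10.1.4.22
2006-06-03T11:40:12 payment=P-1002 approver=carol ip=10.1.7.9
2006-06-03T14:02:51 payment=P-1002 approver=bob ip=10.1.5.31
"""

REQUIRED_APPROVALS = 3  # the assumed SOD rule: three independent approvers


def parse_log(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        entry = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            entry[key] = value
        entries.append(entry)
    return entries


def is_orphan_use(entry, roster):
    """True when the approving account's owner had left on or before the approval."""
    left = roster.get(entry["approver"])
    return left is not None and entry["ts"].date() >= left


def orphan_approvals(entries, roster):
    """Finding (1): every approval performed with an orphan account."""
    return [e for e in entries if is_orphan_use(e, roster)]


def sod_findings(entries, roster, required=REQUIRED_APPROVALS):
    """Finding (2): {payment: [reasons]} for payments whose approvals are not independent."""
    by_payment = {}
    for e in entries:
        by_payment.setdefault(e["payment"], []).append(e)

    findings = {}
    for payment, approvals in by_payment.items():
        reasons = []
        # Count only approvers who were actually employed when they "approved".
        live = {e["approver"] for e in approvals if not is_orphan_use(e, roster)}
        if len(live) < required:
            reasons.append(
                f"only {len(live)} of {required} approvers were employed at the time"
            )
        # Three approvals from one workstation address are not three people.
        ips = {e["ip"] for e in approvals}
        if len(approvals) > 1 and len(ips) == 1:
            reasons.append(f"all approvals came from one address {next(iter(ips))}")
        if reasons:
            findings[payment] = reasons
    return findings


if __name__ == "__main__":
    log = parse_log(APPROVAL_LOG)
    for e in orphan_approvals(log, HR_ROSTER):
        print(f"orphan account used: {e['approver']} approved {e['payment']} at {e['ts']}")
    for payment, reasons in sod_findings(log, HR_ROSTER).items():
        print(f"{payment}: " + "; ".join(reasons))
```

Run stand-alone, the script reports P-1001 twice (only one live approver, and all three approvals from 10.1.4.22) and P-1002 once (only two live approvers), while P-0990, approved before anyone had left, is clean. The check depends on two feeds most organizations already have, an HR termination list and the application’s approval log; the point is that the join between them is what turns a preventative SOD rule into something that can actually detect its own circumvention.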
So if you want to steal $11 million, perhaps you can leverage orphan accounts. However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.