An insurance company in Europe had hired a consulting firm to do network and system administration for their Internet perimeter devices. This included tuning, patching, and general maintenance of routers, firewalls, proxies, e-mail servers, and web servers.

While the consulting company managed the devices, the insurance company monitored them internally with their ESM, and the ESM alerted the company to what seemed to be suspicious account activity. Somebody was logging in back and forth between their e-mail server and their web server. Since there was no reason for these devices to directly communicate, and especially no reason that somebody logged into one would need to access the other, this was cause for alarm.

After receiving the page from the ESM, the insurance company's first thought was that somebody had compromised one of the servers and was using that server to compromise other servers on their network. Upon investigating these events further, their ESM displayed the user account being used. A quick comparison of the user ID with the user IDs that were held by their outsourcer confirmed that the consulting firm was in fact not doing this. Based on their service level agreement, only a select group of individuals were allowed access to manage their devices, so the insurance company determined that this was an attack.

When they called the consulting company, they found a tangled web. The insurance company had outsourced their device management to the consulting company, but the consulting company had outsourced the service to another company without telling the insurance company. So engineers the insurance company hadn't approved were running performance checks on the servers—hence the unusual activity and the ESM alert.

The excuse given by the consulting company was that all their engineers who understood the insurance company's server architecture were on vacation, so they needed backup for a few weeks. They had added new administrative accounts and handed the server's administration tasks over. While no one was doing anything malicious, the consulting firm had breached their contract with the insurance company by not informing them of the change.
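As an added illustration (not from the book), the two checks that drove this case, a login arriving from another managed perimeter host and an account absent from the SLA's approved list, run over constructed sshd log lines; the host names, addresses and account names are assumptions:

```python
import re
from dataclasses import dataclass

# Constructed sample sshd log lines (not from the original page).
SAMPLE_LOGS = """\
Jul 27 01:40:02 mail01 sshd[2211]: Accepted publickey for cons-alice from 203.0.113.5 port 51022 ssh2
Jul 27 01:41:17 web01 sshd[3188]: Accepted password for ops-temp7 from 10.0.5.10 port 40211 ssh2
Jul 27 01:42:30 mail01 sshd[2240]: Accepted password for ops-temp7 from 10.0.5.20 port 40377 ssh2
Jul 27 01:43:05 web01 sshd[3201]: Accepted publickey for cons-bob from 203.0.113.5 port 51040 ssh2
Jul 27 01:44:11 web01 sshd[3215]: Failed password for ops-temp7 from 10.0.5.10 port 40220 ssh2
"""

# Assumed inventory: the managed perimeter hosts (which should never log into
# each other) and the admin accounts the service level agreement approves.
PERIMETER_HOSTS = {"mail01": "10.0.5.10", "web01": "10.0.5.20"}
APPROVED_ADMINS = {"cons-alice", "cons-bob"}

# Matches only successful logins; failures are not correlated here.
LOGIN_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ "
    r"for (?P<user>\S+) from (?P<src>[\d.]+) "
)

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    src: str
    reasons: tuple

def analyze(log_text, perimeter_hosts=PERIMETER_HOSTS, approved=APPROVED_ADMINS):
    """Return one Finding per successful login that breaks either policy."""
    ip_to_host = {ip: h for h, ip in perimeter_hosts.items()}
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        host, user, src = m.group("host", "user", "src")
        reasons = []
        peer = ip_to_host.get(src)
        if peer and peer != host:           # perimeter host -> perimeter host
            reasons.append(f"lateral login from managed host {peer}")
        if user not in approved:            # account unknown to the SLA
            reasons.append("account not in approved outsourcer list")
        if reasons:
            findings.append(Finding(host, user, src, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host}: {f.user} from {f.src}: {'; '.join(f.reasons)}")
```

Either reason alone is worth an alert; here both fire on the same account, which is what made the ESM page in the story credible enough to escalate.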
Insiders Abridged • Chapter 12 167