A recent incident highlights serious security oversights within a municipal network, where a former employee’s account remained active, granting unauthorized access to critical systems, including the city’s water utility.
Incident Overview
The situation came to light through an investigation led by Nicole Beckwith, a senior director for security engineering and operations at Cribl. Beckwith, who previously consulted on breaches, discovered that a threat actor exploited an account belonging to a former employee, referred to as “Greg from Auditing.” This account, which had not been disabled after Greg’s departure, retained extensive privileges, including domain admin rights and access to SCADA (Supervisory Control and Data Acquisition) systems.
Unauthorized Access and Potential Risks
The intruder initially engaged in minor disruptions, such as altering settings on conference room projectors. However, they later accessed the water utility controls and switched off critical settings, an action that could jeopardize the water supply. The implications of such actions are severe, as they could endanger public health and safety.
Account Management Failures
It remains unclear how long the account had been active post-employment and whether anyone from the auditing department required such elevated access. Beckwith noted that the account was likely compromised due to Greg’s use of his work email for various online services, which may have been exposed in previous data breaches. This situation underscores the importance of maintaining strict account management protocols.
Lessons Learned
Beckwith emphasized the necessity of conducting regular audits of user accounts to prevent similar incidents. She stated, “The lesson, beyond the obvious ‘please, for the love of all that is holy, audit your dormant accounts,’ is that every forgotten user is an easy ticket to being on the 5 o’clock news.” Regular access reviews should be mandatory, as many organizations fail to terminate access for former employees, leaving systems vulnerable.
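The kind of dormant-account audit described above can be sketched as follows. This is an added example, not code from the investigation or from Cribl; the CSV layouts, account names, group names and the 90-day threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data: a directory export and an HR roster (not from the incident).
ACCOUNTS_CSV = """sam,enabled,last_logon,groups
greg.audit,true,2024-05-30,Domain Admins;SCADA-Operators
amy.fin,true,2024-06-01,Finance
old.svc,true,2023-01-15,Backup Operators
tom.it,false,2023-11-02,Domain Admins
"""
HR_CSV = """sam,status,end_date
greg.audit,terminated,2023-09-01
amy.fin,active,
tom.it,terminated,2023-11-01
"""
PRIVILEGED = {"Domain Admins", "SCADA-Operators"}  # assumed group names
DORMANT_DAYS = 90  # assumed review threshold

def audit(accounts_csv, hr_csv, today):
    """Return (account, reasons, privileged_groups) for enabled accounts needing review."""
    hr = {r["sam"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for a in csv.DictReader(io.StringIO(accounts_csv)):
        if a["enabled"].lower() != "true":
            continue  # already disabled, cannot be used to log on
        reasons = []
        last_logon = date.fromisoformat(a["last_logon"])
        person = hr.get(a["sam"])
        if person is None:
            reasons.append("no HR owner")
        elif person["status"] == "terminated":
            reasons.append(f"owner left {person['end_date']}")
            if last_logon > date.fromisoformat(person["end_date"]):
                reasons.append("logon after departure")  # treat as a possible compromise
        idle = (today - last_logon).days
        if idle > DORMANT_DAYS:
            reasons.append(f"idle {idle} days")
        if reasons:
            priv = sorted(PRIVILEGED & set(a["groups"].split(";")))
            findings.append((a["sam"], reasons, priv))
    # Accounts holding privileged groups sort first so they are handled first.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

if __name__ == "__main__":
    for sam, reasons, priv in audit(ACCOUNTS_CSV, HR_CSV, date(2024, 6, 10)):
        print(sam, "|", "; ".join(reasons), "| privileged:", ", ".join(priv) or "none")
```

Checking enabled accounts against the HR roster catches a case a last-logon check alone would miss: an account that is still in active use after its owner has left.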
This incident serves as a critical reminder of the importance of robust cybersecurity practices, particularly in managing user accounts and access rights.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








