when disabling terminated accounts is not enough

Last year Gucci had some drama in their networks as a former employee wrecked some havoc in their systems after being terminated. This brief from the New York DA’s office goes over the quick details.

What I find interesting is that Yin had enough rights to make himself a fake employee account before the fact, and then used that fake account to remotely connect to the network and do his thing. Being able to track and stop that sort of thing is definitely a step up from the obvious recommendation to disable/audit terminated employee accounts.

You need to track changes and map those changes to valid requests.
You need to regularly audit accounts to make sure they’re needed and legit. (ask boss?)
You need to audit VPN access to make sure they’re allowed.
You need to catch any weird VPN setups, like a regular user mapped to servers or a service account appearing in the list.
You need to audit any users who aren’t locked into certain targets for VPN access (i.e. their existing desktop or a virtual system).
You need to educate help desk persons on SE and procedures/challengebacks.
You need to monitor and audit VPN logs on access/activity.
You need to regularly change service account passwords (those can be usurped too!).
You need to regularly audit any account with elevated privs (domain admins!)

As a privileged person, myself, sitting back and wondering at all the ways I can sneak in a fake account to pose as a fake person in the absence of my normal access is quite intriguing. Definitely don’t forget that I have the ability to create service-type accounts in addition to regular users, or have access to service-level passwords!