Years ago when he worked for an ad agency, Troy Davis hired a young sys admin because he was reputed to have "mad Linux skillz." But Davis had to let the admin go after six weeks because he had accomplished nothing.
"A few days later a client called me to tell me his website was down," says Davis, who's now CTO at CoupSmart, a company that lets small to medium-sized businesses create coupon campaigns and distribute them via Facebook. "I logged into their server, and sure enough, every file related to the website had been deleted entirely."
A search of server logs turned up the few history files the attacker had neglected to delete, which recorded his IP address, log-in times, and complete shell history. When Davis contacted the service provider that owned the IP address, it confirmed the recently discharged admin was the guilty party.
"The local sheriff paid him a visit and let him know how close he was to serving time in prison, had I decided to press charges," says Davis. "We ultimately lost the affected client over the site deletion incident because they simply didn't trust us any more."
Schwartau says he was consulting with a financial services firm about six years ago that fired one of its database administrators after it discovered the DBA was using company computers to hack into systems at his previous employer. The problem? The DBA was the only person who knew the firm's administrative passwords, and he refused to turn them over until his bosses promised to write him a good recommendation. The firm agreed.
"They could have involved the police, but they didn't want the publicity," he says. "They wanted it kept quiet so as not to encourage others to do the same."
Stephens says he once worked for a major U.S. telco that fired a network engineer for violating its HR policies.
"The engineer got wind of what was about to happen, so before he was escorted out he changed all the passwords to our core routers and wouldn't give them up," he says. "It was ugly. It took us quite a while to reset everything and make sure he was actually locked out."
But the champion avenger may be Roger Duronio, a former sys admin for UBS Paine Webber. Unhappy with the bonus he received, Duronio planted a logic bomb on 1,000 of the brokerage house's computers in March 2002, designed to take them offline. He then shorted the company's stock in the hope that negative publicity following the Paine Webber outage would drive its share prices down, putting money in his pocket.
It didn't work, says Keith J. Jones, a senior partner with computer forensics firm Jones Dykstra & Associates, and an expert witness in the case that resulted in Duronio's conviction. The avenger was sentenced to eight years without parole in December 2006.
"If you have a disgruntled employee in a company with wide access, such as the type Mr. Duronio had, it is a high-risk combination for the company," says Jones. "IT personnel may generally work behind the scenes and out of sight, but you have to remember the power they can hold over your company if they decide to go rogue."
Anti-rogue defense: According to studies by Carnegie Mellon, most insider damage happens 10 days before an employee's last day. Be sure to lock down key systems and have audit and password recovery systems in place before wielding the ax, says Ammon.
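The lockdown Ammon recommends is a checklist, and one way to make it repeatable is to run it as code before the termination meeting. The following is an added example, not code from the InfoWorld article or from any of the companies it quotes. It takes a departing admin's username, group memberships and known SSH key material and scans a snapshot of host configuration for the footholds the anecdotes above describe: lingering SSH keys, a still-enabled or second UID 0 account, sudo grants, and cron persistence. The `Departing` record, the `SNAPSHOT` dict and every file line inside it are constructed sample data, and all function and field names are this example's own.

```python
"""Pre-termination access audit for a departing admin (added example).

Runs a lockdown checklist over a constructed snapshot of the places a rogue
admin typically keeps a foothold and reports what must be revoked. The file
contents below are constructed sample data, not taken from any real host.
"""
from dataclasses import dataclass, field

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Departing:
    username: str
    groups: set = field(default_factory=set)     # groups the admin belongs to
    key_blobs: set = field(default_factory=set)  # base64 key material known to be theirs


@dataclass(frozen=True)
class Finding:
    source: str   # which file the hit came from
    line: str     # the offending line, verbatim
    reason: str   # why it must be revoked or reviewed


def audit_authorized_keys(content, who, source="authorized_keys"):
    """Flag keys that are provably the admin's (blob match) or merely labelled as theirs (comment)."""
    out = []
    for line in content.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        # An options prefix ('from="..." ssh-ed25519 ...') shifts the fields: locate the key-type token.
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        blob, comment = parts[idx + 1], " ".join(parts[idx + 2:])
        if blob in who.key_blobs:
            out.append(Finding(source, line, "key material belongs to departing admin: remove"))
        elif who.username in comment:  # comments are free text, so this is only a lead
            out.append(Finding(source, line, "comment names departing admin: verify owner"))
    return out


def audit_passwd(content, who):
    """Flag a still-enabled account and any non-root UID 0 account (a classic backdoor)."""
    out = []
    for line in content.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        name, uid, shell = f[0], f[2], f[6]
        if name == who.username and shell not in NOLOGIN_SHELLS:
            out.append(Finding("/etc/passwd", line, "account still has a login shell: lock it"))
        if uid == "0" and name != "root":
            out.append(Finding("/etc/passwd", line, "second UID 0 account: possible backdoor"))
    return out


def audit_sudoers(content, who):
    """Flag grants to the admin directly or via any group they belong to."""
    out = []
    for line in content.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("Defaults"):
            continue
        principal = s.split()[0]
        if principal == who.username:
            out.append(Finding("/etc/sudoers", line, "direct sudo grant: remove"))
        elif principal.startswith("%") and principal[1:] in who.groups:
            out.append(Finding("/etc/sudoers", line, f"sudo via group {principal[1:]}: remove membership"))
    return out


def audit_cron_d(content, who):
    """/etc/cron.d format (min hour dom mon dow user command, or @reboot user command)."""
    out = []
    for line in content.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split(None, 2) if s.startswith("@") else s.split(None, 6)
        if len(parts) < (3 if s.startswith("@") else 7):
            continue
        user, command = parts[-2], parts[-1]
        if user == who.username:
            out.append(Finding("/etc/cron.d", line, "scheduled job runs as departing admin: remove"))
        elif f"/home/{who.username}/" in command:
            out.append(Finding("/etc/cron.d", line, "job executes from admin's home dir: inspect payload"))
    return out


def run_audit(who, snapshot):
    """snapshot maps a logical file name to its contents; returns findings in a stable order."""
    return (audit_authorized_keys(snapshot.get("authorized_keys", ""), who)
            + audit_passwd(snapshot.get("passwd", ""), who)
            + audit_sudoers(snapshot.get("sudoers", ""), who)
            + audit_cron_d(snapshot.get("cron.d", ""), who))


# Constructed snapshot of one host; key blobs are placeholders, not real public keys.
SNAPSHOT = {
    "authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOncall0000000000000000000000000000000000 ops-oncall\n"
        'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdoe00000000000000000000000000000000 jdoe@laptop\n'
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbackup00000000000000000000000000000000 backup-jdoe\n"
    ),
    "passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "jdoe:x:1001:1001:J. Doe:/home/jdoe:/bin/bash\n"
        "sysaudit:x:0:0::/var/tmp/.s:/bin/bash\n"
        "alice:x:1002:1002::/home/alice:/bin/bash\n"
    ),
    "sudoers": "Defaults env_reset\nroot ALL=(ALL:ALL) ALL\njdoe ALL=(ALL) NOPASSWD: ALL\n%netops ALL=(ALL) ALL\n",
    "cron.d": (
        "# m h dom mon dow user command\n"
        "0 3 * * * root /usr/local/sbin/backup.sh\n"
        "*/5 * * * * jdoe /home/jdoe/.cache/sync.sh\n"
        "@reboot root /home/jdoe/.local/keepalive.sh\n"
    ),
}

DEPARTING = Departing(username="jdoe", groups={"netops", "staff"},
                      key_blobs={"AAAAC3NzaC1lZDI1NTE5AAAAIJdoe00000000000000000000000000000000"})

if __name__ == "__main__":
    for f in run_audit(DEPARTING, SNAPSHOT):
        print(f"[{f.source}] {f.reason}\n    {f.line}")
```

Feed it the files from a config backup or your configuration-management store rather than the live host, so the audit works even if the admin has already altered what the host reports, and treat only the key-blob match as authoritative: a key comment is free text and proves nothing. Run the same scan on every host the admin could reach, not just the ones they were assigned.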
A better strategy may be to keep employees from becoming disgruntled in the first place, says Peter Hart, CEO of Rideau Recognition Solutions, which helps organizations implement rewards programs. Peer-to-peer recognition systems work particularly well for IT personnel, where even a virtual atta-boy (or girl) from a colleague can make a huge difference, he adds.
"All companies, good and bad, experience rogue behavior," he says. "But you can really mitigate it with a good rewards system."
This story, "IT admins gone wild: 5 rogues to watch out for" was originally published by InfoWorld.