NCS Insider Prison Sentence Highlights Enterprise Risk Flaws – Source: www.databreachtoday.com

Geo Focus: Asia
,
Geo-Specific
,
Governance & Risk Management

Enterprise Monitoring Systems Failed to Detect Ex-Worker’s Unauthorized Logins

Jayant Chakravarti (@JayJay_Tech) •
June 14, 2024    

A Singapore court sentenced a former employee of Singapore-based NCS Group to two years and eight months in prison for accessing the company’s software test environment and wiping 180 virtual servers months after his employment ended.

See Also: Strengthening Defenses with ISO/IEC 27001 Standards: The Frontier of Canadian Cybersecurity

Kandula Nagaraju, an Indian national, joined the Singtel-owned IT services company as a hybrid cloud consultant in November 2021 but returned to India 12 months later, after NCS terminated his services.

After his return, Nagaraju started applying for a new job but also felt “confused and upset” over the way NCS ended his employment. According to court documents, he used his personal laptop to access NCS’ QA computer system at least six times in January 2022.

He returned to Singapore in February 2022 to start a new job but continued to use his credentials to access his former employer’s systems. In March 2022, he logged on to the system 13 times and eventually ran a programmed script on the system between March 18, 2022, and March 19, 2022, to delete 180 virtual servers that stored application code for software applications under testing. NCS suffered S$917,832 in losses from the deletion.

The company told the CNA news site that Nagaraju continued to gain access to the test environment as a result of “human oversight” because his access to the system was not terminated when his employment ended.

NCS is a leading technology services company offering application, infrastructure, engineering and cybersecurity services to organizations across the Asia-Pacific region. The company said the unauthorized access in early 2022 was an isolated incident.

Singtel, NCS’ parent company and Singapore’s largest telecommunications conglomerate, reported a loss of S$1.47 billion in financial year 2023 as a result of Australian subsidiary Optus experiencing a major cyberattack that affected up to 10 million current and former customers. The remediation costs lowered Singtel’s net profit by 64%.

Singtel’s Australian IT consulting subsidiary Dialog in September 2022 experienced a data breach that involved a threat actor stealing company data, including data associated with 20 clients and 1,000 employees, and posting the dump for sale on the dark web.

Zero Trust and MFA Key to Securing IT Assets

NCS discovered the unauthorized access a day after Nagaraju deleted the virtual servers. Venkatesh Thanumoorthy, identity and access management architect at a leading technology consulting company, said NCS could have prevented the unauthorized access and data deletion if it had aligned its cybersecurity strategy with broader risk management strategy. The Ponemon Institute Cost of Insider Risks Global Report from 2023 says organizations lost $16.2 million globally to insider threat incidents.

“Periodic rotation of credentials/passwords/SSH keys through a PAM platform and user behavior analytics is a good option to implement to avoid this situation in the future. With the implementation, the user doesn’t even need to know the target credentials,” Thanumoorthy said.

A Stronger Risk Management Posture

Raina Verma, programming director and executive board member at the Association of Certified Fraud Examiners, said large organizations such as NCS must make their employee offboarding processes as meticulous as the onboarding process for critical roles.

It is clear that Nagaraju’s termination was immediate, not staggered, and the rushed offboarding resulted in a human error in which an administrator forgot to deactivate Nagaraju’s access to critical systems. The company’s alert management system or detection systems also failed to give out alerts when the ex-employee accessed the testing environment multiple times.

NCS did not respond to Information Security Media Group’s request for comment at the time of publication.