We are in 2017. Tristan is hired as Project Manager for a large local authority. This is his very first job and he is determined to make a lasting impression.
He is tasked with the implementation of a software package very recently purchased by his employer, which gathers the personal data of the authority's staff, the public it serves, and so on – in other words, everyone – so as to be ready for the GDPR.
Tristan is well aware of the importance of this mission and knows that failure and delays are not an option.
Tristan has always been a model student, diligent, and scrupulous. He contacts the software company that won the tender and starts reaching out to the technical department.
His project is rolled out on a server provided by the network system administrator. He hits it off with his fellow project managers, who help him connect it to the HR management system, then to the system managing the general public's Social Assistance requests, to the financial third parties, to the institutional contacts, etc.
The board did not deem it necessary to hire a genuinely independent and qualified CISO, since the system administrators had assuredly proven their skills. As a testament to that, Tristan is asked to create a separate, uniquely identified directory account for each connection.
The passwords are 16 characters long and considered highly secure. All accounts are neatly listed in the application's configuration files.
The project is slowly put together, piece by piece; Tristan will be ready for May 2018. He prepares his presentation for his boss and his director. He works late into the evening to be ready for the following day. But suddenly the demo crashes.
Slightly panicked, he contacts the software publisher:
“This project is due tomorrow morning; I can’t afford to crash the demo!”
He is good friends with the publisher, who lends him a hand on the spot:
“I'd need a visual of the Front server. Do you have a TeamViewer account?”
“I’ll open one up right away.”
At that very moment, Tristan is more worried about the success of his presentation than about security matters. He downloads TeamViewer version 12 and installs it on the Front server, as requested by the publisher. He sends them the remote access codes immediately.
Two hours later, everything is back to normal and the demo works. Tristan can go home and sleep peacefully. He is ready for the following day.
The demo goes without a hitch; the project is a success. As the years go by, he is tasked with more and more important projects and is regularly promoted.
On 24 February 2020, chaos reigns in the office when he shows up at work. The newly hired CISO stops him:
“I need every project that has access to payroll software. It seems you have one.”
Tristan gets up to speed after a few explanations and conversations with his co-workers: all HR, social, and financial systems and databases have been breached and encrypted, with a sample of all the board members' salaries sent from an untraceable email address. They are asked to pay a 230 Bitcoin ransom, or the data will be made public and the systems will remain inaccessible.
After a few days of forensic analysis, the consulting firm reports that the attackers entered through the TeamViewer access that he had left open on his app's server and exploited CVE-2018-16550 to force their way in. The logs show that they had made several login attempts since last December before succeeding in late January. From there, they moved on to the other systems connected to the app and were able to lock those too, since all the passwords had been stored unencrypted in the configuration files.
Conclusion of the analysis report: “Never leave open and unsupervised access to TeamViewer, LogMeIn, remotePC, or any other Remote Desktop software!” Signed: Camille.
End of the story: Tristan is punished for having done a good job, and his current employer still fails to understand that the fault lies in organizational issues related to project management. He should never have been left alone to handle his project, and the installation of any software capable of opening a breach in the system must be reviewed by a specialist who understands cyber risk.
Yet, this conclusion is not present in the report. Indeed, even if Camille is aware of such an issue, her job is not to report that kind of problem… to avoid offending the egos of some customers in the relevant Department…
Tristan exists in every one of us, and very few managers listen to Camille’s advice.