
Don’t Be the Next NCS: How to Stop Disgruntled Employees From Deleting Your Servers

Frustrated employees leaving a company is a reality. But what happens when they retain access to sensitive information?

An incident involving NCS, a major infotech company, shed light on how much damage can be done when termination procedures fail to completely cut off access for departing employees.

Former NCS contractor Kandula Nagaraju, 39, recently made headlines when he was sentenced to 18 months in jail after being found guilty of unauthorised access to NCS’s computer systems. But Kandula didn’t just access these computers; he also implanted a malicious script he had programmed himself to delete the company’s virtual servers.

It turns out, Kandula felt wronged by NCS, believing he didn’t deserve to get fired for what the company cited as poor performance. The Indian national felt he had “made good contributions” to the company and he naturally felt “confused and upset” by his termination.

In all, Kandula’s code deleted 180 of NCS’s virtual servers—doing so one at a time, just as he had designed—in just two days, March 18 and 19. By the time the NCS team realised what was going on, they were too late, one-upped by the same person the company had fired in October 2022 and whose official last day was 16 November 2022.

It was an act of vengeance, to say the least, and it cost NCS SGD $917,832.

‘Human Oversight’ Turns Into Point of Attack

An investigation later revealed Kandula repeatedly accessed the NCS system in the months after his termination using the same admin credentials he used as part of NCS’s 20-member Quality Assurance (QA) team. The company admitted as much, though the realisation took far too long.

“Due to a human oversight in administering the standalone test environment, the perpetrator’s access to the test environment wasn’t terminated immediately upon departure from the company,” NCS admitted. “Once the unauthorised access was discovered, all access was immediately terminated, and a police report filed.”

In other words, somebody forgot to terminate Kandula’s access credentials upon his firing. And this boo-boo circles back to something so basic it tends to get overlooked: Cyber hygiene is critical to cybersecurity.

Why Cyber Hygiene Matters

Cyber hygiene, the umbrella term encompassing practices and steps organisations and individuals must take to keep their digital assets healthy and secure, is foundational to effective cybersecurity. It’s the fabric that supports all these fancy cybersecurity tools, weaving together technology solutions and best practices into one unified security strategy.

Without it, even the best innovations won’t be nearly enough to prevent a cyber attack because there is always going to be a weak link—a weak password, a phishing victim, an unpatched vulnerability, and, in the case of NCS, unauthorised access due to mismanaged credentials.

“Proper authentication and authorisation to systems is a base security requirement. Unfortunately, it is also the one that often can get exploited due to improper implementation. It is not enough to create accounts and assign them access rights to resources. No. The accounts and their access to resources must be also constantly monitored and in case of irregularities, the responsible person or system needs to be alerted,” noted Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group, in an email to Cyber Security Asia (CSA).

Proper implementation of users and their rights on systems, Boris added, is “a basic part of cybersecurity hygiene that every company needs to get right” to not only prevent incidents similar to NCS’s but “to also prevent other forms of exploitation from happening.”

“What if such access was stolen from an employee through a phishing attack? The same thing could happen. Therefore, it’s important for organisations to monitor accounts and their actions and to make sure that no account has too broad of access rights on systems and their networks,” Boris explained.

But, in this case, it appears NCS committed two fundamental mistakes: It gave Kandula broad access rights and kept those rights active even after Kandula’s controversial termination.

This human oversight of something so basic cost NCS SGD $917,832. It could easily have been worse.

Securing Your Digital Assets: Enhanced Cyber Security + Cyber Hygiene  

The NCS incident highlights the need for organisations to take cyber hygiene seriously—very seriously. And the ways to do it can be as simple as:

  • Using strong, unique passwords.
  • Enabling multi-factor authentication.
  • Keeping software updated.
  • Using antivirus and anti-malware.
  • Backing up data.
  • Monitoring accounts for suspicious activity.
  • Using encryption.
  • Continuing education on cybersecurity and phishing avoidance.

Alongside these practices is a pressing need to enhance cybersecurity, with a renewed emphasis on access management and offboarding protocols, according to Darren Guccione, CEO and Co-Founder of Keeper Security.

“The recent incident of a disgruntled ex-employee deleting 180 virtual servers highlights the critical need for organisations to prioritise robust security measures, particularly in regard to access management and offboarding protocols,” Darren told CSA via email.

He also pointed out that “there’s a heightened risk of malicious actions” when an employee leaves under adverse circumstances, and this scenario necessitates taking a few critical steps that will prevent such malicious actions from happening.

“To mitigate this risk, organisations should adopt a zero-trust architecture with least-privilege access. This includes giving access to only what employees need to do their jobs, not granting access indefinitely, periodically checking who has access, and monitoring activity,” Darren advised. “Access management software, like a unified privileged access management solution, can help with privileged account and session management, secrets management, and enterprise password management.”

Offboarding: The Often-Overlooked Part of the Employment Cycle

The Keeper Security Co-Founder also highlighted the criticality of offboarding, noting how, for instance, “a single forgotten thumb drive containing sensitive data can fall into the wrong hands and result in a data breach.” In the case of NCS, it was a case of forgotten access credentials.

“Offboarding is an essential component of privileged access management and should actually start at the beginning when the employee is onboarded. By tracking and recording all digital and physical assets associated with each employee, recovering physical equipment issued throughout their employment with the company becomes easier,” Darren explained.

So, what should NCS have done after firing Kandula? According to Darren, the infotech firm should have promptly deactivated his accounts and revoked his access rights—all while closely monitoring for any continued activity post-employment. It appears NCS did not do all of the above, and it cost them nearly SGD $1 million.
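The offboarding check described above, and the periodic access review Darren recommends earlier, can be sketched as a reconciliation of HR leaver records against every environment's account list and authentication log. This is an added example, not code from the article, NCS or Keeper Security; the account names, environment names and log format are hypothetical, and only the 16 November 2022 last day comes from the article.

```python
from datetime import date, datetime

# Constructed sample data. Only the 2022-11-16 last day mirrors the article;
# every user name, environment name and log line is made up for illustration.
HR_LEAVERS = {"contractor_a": date(2022, 11, 16), "analyst_b": date(2023, 1, 31)}

# Inventory per environment, including systems outside central identity management.
ACCOUNTS = [
    {"env": "corp-sso", "user": "contractor_a", "enabled": False, "admin": False},
    {"env": "qa-standalone", "user": "contractor_a", "enabled": True, "admin": True},
    {"env": "corp-sso", "user": "analyst_b", "enabled": False, "admin": False},
    {"env": "corp-sso", "user": "engineer_c", "enabled": True, "admin": False},
]

AUTH_LOG = """\
2022-11-10T09:12:44 qa-standalone contractor_a LOGIN_OK
2023-01-06T22:41:03 qa-standalone contractor_a LOGIN_OK
2023-02-02T08:00:10 corp-sso analyst_b LOGIN_FAIL
2023-02-14T23:05:51 qa-standalone contractor_a LOGIN_OK
2023-02-15T01:17:20 corp-sso engineer_c LOGIN_OK
"""

def orphaned_accounts(leavers, accounts, today):
    """Accounts still enabled for someone whose last day has passed."""
    return [a for a in accounts
            if a["enabled"] and a["user"] in leavers and leavers[a["user"]] < today]

def post_departure_logins(leavers, log_text):
    """Any authentication attempt, successful or not, after a leaver's last day."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the audit
        ts, env, user, result = parts
        last_day = leavers.get(user)
        if last_day is not None and datetime.fromisoformat(ts).date() > last_day:
            hits.append({"time": ts, "env": env, "user": user, "result": result})
    return hits

def audit(today=date(2023, 3, 1)):
    orphans = orphaned_accounts(HR_LEAVERS, ACCOUNTS, today)
    orphans.sort(key=lambda a: not a["admin"])  # admin-level orphans first
    return orphans, post_departure_logins(HR_LEAVERS, AUTH_LOG)

if __name__ == "__main__":
    for findings in audit():
        for item in findings:
            print(item)
```

The check is only as complete as the inventory: an environment missing from the account list produces no findings, which is the gap the standalone test environment represented here.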

This incident should serve as a cautionary tale for the entire information technology industry. Companies must recognise the significant power and trust placed in their employees, especially in an era where controlling information flow is more challenging than ever. A single dishonest or disgruntled employee can inflict considerable damage, so it’s crucial to implement stringent security measures and foster a culture of respect and trust.

 

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.
