Security issues come in all sizes and shapes. When I was a young IBM Systems Engineer, I was assigned responsibility to install a Payroll system for a large hospital.
As it would happen, the CIO of the hospital was apparently in hot water with the new Hospital Administrator, the CEO of the hospital. During this time I was “camped out” day and night working on the Payroll installation, the CIO was fired.
Word came down from hospital management that the CIO was terminated, barred from the Data Center and that the locks and security codes were being changed right away. This is common practice when management wants to “lock down” the computer systems if they are concerned with the possibility of sabotage by an outgoing employee.
The next day, we were asked to review the systems access logs. To everyone’s surprise, the CIO had logged onto several key systems between midnight and 1:15am in the morning. This was in the days when remote access was not possible, , , you had to physically be in the building using one of the networked workstations to access the hospital’s systems.
The locks had been changed, the security codes were changed, , , but the former CIO still managed to access the hospital’s systems.
How did he do it?
Hospital management told everyone about the CIO leaving the company except for the 3rd shift Computer Operator. When the outgoing CIO tried to get into the building, he no longer had keys, , , so he buzzed in as he normally would do and the Night Operator let him into the Data Center, , , also just like he normally would do. It looked like ‘business as usual’ to the Night Operator.
Fortunately, the fired CIO wasn’t there to do anything malicious. He was there to retrieve a few personal files and to follow-up on a technical issue that he knew about. He was actually very conscientious in his “night maneuvers”.
The morale of the story is that when you think you have all the doors locked, check again to be sure you’ve notified all who need to know, , , including your Night Operator.