
Gray Hat Hacking 63

Chapter 2 discusses the importance of ethical hacking and the legal implications surrounding employee terminations. It highlights the risks posed by disgruntled employees who may exploit their insider knowledge to harm the company, emphasizing the need for robust termination procedures. The chapter also references legal cases under the CFAA that illustrate the challenges of proving financial damages from such actions.

Uploaded by

digapo7593

Chapter 2: Ethical Hacking and the Legal System

that continually cause these types of issues? That is why we wrote this book. We illustrate the weaknesses in many types of software and show how these weaknesses can be exploited with the goal of motivating the industry to work together—not just to plug holes in software, but to build the software right in the first place. Networks should not have a hard shell and a chewy inside—the protection level should properly extend across the enterprise and involve not only the perimeter devices.

Disgruntled Employees
Have you ever noticed that companies will immediately escort terminated employees out of the building without giving them the opportunity to gather their things or say goodbye to coworkers? On the technology side, terminated employees are stripped of their access privileges, computers are locked down, and often, configuration changes are made to the systems those employees typically accessed. It seems like a coldhearted reaction, especially in cases where an employee has worked for a company for many years and has done nothing wrong. Employees are often laid off as a matter of circumstance, not due to any negative behavior on their part. Still, these individuals are told to leave and are sometimes treated like criminals instead of former valued employees.

Companies have good, logical reasons to be careful in dealing with terminated and former employees, however. The saying “one bad apple can ruin a bushel” comes to mind. Companies enforce strict termination procedures for a host of reasons, many of which have nothing to do with computer security. There are physical security issues, employee safety issues, and, in some cases, forensic issues to contend with. In our modern computer age, one important factor to consider is the possibility that an employee will become so vengeful when terminated that he will circumvent the network and use his intimate knowledge of the company’s resources to do harm. It has happened to many unsuspecting companies, and yours could be next if you don’t protect yourself. It is vital that companies create, test, and maintain proper employee termination procedures that address these situations specifically.

Several cases under the CFAA have involved former or current employees. A programmer was indicted on computer fraud charges after he allegedly stole trade secrets from Goldman Sachs, his former employer. The defendant switched jobs from Goldman to another firm doing similar business, and on his last day is thought to have stolen portions of Goldman Sachs’s code. He had also transferred files to his home computer throughout his tenure at Goldman Sachs.

One problem with this kind of case is that it is very difficult to prove how much actual financial damage was done, making it difficult for companies injured by these acts to collect compensatory damages in a civil action brought under the CFAA. The CFAA does, however, also provide for criminal fines and imprisonment designed to dissuade individuals from engaging in hacking attacks.

In some intrusion cases, real damages can be calculated. In 2008, a hacker was sentenced to a year in prison and ordered to pay $54,000 in restitution after pleading guilty to hacking his former employer’s computer systems. He had previously been IT manager at Akimbo Systems, in charge of building and maintaining the network, and had hacked into its systems after he was fired. Over a two-day period, he reconfigured
