Most of the story, about a programmer who abused his access to plant a “server bomb” in Fannie Mae’s servers, is straightforward.
The lessons are the usual ones. Remove access immediately upon terminating an employee, including remote access. Make sure you get their equipment, such as laptops and mobile devices, back before they have left the premises. Review all code before it is pushed to production.
Nothing jumps out as hard to handle with security management…except for this part:
Makwana’s employment record was a matter of some confusion last year, with various contractors denying that he worked for them and saying he was instead a “pass-through” employee paid by another company.
IonIdea, an IT contractor with offices in the Washington D.C. area, acknowledged that it had billed Fannie Mae for Makwana’s work, but argued that Makwana was actually employed by yet another firm, N.J.-based Marlabs.
I remember how Dvorak questioned why Makwana was ever hired in the first place. It still is a compelling question and probably not one answered by security (yet).