Carillion’s untold cyber security story: what happened during the liquidation process

December 20, 2018

by James Hampshire Cyber Security Senior Manager

Email +44 (0)7841 467312

When Carillion entered into an insolvency in January, one of our key worries was its underlying cyber security. With the significant transfer of business, contracts and people, not only could systems be exposed to attack from opportunistic attackers, but the risk of accidental data breaches could dramatically increase.

The responsibilities of the cyber security team were three-fold: monitoring access, ensuring business as usual security and mitigating threats. The following is an account of some of what we did to protect the IT systems that worked behind the scenes, including some of the numbers involved.

During any insolvency or restructuring, let alone the most complex one in UK history, the project can require specialist skill sets and knowledge.

PwC’s AccessAble tool helped us to monitor and manage access to Carillion’s IT systems and critical applications including those managed by outsourced service providers. We monitored and reviewed access rights of the users (for both those transitioning on to new contract and leavers by reason of redundancy or resignation) semi-automatically. We also risk-assessed users based on their access entitlements, and closely monitored the actions performed by high-risk users.

We identified and removed c.27,000 entitlements, c.1,000 high privilege access entitlements from normal users and 350 accounts (both dormant and test) from all critical applications including c.1,000 users from third-party cloud-based systems. This helped reduce the risk of leakage of information due to unauthorised or excessive access entitlements.

As part of security monitoring, we monitored and reported on the key network devices and points on the IT landscape. We also restricted auto-forwarding and access to cloud storage for a large number of accounts, restricting the leakage of commercially sensitive information.

We also used Tanium, an endpoint monitoring tool and part of our threat detection capability, to support security monitoring. Installed on over 1,500 endpoints (servers, laptops and desktops), Tanium provided visibility over endpoint behaviour and scouted for indicators that Carillion systems had been compromised.

We identified and addressed more than ten ‘Priority 2’ events, including malware attacks and ransomware attempts. We also used Tanium’s service management capabilities to identify over 62,000 critical and high vulnerabilities across 560+ unique hosts and removed more than 400 unique potentially unwanted programs from the network estate.

by James Hampshire Cyber Security Senior Manager

Email +44 (0)7841 467312