At the conclusion of their conversation, Brian remembered to ask Jim about the second dialog that Jim had had with the manager of the engineering department. Jim offhandedly said, “Oh, after I chatted again with the manager of that group down there, he caught the guy at it. When all the other folks in his group had gone out to lunch, that guy stuck around and was trying out all kinds of different passwords. So we fired him three weeks ago.” At this revelation, Brian nearly fell out of his chair. Mustering as much calm as he could, he asked Jim why no one had mentioned the firing of the engineer to someone in the IT department so that they could deprovision the fired employee’s account access. Jim said, “You’re right, that would have been a good idea, but you know, we’ve rarely had an employee leave the firm on bad terms, so it’s not something that’s really come up before.” “But the attack we had last week used an account of an old employee,” Brian replied. “One that had apparently left on good terms. So you see how it doesn’t matter whether the person is fired or just resigns, we have to know when they leave so that we can deactivate their account.” “Sure, that does make sense,” Jim agreed, “but it wouldn’t have saved us in this case. The hacker who did this didn’t use the account information from the engineer we fired.” Brian then patiently explained to Jim that indeed it might not have prevented the attack, but if they had consistently removed archaic accounts from the company’s networks, that the attack might have been avoided. Brian concluded the meeting with several new ideas in his mind about the attack, which he shared a few days later in a one-on-one meeting with the CEO of the company. A few weeks later, a few shake-ups occurred in the management structure of the company, and the CEO issued several new policies that Brian had drafted. One of the new policies pertained to greater coordination between HR and IT, particularly regarding notification of changes in the status of employees—hiring, firing, promotion, etc. In reflecting on the attack later, Brian believed that the fired engineer was the attacker who caused all the damage. The engineer had apparently used his lunch hour over the past few months to probe the accounts of current and former employees, looking for a username/password combination that would give access to key information systems in the company. The engineer had probably taken a VPN installer disk from the stack on the table in the IT department and installed the VPN on his own system to continue his probing from home or another location on the Internet. Brian believed that the engineer had eventually hit on the correct password for the archaic account at some point either just before or just after he left the company. Brian was unsure of the engineer’s original intentions for the account probing, and was unsure as to whether the termination of the engineer’s employment had been the trigger for the actual attack. Finally, Brian believed that with records obtained through a legal request to the local ISP that he might obtain enough evidence to bring a criminal case against the engineer, but Cenartech’s CEO decided not to pursue that course.