How identity detection solved credential mystery in Howard County, Md.

Former county CISO John Bruns said identity detection software helped him find an employee using a deceased colleague's credentials for greater network access.
John Bruns, second from left, recounts discovering a "ghost employee" at the CrowdStrike Government Summit in Washington, D.C. on April 11, 2023. (Scoop News Group).

An identity-centric approach to cybersecurity helped uncover the truth behind some mysterious network activity a few years ago in Howard County, Maryland, its former chief information security officer, John Bruns, said at a cybersecurity conference on Tuesday.

Bruns, who is now the acting statewide CISO in Maryland, said that two days after implementing new identity threat detection software on the county’s network, he started noticing some unusual activity.

In reviewing data on a colleague’s remote desktop sessions, Bruns noticed that one employee, whom he called “Steve,” was particularly active in the virtual environment.

The issue was, Bruns said, was that Steve had recently passed away.


“What is happening here?” Bruns said, recounting his response to this discovery for the CrowdStrike Government Summit in Washington on Tuesday.

After some digging, Bruns found that Steve’s remote desktop sessions were associated with a device that belonged to another employee, whom Bruns referred to as “Diane.”

“I call Diane,” Bruns said. “I say, ‘Diane, Steve’s on your device.'” She replied; “‘No, no, that’s just me. I’m using his account.’”

“Why are you using his account?” Bruns said he asked.

Diane’s reply: “He has more rights than me.”


Looking into Steve’s permissions, Bruns found that Steve had extensive administrative rights on hundreds of devices – permissions that he began to rescind.

The story is a cautionary tale of the importance of identity management, Bruns said.

By just looking at how and why his colleagues were working in certain ways, Bruns was able to address a big potential security vulnerability.

Rather than treating identity management as something that should be reviewed annually, Bruns recommends “continuous monitoring of what is going on in your environment” to avoid staff login information being compromised.

“You have to be monitoring who has invalid passwords that have been compromised, and which accounts are inactive. We’ve been doing this daily, and the numbers have dropped,” Bruns said.

Latest Podcasts