CLIENT CASE STUDY — SECURITY OPERATIONS CENTER (SOC)
AO IT Consulting | Portland, Oregon | aoitconsulting.com
A hacker spent the weekend in an employee’s computer. This is what happened — and why a SOC would have stopped it within 2 minutes of the attack beginning.
Attack Type: Weekend Remote Access
Entry Point: Password on Sticky Note
Attack Duration: Entire Weekend
SOC Response: 2 Minutes (If Active)
It Started with Strange Behavior on a Monday Morning
A company called AO IT Consulting to investigate something unusual. An employee had a routine: every Friday as she left for the weekend, she rebooted her computer. When she returned Monday morning, something was wrong. Someone had been on her computer over the weekend — and they hadn’t been browsing casually.
They had attempted to order a replacement credit card and have it sent to a different address. They had accessed her saved personal email. They had been thorough, methodical, and patient.
The investigation revealed exactly how they got in — and it’s a story that will sound uncomfortably familiar to a lot of business owners.
🔍 ACT ONE: How the Hacker Got In
Three Vulnerabilities. One Catastrophic Weekend.
1. The password was written on a sticky note on her monitor. Physical access to the office — or even a photo — was enough to obtain it.
2. The hacker installed remote desktop software on her computer. With her password in hand, they gained access and installed a tool that would let them return remotely — at any time — without needing to be physically present.
3. Her credit card login and personal email credentials were both saved in her browser. Once inside the computer, the hacker had everything they needed: the credit card account to steal from and the email account to verify the fraudulent request.
The hacker spent the entire weekend on her computer. They had her password, her financial accounts, and her email. They used one to verify the other — a perfectly executed attack that exploited three completely preventable vulnerabilities.
🛡️ ACT TWO: What a SOC Would Have Done
2 Minutes. That’s All It Would Have Taken.
Here’s the critical point of this story: with a Security Operations Center (SOC) in place, this attack would never have reached the credit card account. It would have been stopped at the moment the remote desktop software was installed.
⚡ The SOC Response: What Should Have Happened
- Hacker installs remote desktop software on the employee’s computer
- SOC detects the installation in real time
- AO IT receives a phone call within 2 minutes
- AO IT denies the installation — software is blocked
- Computer is immediately isolated from the network until the threat is investigated and cleared
The credit card account is never accessed. The email account is never touched. The fraudulent order is never placed. The employee comes in Monday morning and her computer is exactly as she left it.
The only difference between what happened and what should have happened: a SOC.
What Is a SOC and Why Does Your Business Need One?
A Security Operations Center — SOC — is a 24/7 monitoring system that watches your devices, your network, and your software in real time. It doesn’t wait for something to go wrong and then respond. It detects threats as they develop and acts before damage occurs.
The SOC isn’t a replacement for your other security tools. It works in tandem with them to create a layered, proactive defense:
SOC: 24/7 real-time monitoring — detects and responds to threats as they happen, before they take hold
EDR: Endpoint Detection & Response — advanced threat detection at the device level, catching attacks that bypass traditional antivirus
Antivirus: Baseline protection against known malware, viruses, and malicious software
Behavior Monitoring: Identifies unusual patterns of activity — like remote desktop software being installed on a weekend — that don’t match normal user behavior
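As an added illustration (not AO IT Consulting's tooling or code from this page), here is the kind of behavior-monitoring rule that the SOC response steps and the Behavior Monitoring row describe: it scans constructed install and logon events, flags remote-access software, escalates installs that land on a weekend or outside business hours, and stamps each alert with the 2-minute call-back deadline. The log format, keyword watchlist and business-hours window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp | host | user | event | detail".
# A normal Friday install and reboot, then a Saturday install of a remote
# desktop tool followed by a remote logon in the small hours of Sunday.
SAMPLE_LOG = """\
2024-06-14T10:05:41 | WS-07 | jdoe | install | PDF Reader 11.2
2024-06-14T16:58:02 | WS-07 | jdoe | reboot | user-initiated
2024-06-15T09:14:33 | WS-07 | jdoe | install | QuickView Remote Desktop Host
2024-06-16T02:40:09 | WS-07 | jdoe | logon | remote session
2024-06-17T08:30:00 | WS-07 | jdoe | logon | console
"""

# Assumed watchlist: phrases that identify remote-access software in install events.
REMOTE_ACCESS_KEYWORDS = ("remote desktop", "remote access", "remote support")
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday to Friday
SOC_SLA = timedelta(minutes=2)  # the call-back window this case study cites

@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str

def parse_event(line: str) -> Event:
    ts, host, user, kind, detail = [f.strip() for f in line.split("|", 4)]
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)

def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def is_remote_access_tool(detail: str) -> bool:
    d = detail.lower()
    return any(k in d for k in REMOTE_ACCESS_KEYWORDS)

def analyze(log: str) -> list[dict]:
    """Return one alert per suspicious event, critical alerts first."""
    alerts = []
    for line in log.splitlines():
        ev = parse_event(line)
        if ev.kind == "install" and is_remote_access_tool(ev.detail):
            sev = "critical" if is_off_hours(ev.ts) else "high"
            reason = "remote-access tool installed"
        elif ev.kind == "logon" and "remote" in ev.detail.lower() and is_off_hours(ev.ts):
            sev, reason = "high", "off-hours remote logon"
        else:
            continue  # routine activity: no alert
        alerts.append({"host": ev.host, "user": ev.user, "severity": sev, "reason": reason,
                       "event_time": ev.ts, "page_by": ev.ts + SOC_SLA, "detail": ev.detail})
    return sorted(alerts, key=lambda a: a["severity"] != "critical")
```

On the sample log the Saturday install is the critical alert with a call-back deadline two minutes after the event, and the Sunday remote logon is a second, high-severity alert; the Friday install and console logon produce nothing.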
The Sticky Note Problem Is Bigger Than You Think
It’s easy to hear the sticky note detail and think “that would never happen at our company.” But password hygiene is one of the most persistent and widespread vulnerabilities in business IT security. Passwords written down, saved in browsers, shared between accounts, never rotated — these are the entry points attackers exploit every day.
A SOC doesn’t fix a sticky note. But it catches what happens next. The moment an attacker uses that password to install unauthorized software — the moment behavior deviates from the norm — the SOC sees it and the response begins.
“The hacker had her password, her computer, her credit card, and her email. They had everything they needed. A SOC would have stopped them the moment they installed that remote access software — before any of it mattered.” — John Rivers, AO IT Consulting
By the Numbers
Weekend: Time the hacker spent undetected on the employee’s computer
2 Min: Time it would take a SOC to detect and flag unauthorized remote software
3: Preventable vulnerabilities that combined to enable the attack
0: Damage if a SOC had been in place when the software was installed
💡 Reactive Security Is Not Enough
Traditional IT security waits for something to go wrong and then responds. A SOC doesn’t wait. It watches constantly, detects instantly, and acts before the damage is done. In cybersecurity, the difference between a near-miss and a disaster is often measured in minutes. A SOC closes that gap.
And While We’re Here: Stop Doing These Things
The SOC would have stopped this attack. But the attack also exposed several security habits worth fixing in any organization:
- Never write passwords on sticky notes — or any physical paper near your workstation
- Use a password manager instead of saving credentials in your browser
- Never use personal email accounts for work-related verification on work computers
- Enable multi-factor authentication on financial accounts — especially those accessed from a work device
- Reboot computers at end of day rather than leaving sessions active over the weekend
Does Your Business Have 24/7 Eyes on Its Systems?
If not — your business is relying on luck. AO IT Consulting provides SOC monitoring as part of our managed security services, working alongside EDR, antivirus, and behavior monitoring to give your business proactive, around-the-clock protection. Ask us about adding a SOC to your security stack today.
🌐 aoitconsulting.com
📞 (503) 257-3332
✉️ aoit@aoitconsulting.com
Serving Portland and the Pacific Northwest since 2003 | Managed IT • Cloud Services • Cybersecurity • SOC • EDR • Network Infrastructure
