One Man… $1 Billion… Stolen.
A former Intel employee has been charged with attempting to steal $1 billion worth of information. Wow. Turns out that although he had resigned and officially left, he still had access to the computer systems - and guess what… he decided to copy stuff, which he freely admits he would use to further his career in the future.
While I have written about the decline of implicit trust before, this is yet another case, although this time it exposes a poor corporate process for shutting individuals out of company systems when they leave.
I was with a customer this week and they are about to change their policy on password changes to every two weeks. Every two weeks… we change our passwords every three months and even then I can have problems (a) finding something that fits the policy (uppercase, lowercase, numeric, punctuation, not this or that) and then (b) remembering it… let alone having to do it every two weeks. The reason passwords used to have to be changed frequently was that companies were not good at shutting people out of systems when they left… but now there is no excuse.
Time to revisit that employee leaver policy… and examine how you can prevent falling foul of a malicious insider - after all, he was just copying restricted data onto removable media… something technology can help you spot.
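The two checks the post points at (accounts still active after the leaving date, and restricted data going to removable media) are easy to run over endpoint and access logs once the HR leaver list is available to the security team. The script below is an added example, not code from the original post: it assumes a hypothetical log line format (ISO timestamp, user, event, then key=value fields) and a constructed leaver list, and flags both conditions.

```python
"""Cross-check access logs against the HR leaver list (added example).

The log format, the leaver list and the sample lines are all constructed for
this illustration; real sources would be the IAM/EDR logs and the HR feed.
"""
from datetime import datetime, timezone

# Hypothetical HR feed: user -> last working day (constructed sample data).
LEAVERS = {"jsmith": "2008-09-12"}

# Constructed sample log lines in the hypothetical format described above.
SAMPLE_LOG = """\
2008-09-10T14:02:11Z jsmith FILE_READ classification=restricted path=/eng/roadmap.doc
2008-09-15T22:41:03Z jsmith LOGIN host=vpn-gw
2008-09-15T22:44:19Z jsmith USB_WRITE classification=restricted path=/eng/roadmap.doc device=usb-disk
2008-09-15T22:45:30Z jsmith USB_WRITE classification=public path=/hr/canteen-menu.pdf device=usb-disk
2008-09-16T09:00:00Z mjones FILE_READ classification=restricted path=/eng/roadmap.doc
"""


def parse_line(line: str) -> dict:
    """Split one log line into a record; unknown key=value pairs are kept as-is."""
    ts, user, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "event": event, **fields}


def is_after_leaving(rec: dict, leavers: dict) -> bool:
    """True if the account belongs to a leaver and the event is after their last day."""
    last_day = leavers.get(rec["user"])
    if last_day is None:
        return False
    cutoff = datetime.strptime(last_day, "%Y-%m-%d").date()
    return rec["ts"].date() > cutoff


def find_alerts(log_text: str, leavers: dict = LEAVERS) -> list:
    """Return (user, event, path, reasons) for every line that trips a check."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        # Check 1: the leaver process failed, the account should already be disabled.
        if is_after_leaving(rec, leavers):
            reasons.append("activity after last working day")
        # Check 2: restricted data copied to removable media, regardless of who did it.
        if rec["event"] == "USB_WRITE" and rec.get("classification") == "restricted":
            reasons.append("restricted data written to removable media")
        if reasons:
            alerts.append((rec["user"], rec["event"], rec.get("path", ""), reasons))
    return alerts


if __name__ == "__main__":
    for user, event, path, reasons in find_alerts(SAMPLE_LOG):
        print(f"{user} {event} {path}: {'; '.join(reasons)}")
```

On the constructed sample the first read by jsmith (before the leaving date) is silent, the VPN login and the two USB writes after the leaving date are flagged, and the restricted USB write carries both reasons; the second check fires independently of the leaver list, so it also covers the serving employee who decides to copy data.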
One Man, One Password, One Cell
So just how important can one person be? If they happen to be the IT administrator and they have a grudge, then perhaps the answer will scare you. In a recently reported incident one employee locked a whole city out of its computer system - and then refused to hand over the password. Implicit Trust fails once more. If that had been your company, what would you have done? In this case they threw the individual in jail and are waiting… and trying to crack the password themselves!
More to the point, what could you do to prevent it from happening? This is a tough one - obviously you could have audit trails (but if you can’t log in, then how can you find the information), perhaps you could have a secret backdoor (not such a good idea - some cyber-criminal will find it), perhaps you can have policies and procedures (not that they help when you are locked out)… so what to do? Maybe the best thing to do is to ask your IT administrators how they would solve the problem - they will no doubt come up with a solution that would work for you and your network. If you think using this case might be a little close to the bone, then how about framing it as an ‘accident’ in which everyone gets locked out - its own form of ‘disaster’.
How Would You Know?
There is a case running in the US at present where a student hacked into his school’s database and changed his grades. This could be considered malicious data corruption! The allegations arose when some cross-checking revealed anomalies, which led to an investigation. The question is, would you know if something similar was going on in your organization?
Data loss is easy to spot if it is a laptop that has gone missing - it was here one minute, now it’s gone. Data skimming is tough to spot, i.e. where data is being slowly and steadily extracted, for example over a wireless network - but it does eventually get found out, although it sometimes takes years. But what about malicious data corruption, how would you know? In this case it was relatively simple to spot once the cross-check occurred - but what if there hadn’t been the need for a cross-check? What if someone had broken into a system and increased a credit note? The automated cheque system would probably print out the rebate without hesitation - provided it wasn’t over a specific amount.
Audit trails would provide some recourse (should a cross-check occur), but the operation to alter credit notes is probably a valid function, so how would you know which was ‘real’ and which was not?
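Two things make the credit-note question answerable: the audit trail must be tamper-evident, so that someone who can edit the ledger cannot quietly edit the trail to match, and the stored ledger must be cross-checked against what the trail says it should contain, on a schedule rather than only when something looks odd. The code below is an added example, not from the original post: it builds a hash-chained audit log, replays it to reconstruct the expected credit-note amounts, and shows what each of the two checks catches on constructed sample data. The record layout and the `cross_check` helper are assumptions of this illustration.

```python
"""Hash-chained audit log plus ledger replay cross-check (added example).

Sample actors, note ids and amounts are constructed for this illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, entry: dict) -> str:
    """Hash of the previous link plus a canonical encoding of this entry."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # list of (entry_dict, link_hash)

    def append(self, actor: str, action: str, note_id: str, amount: float) -> None:
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "note_id": note_id, "amount": amount}
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((entry, _digest(prev, entry)))

    def verify_chain(self) -> int:
        """Return the index of the first broken link, or -1 if the chain is intact."""
        prev = GENESIS
        for i, (entry, link) in enumerate(self.entries):
            if entry["seq"] != i or _digest(prev, entry) != link:
                return i
            prev = link
        return -1

    def replay(self) -> dict:
        """Rebuild the credit-note amounts the log says should exist."""
        state = {}
        for entry, _ in self.entries:
            if entry["action"] in ("create", "amend"):
                state[entry["note_id"]] = entry["amount"]
            elif entry["action"] == "void":
                state.pop(entry["note_id"], None)
        return state


def cross_check(ledger: dict, log: AuditLog) -> list:
    """Note ids whose stored amount differs from what the audit log accounts for."""
    expected = log.replay()
    return sorted(n for n in set(ledger) | set(expected)
                  if ledger.get(n) != expected.get(n))


def demo() -> dict:
    """Walk through a ledger edit, then an audit-record edit, and report what each check finds."""
    log, ledger = AuditLog(), {}
    log.append("alice", "create", "CN-1001", 120.00); ledger["CN-1001"] = 120.00
    log.append("bob", "create", "CN-1002", 45.50);    ledger["CN-1002"] = 45.50
    assert cross_check(ledger, log) == [] and log.verify_chain() == -1

    # Step 1: the ledger row is changed directly, bypassing the application,
    # so no audit entry is written. Replay disagrees with the ledger.
    ledger["CN-1002"] = 4550.00
    mismatches_after_ledger_edit = cross_check(ledger, log)

    # Step 2: the stored audit record is edited to agree with the ledger.
    # Replay is now silent, but the hash chain no longer closes at that link.
    log.entries[1][0]["amount"] = 4550.00
    mismatches_after_log_edit = cross_check(ledger, log)
    broken_link = log.verify_chain()

    return {"ledger_edit": mismatches_after_ledger_edit,
            "log_edit": mismatches_after_log_edit,
            "broken_link": broken_link}


if __name__ == "__main__":
    print(demo())
```

The chain only helps if the most recent link hash is periodically copied somewhere the ledger administrators cannot write (a separate logging system, a signed record held by audit, even a printout); otherwise an insider with full access can simply re-hash the whole chain after editing it. Replay plus a trusted tail hash is what turns "the alter-credit-note function was used" into "this alteration was, or was not, recorded when it happened".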