Monday, 21 July 2008

Security Officer Goes Postal

Today's Toronto Globe and Mail newspaper had this article about a city of San Francisco computer engineer who changed the security passwords on his employer's system. The system still works, but nobody can get in to set up new users, change passwords etc. The man, Terry Childs, is languishing in a local jail with bail set at $5,000,000.


As an accountant, should you care? I do. The accounting system I run is a major user of the computer network. A network security issue is a financial security risk.

My first thought was: breakdown in controls, i.e. segregation of incompatible duties. There should be more than one person with the system password. But then I thought, wait, what if the control system was in place? What if Childs just let himself in late one night, as he would typically do to apply new security patches, and changed the password? If he were in charge of security, it would be quite a normal thing for him to do. The difference is that he didn't notify the other security administration staff of the change.

My next thought was how to design a security system so that this couldn't happen. You would need at least two passwords, neither of which could change the other. Then there would have to be two independent security officers, etc. I checked with the security officer on our system. He said that we have three system administrators, each with a separate admin login and password. Even if one of them changed the password on all three admin accounts, it's still possible to unlock the admin password. Thank you, Microsoft!

But design is only half the issue. Even though our system could recover from a rogue security officer, that doesn't mean that he/she couldn't do a significant amount of damage. Control systems only go so far. They cannot protect you from human feelings and weaknesses. If your security officer does not feel that he/she is part of the team, then you have a major risk regardless of how well your system is designed.

So, who is to blame, the employee or the employer? The newspaper article doesn't shed much light on why Childs was so disgruntled that he would put himself and the whole city of San Francisco at risk, but my experience leads me to point the finger squarely at both. Putting Childs in jail will not correct the problem. Management needs to find out what the problem is and take positive steps to listen to employee concerns, and employees need to find a constructive way to air their grievances. In his own passive-aggressive way, Childs has become the most outspoken of the disgruntled employees, but I'll bet you 10 pounds of Ghirardelli chocolate he's not the only one.

P.S. A note on security: one of my clients was doing an upgrade and I saw him logging in as "Bob". I told him that for this work he had to log in as Admin. He just smiled and said the Administrator account actually had no system privileges. It was there as a decoy for hackers. The real power was in the Bob account. Lesson learned.

6 comments:

Norm said...

This story is interesting to me. From what I heard he was the key system engineer on the system. So that being said, does he not have the right to hold the passwords? The system still works and there are no problems. So what is he actually guilty of? Also maybe he has forgotten the passwords. I hate when that happens!

Bill Kennedy, CA said...

Hi Norm,

Good point. I'm not sure the city of San Francisco would agree that there are no problems. Typically something has to be done by an administrator every day: adding / removing users, applying software patches, updating the operating system etc.

I take your point though. He could have changed the password and then "forgotten" it, but I bet he'd still be where he is today!

Bill

INvoice factoring blog said...

Bill -

Just found you through Becky's brag basket.

There is one thing to bear in mind - all the security in the world will not stop a dedicated intruder that has resources. It will only delay them.

The idea is to make it so difficult that they just give up and go elsewhere.

Cheers,
Marco

Bill Kennedy, CA said...

Hey Marco,

Couldn't agree more. It's even harder to stop them when they work for you! Thanks for looking me up.

Bill

Anonymous said...

As we now know, it was part of his job to set passwords in the routers and had been for years. What we don't know is specifically what was asked of him during the meeting on July 9th, 2008 when DTIS officials claim that they asked him for "the password." We do know that San Francisco Police Inspector James Ramsey was present and that he told Terry that he would arrest Terry if Terry failed to answer. Terry did answer and was allowed to leave. DTIS officials then claimed that the password provided by Terry didn't work and that they had been unable to test it while Terry was there. He was under police surveillance and arrested three days later.

He then voluntarily supplied a password to the mayor (from jail). Initially the Cisco Engineers could not get the password to work and after further communication from Terry through his attorney (Erin Crane) they were able to successfully use the password.

We don't know what Terry was asked on the 9th. We do know that he answered and that for some inexplicable reason, the DTIS employees present in the meeting could not verify that the password worked at that time. We also know that Terry did give a correct password to the mayor and that Cisco Engineers were unable to figure out how or where it could be used. We also know that Terry then supplied that information and the password was found to be functional.

Bill Kennedy, CA said...

We will never get to the bottom of why Terry did what he did. His lawyer gives some clues here: http://government.zdnet.com/?p=3902 and the prosecution's point of view is summarized here: http://government.zdnet.com/?p=3905&tag=rbxccnbzd1

It's possible that mental illness is involved. Whatever his motivations were, however, the point that management needs to deal with the human issue is valid.

Bill