
San Francisco network lockup justifies CIO fears

By Zach Church, News Writer
22 Jul 2008 | SearchCIO-Midmarket.com


Take it from the message boards.

The judgment for IT managers was swift when news broke that a San Francisco city network administrator had been arrested and charged with locking his own bosses and colleagues out of the city's new fiber wide area network (WAN).

"Whoever was managing this guy also needs to be let go, with prejudice: one should never allow this many basic security rules to be broken, no matter how talented the admin is," a poster going as "Sotarr" remarked on SearchCIO-Midmarket.com's blog, CIO Symmetry. His statement echoed a sentiment attached to most news items covering the arrest of Terry Childs, 43, of Pittsburg, Calif.

What happens to Childs' superiors -- aside from the intrinsic embarrassment -- remains to be seen. But the version of the San Francisco snafu told by prosecutors, which paints Childs as a disgruntled employee, draws a nightmare scenario for any CIO. What horror awaits when you can't trust your own people?

Traditionally, CIOs and security professionals have focused on external threats, malicious attacks by people outside the company looking to exploit systems and steal data, said Jim Maloney, president and CEO of Santa Fe, N.M.-based Cyber Risk Strategies LLC.

But two recent surveys show that midmarket organizations are becoming significantly concerned about breaches from inside the business, malicious or not.

The 2008 (ISC)² Global Information Security Workforce Study, conducted by Frost & Sullivan, found that 51% of IT executives and security professionals consider internal employees "the biggest threat" to security. And an Information Security magazine survey this year found a full 70% of respondents concerned about detecting and shutting down internal attacks.

"It's a concern based on people reading the news and thinking about it," Maloney said. "I think there's more awareness and appreciation of the insider threat. An insider threat is both malicious and incidental. Sometimes it's an insider who has very high privileges, but they accidentally expose information."

Prosecutors claim that Childs was most definitely being malicious and that he hijacked the WAN he helped implement across San Francisco city government. He faces four felony charges of network computer tampering. Prosecutors say he improperly accessed the network for a number of weeks before eventually locking other administrators out and holding the passwords hostage.

More distressing is the accusation by authorities that Childs was exhibiting hostile behavior as far back as a month ago, taking pictures of his department's new head of security as she conducted a password audit on June 20, as reported by The San Francisco Chronicle.

A determined IT staffer has countless opportunities to sabotage a business's operations. Eliminating that risk is impossible, experts say, and minimizing it requires a series of security efforts that go beyond the IT department and extend across the business.

"One of the things that really caught my eye [in San Francisco] is you had an HR and IT communications breakdown," said Michael Maloof, CTO at Post Falls, Idaho-based TriGeo Network Security Inc., a maker of network monitoring tools.

"When you talk about the classic disgruntled employee, HR certainly has a responsibility to communicate back to IT, not the details or what discipline, but that there is a new situation."

CIOs can -- and should -- monitor employee network access, Maloney said. Concurrently, they should be careful not to alienate or intimidate employees by watching over their shoulders.

"I think you have to find a balance that you do have to let people know that you are monitoring and watching what's going on, but you have to have them appreciate the motivation and reasoning for it," he said. "It's not because you inherently distrust every employee."

Maloney said he has been "pretty impressed with the maturity of the data log prevention solutions" that give users warning pop-ups and alert administrators to certain instances of network access.

Maloof said there is nothing wrong -- and everything right -- with keeping an eye on even the highest-level IT staffers. Considering the accusations against Childs, he said the lockout could have been avoided.

"He had a perfectly legitimate right to have this access, but we all know in our day-to-day jobs you don't need to use this access," Maloof said.

Of course, it's not all about new security and monitoring products. Tried-and-true methods still work. Simple solutions, like requiring two administrator passwords for certain network activity, go a long way toward prevention, Maloney said.
