Welcome to NBlog, the NoticeBored blog

I may meander but I'm exploring, not lost

Feb 3, 2009

Alleged Fannie Mae logic bomber denies charges

Reuters says:

"A 35-year-old computer programer pleaded not guilty on Friday to charges that he planted a computer virus designed to destroy all the data on 4,000 Fannie Mae computer servers the day he was fired from the company ..."

While we read about logic bombs in security textbooks, real world examples are relatively few and far between, in other words the probability of attack is quite low. The impacts could be significant, although in practice most attacks we read about have been thwarted while a proportion of successful attacks are likely either to be misdiagnosed as bugs, viruses, outsider attacks etc. or covered up by embarrassed managers. As so often when assessing information security risks, the true scale of the insider threat can only be surmised from imperfect data and hence contingency planning is sensible in case we miscalculate.

Disgruntled technically-competent insiders, usually IT professionals, get the blame for logic bombings. Logic bombs are but one example of the damage privileged insiders can cause, ranging from fraud and theft of intellectual property (personal or proprietary) to passive resistance such as faked incompetence and "accidental" damage to the IT systems and networks under their control. Last year's story of network administrator Terry Childs holding the city of San Francisco to ransom for the access password is another real-world example.

What controls would be useful to guard against this sort of situation? There's a wide choice including:
  • Management oversight - bosses keeping an eye on what their staff are doing (not so easy to arrange if the boss is the trouble maker and other bosses are incompetent to oversee or are simply unaware!);
  • Divisions of responsibility such that a lone cowboy cannot easily take advantage of his access (tricky again if he has system privileges and access to information, systems and processes that permit him to bypass or undermine standard access controls);
  • Laws, regulations, policies, standards, procedures and guidelines, not just to influence potential logic bombers (who, by their very nature, are unlikely to respect the rules) but also to establish and mandate the supporting/compensating procedural, technical and physical security controls;
  • Audits, whether periodic/planned/pre-notified or ad hoc/unannounced/surprise visits, plus management reviews and similar checkpoints, particularly when scoped and panned specifically to address this issue and performed by experts with prior experience in this area;
  • Technology-related controls such as air-tight change and configuration management processes; scans for unauthorized or inappropriate source code, malware and hacker tools on production systems; logical access controls as a whole; trustworthy backups; network intrusion detection and content management systems etc.;
  • Slick incident management processes to identify and respond rapidly and efficiently to potential incidents and thus limit the damage;
  • Liabilities on those responsible, whether employees or third parties, that are legally defined and practically enforceable in employment or service contracts (an after-the-fact contingency or corrective control);
  • Whistleblowers' hotline - a facility to encourage peers and co-workers (including managers and HR people dealing with clearly disgruntled staff) to report their concerns or suspicions in confidence for independent review;
  • Security awareness, training and educational activities, for instance promoting the whistleblower's hotline and policies, and training those who oversee IT operations in the symptoms of insider attack to watch out for (e.g. when logic bombers develop and test their evil schemes prior to the Big One);
  • Pre- and para-employment screening of employees in an attempt to locate and drop the bad apples, assuming that they can be identified as such (some believe that bad apples can be psychologically profiled but this practice is probably more art than science - merely being a social misfit or square-peg-in-a-round-hole is not in itself sufficient cause to track or sack somone, and such people can be extremely beneficial and creative if somewhat difficult to manage employees);
  • Sensible termination procedures, designed to remove possible hitches from a leaver's last few days or weeks on site (e.g. arranging for an "understudy" to shadow a leaver, both to pick up important new skills and to watch out for inappropriate activities);
  • Keeping employees gruntled, not disgruntled (!). Seriously, maintaining good employer-employee relations is a general baseline control against many forms of insider threat, and a particular challenge for management in an economic downturn. Procedural controls are particularly likely to suffer when people have other things on their mind than the organinization's best interests.