Does the name Terry Childs mean anything to you? What about Roger Duronio? Chris Harn or Jerome Kerviel? How about Marie Lupe Cooley?
They are all examples of trusted insiders alleged to have gone bad -- to have abused their positions for personal gain, financial benefit, or, in some instances, simple gratification or revenge. And they're all making big headlines.
These fascinating cases are a new entertainment form brought to you courtesy of Web 2.0.
Childs holds the virtual keys to the city. Though having pleaded not guilty to all sorts of malfeasance, he's still being paid his $127,735 annual salary as a network administrator in the City of San Francisco's technology department.
Childs is alleged to have manipulated the system to give him singular control of the city's new FiberWAN network -- the backbone of the city's applications and data management systems -- controlling an estimated 60 percent of all its data, including public safety, law enforcement, payroll, and email. This story is a great big jelly doughnut -- take even a small bite and some of the filling invariably squirts out in all directions. Messy but good! In the meantime, everybody else is locked out of the city's system and networks.
Here's San Francisco Mayor Gavin Newsom's spin: "There's nothing to be alarmed about, save the inability to get into the system and tweak the system. Nothing dramatic has changed in terms of our ability to govern the city."
Really? So why the $5 million bail for Childs? Why all the stories in the media? Why the press conference by the District Attorney's office?
The mayor has said that the city has brought in experts from Cisco to help them solve the problem. They are hoping to break into the network. How beautifully ironic... only the bad guy can get in.
According to San Francisco's mayor, if the experts cannot get in, the entire network may have to be rebuilt, which will take at least eight weeks, at significant expense. Wow! One guy seems to have caused quite a problem.
Or has he? Blogger Paul Venezia is not convinced it's that a big a deal. If his assumptions are close to being right, he suggests that he could fix the problem in less than a day, saying it can't be as hard as it sounds. However, it also can't be all that easy, because the problem persists.
One quick conclusion: Security is a media event that can quickly become a feeding frenzy. There have been dozens and dozens of stories being run in major tech news venues. Just Google "Terry Childs" and see for yourself. As a security professional, be sure to keep this in mind: Today’s breach is tomorrow’s headline.
These kinds of stories expose the many new realities of IT, info-security, and today's networked world. They include trusted insiders; public figureheads; mainstream media; the blogosphere; network architecture and design; business continuity and disaster recovery; risk analysis; the legal process, and probably at least a dozen more.
Here is another conclusion: The notion of a completely trustworthy insider has been assaulted. And the price will be paid by every legitimate and trustworthy insider out there. So as a trusted insider, the question now becomes, how would you prove your own good conduct?
There are several other takeaways here. First, it shows how vulnerable systems and networks really are. Secondly, it erodes the inherent trust that insiders receive -- but maybe this is a good thing after all. The kneejerk response to this supposition from the security community is likely to be "What, are you crazy?" Should everyone, even IT insiders, be continually under suspicion, or do we really need to be able to trust someone? Email me here and let me know. I'll report back after compiling the results and give you my perspective as well.
— Paul Doyle, independent consultant and co-founder of the Information Assurance Consortium
This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts. Or maybe a padlock. Use it to conceal that Post-It with all your passwords on it.
Digg
Del.icio.us
Reddit
Email This
TWEET THIS
