Security Views Case Study #3 - The long-time employee threat
This breach (click HERE) apparently occurred at a service provider, whose employee stole and sold 2.2 million individuals’ personal information; 99,000 of them had credit card info.
What went wrong?
The individual, a senior database administrator who had worked at the company for seven years, saw the opportunity, didn’t think he’d get caught, and took the chance.
1) Either there were no confidentiality safeguards on the client’s information, or the safeguards that existed were weak enough for a single person to exploit.
2) Access logging and/or audits of access logs were not being done. (If they were, the thief would have known he would get caught, unless he was the only one responsible for the audits. But then the theft might never have been detected.)
The Bottom Line
1) Sensitive confidential information must be identified and protected throughout its lifecycle with confidentiality safeguards such as encryption and/or access controls, as well as detection safeguards such as audit or access logs.
2) Safeguards for sensitive confidential information must have some kind of two-person control or separation of duties to ensure that no single individual can cause a breach and cover their tracks without being detected.
3) Audit processes and the existence of other safeguards (but not their details) should be communicated to all employees to ensure that they are aware that insider attacks will be detected and prosecuted according to employment agreements and acceptable use policies. This is a form of deterrent (unless too many details of how the safeguards work are revealed).
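Points 1) and 2) above can be made concrete. The following is an added example, not code from the case study or from the organisation involved: it models an audit log of database access in which every entry is chained to its predecessor with an HMAC under a key held by the audit function rather than by the DBAs (separation of duties), together with a review rule that flags reads of sensitive tables that return far more rows than routine administration needs (a detection safeguard). Table names, user names, the key and the log lines are all constructed for illustration; the row counts 2,200,000 and 99,000 are taken from the case study.

```python
"""Tamper-evident audit log with a bulk-access detection rule.

Constructed example (not the page's or any real system's code). Two controls
from the case study are modelled:

  * detection safeguard: every query against a sensitive table is written to
    an append-only audit log, and an independent review flags reads that
    return far more rows than routine administration plausibly needs;
  * separation of duties: each log entry carries an HMAC over the previous
    entry's MAC and its own record, under a key held by the audit function,
    not by the DBAs. A DBA who edits or deletes entries to cover their tracks
    breaks the chain, and the next verification run exposes it.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Tables the organisation has classified as sensitive (constructed names).
SENSITIVE_TABLES = {"customers", "payment_cards"}

# Rows a routine administrative read of a sensitive table plausibly returns.
BULK_READ_THRESHOLD = 10_000


@dataclass
class AuditLog:
    """Append-only log; each entry's MAC covers the previous entry's MAC."""
    key: bytes                      # held by the audit function, not the DBAs
    entries: list = field(default_factory=list)

    def _mac(self, prev_mac: str, record: dict) -> str:
        payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, **record) -> None:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        self.entries.append({"record": record, "mac": self._mac(prev, record)})

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Recompute the chain. An edited entry breaks it anywhere; a deleted
        tail is only caught when the auditor compares against a copy of the
        latest MAC kept out of the DBA's reach (expected_head)."""
        prev = "0" * 64
        for e in self.entries:
            if not hmac.compare_digest(e["mac"], self._mac(prev, e["record"])):
                return False
            prev = e["mac"]
        return expected_head is None or hmac.compare_digest(prev, expected_head)


def flag_bulk_reads(log: AuditLog, threshold: int = BULK_READ_THRESHOLD) -> list:
    """Return (user, table, rows) for SELECTs on sensitive tables above threshold."""
    hits = []
    for e in log.entries:
        r = e["record"]
        if r["table"] in SENSITIVE_TABLES and r["action"] == "SELECT" and r["rows"] > threshold:
            hits.append((r["user"], r["table"], r["rows"]))
    return hits


def build_sample_log() -> AuditLog:
    """Constructed activity: routine work, then a bulk extraction by one DBA."""
    log = AuditLog(key=b"constructed-audit-key-not-for-production")
    log.append(ts="2007-06-01T09:12:00", user="dba_alice", action="SELECT", table="customers", rows=1)
    log.append(ts="2007-06-01T09:40:00", user="dba_bob", action="UPDATE", table="customers", rows=3)
    log.append(ts="2007-06-01T22:05:00", user="dba_bob", action="SELECT", table="customers", rows=2_200_000)
    log.append(ts="2007-06-01T22:07:00", user="dba_bob", action="SELECT", table="payment_cards", rows=99_000)
    return log


def covering_tracks_is_detected() -> dict:
    """Two ways an insider might doctor the log, and whether each is caught."""
    head = build_sample_log().entries[-1]["mac"]   # auditor's off-host copy of the latest MAC
    # (a) rewrite the row count of the bulk read so it looks routine
    edited = build_sample_log()
    edited.entries[2]["record"]["rows"] = 1
    # (b) delete the incriminating entries entirely
    truncated = build_sample_log()
    truncated.entries = truncated.entries[:2]
    return {"edited": not edited.verify(head), "truncated": not truncated.verify(head)}


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for user, table, rows in flag_bulk_reads(log):
        print(f"REVIEW: {user} read {rows} rows from {table}")
    print("tampering detected:", covering_tracks_is_detected())
```

The design point worth noting is in `verify`: a hash chain alone catches an altered entry but not a deleted tail, so the auditor must also hold the latest MAC somewhere the DBA cannot write to (a separate log host, a printed daily digest). That is the two-person control of point 2) expressed in the log's own mechanics: the person who can run the queries is not the person who can make the record of them disappear.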
Do you have any comments on this case study? Feel free to speak your mind.
Disclaimer: This analysis is only based on the breach information provided in the SC Magazine article, which is assumed to be accurate. It is only intended as general Security Management guidance, and to illustrate approaches that can help reduce security risks in an organization. If you would like to obtain assistance in this type of analysis for your organization, you can contact me by clicking HERE.


LonerVamp on 13 Jul 2007 at 1:41 pm
One could bring up a discussion of separation or rotation of duties as well. If there was access logging, maybe this DBA was the one who oversaw it.
Also, I wonder about his management. Did they know anything about this DBA? Was he disgruntled? Did he suddenly start living a higher life than his pay grade? His immediate manager should be making his first priority to know his/her human resources. There will always be surprises (like me suddenly becoming a serial killer despite not fitting any profile), but the generality is a generality for a reason.
In the end, this guy had access, and likely this breach was not preventable. But it was detectable and mitigatable. (If not downright deterred with rotating duties and proper logging.)