The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

July 19th, 2008

Why San Francisco’s network admin went rogue

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/07/18/30FE-sf-network-lockout_1.html

To an auditor, or anyone with security training, this screams of a security risk.
One critical guy who has no backup, who holds private and sole knowledge of the system, who never takes vacations, and who is arrogant and protective of his knowledge.
It’s a classic case of what should be avoided. There are no management controls in place. He could have been running any number of illegal operations, scams or sales of bandwidth to criminal groups, set up a virtual network … whatever. No-one would know. “Dual controls” are fundamental to any critical operation - they are intended to prevent the abuse of privilege we see in this case, to divide responsibility for the completion of a process into separate, accountable actions, and so to safeguard integrity. Childs represents a single point of failure, and management is at fault for letting this situation arise.

His ‘pride in his work’ and treating the network like a child also comes across as a disregard for the end users, the people for whom the network is supposed to function.

It certainly appears that Terry Childs believed San Francisco’s FiberWAN network was his baby, and that by refusing to allow others to access the inner sanctum was in the best interests of the city, the citizens, and perhaps most importantly, himself.

Himself yes, the others, no. His dog-in-a-manger attitude shows a disregard for the end-user, municipal clients, his peers and those he should be mentoring.

His attitude towards management, formal procedures (like change controls and documentation), standards and automation of processes is frightening. These are signs that an auditor should have caught long ago. The question is ‘why didn’t that happen?’

As I said, his managers are at fault for letting this situation arise.
Once again it’s the suit-geek dichotomy: because they don’t want to know about the technical issues or be involved in them, the managers let geeks like Terry Childs have free rein and don’t institute basic controls.

So when they do have to rein him in — UPSET. They are now paying the consequences.

The city is better off without Childs, but unfortunately it would also be better off without some of his managers too. What it does need is proper administration, both of its networks and of its technical staff.

Forcing the issue may have impacted the city’s use and control of its network in the short term but not in the long term.

I suspect that the situation will resolve itself with Terry Childs as the scapegoat and his managers being absolved. Our legal system has an all-or-nothing attitude towards accountability. In a just world the managers who let this happen would be punished. Knowing how government IT works they will probably be promoted.

Will the City IT institute some basic controls and policies? Possibly, but once again I’m cynical and suspect they will be specific and reactive ones rather than wise and encompassing ones that calmer minds consider as a good baseline of security management practice and staff administration.

July 15th, 2008

Motive isn’t necessary to convict

http://government.zdnet.com/?p=3874

There’s an old joke about a man brought before the court for breaking and entering, not because he was caught in the commission of a crime but because he was found in possession of housebreaking tools - crowbars, glass-cutter and so forth.

When found guilty by the judge, he said “well, you’d better convict me for rape as well since I have the tool for that”.

This case is neither new nor precedent-setting, as Professor Alan Dershowitz of Harvard Law School pointed out … back in 1988 in his book “Taking Liberties”. Some of his other books at Amazon are listed here.

September 28th, 2007

Why I don’t see the need for elaborate Risk Analysis

http://www.informationweek.com/news/showArticle.jhtml?articleID=202101781

Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.

“It’s so easy. It’s so easy a caveman can do it,” Moore told InformationWeek, laughing. “When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure.”

Even before I took up auditing as a profession, every client I dealt with had glaring errors and omissions in their security arrangements, be it physical, logical or documentation.

Yes, this includes divisions of banks (brokerage firms were the worst).
Most of the horror stories would be familiar to people who read and contribute to security forums and blogs. This is what is, when it comes down to it, really astounding: the omissions from the ‘baseline’ of good practice on obvious issues like documentation (so as to span the employment of different sysadmins and communicate within the IT group); restricting access to the root password (especially for developers); not doing development on the production machine/database; backups that reflect the business and not just the convenience of the hardware/sysadmin; documenting (and hopefully approving!) changes; actually installing and configuring the firewall, which, of course, assumes there is a policy that reflects the business needs rather than the ‘best guess’ of the sysadmin to determine how it’s going to be configured.

And so on and so on.

So it gets to be, if you’ll pardon the analogy, like worrying over the diseases of civilization - Alzheimer’s, osteoarthritis/osteoporosis, ALS, macular degeneration, diseases due to over-rich diets, senescence in general - when you don’t have an adequate diet or clean water to drink.

“Standards” like ISO 17799/27001 and ITIL aren’t trying to do anything more than lead people through a process to make them deal with the basic good practices. When they talk of things like Risk Analysis they are trying to get people to think about risk and their risk posture, and that is, all too often, sadly, something most firms don’t seem to have got around to.

Judging by what I see people asking - as well as asserting - on other forums about security and risk, most of the IT industry is in a bad way and doesn’t even know it. Of course the dominance in IT departments of the techie-geek-and-proud-of-it who has a dislike for ‘suits’ means that there is an unhealthy obsession with equipment (rather than business processes) as assets, and with identifying and enumerating individual threats and vulnerabilities rather than their effect - as classes - on the business processes and how to mitigate or recover from those effects. (In other words, FMEA. You knew I was going to get around to saying that, didn’t you :-) )

Let’s worry about the baseline before we try to address the esoteric.

January 1st, 2007

2006: The Year of the laptop … stolen that is

When did you last secure your laptop?

The last year seems to have been a bumper one for stolen laptops, especially ones stolen from high-profile companies and which contain plenty of personal information.

Many of the companies concerned seem to think that having password protection is adequate. Others think that because the laptop was stolen “for the hardware” and not for the information on it, all is OK. A couple think that firing the person who was using the laptop makes everything OK.

“If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware.”

Well, I don’t think so.

Will things change?

At the very least, the publicity has made it clear to thieves that the information on the laptop is more valuable than the hardware. This year, 2007, any thief with any sense will sell the data and throw away the laptop. Perhaps on a rubbish tip - oh, I see one did that :-)

Here is a summary of some news articles from 2006


December 11th, 2006

What exploitation of “Child Labour”?

http://news.bbc.co.uk/1/hi/technology/6220416.stm

We’ve seen the reports in the glossy weeklies about the revolutionaries in Africa recruiting young children. Our Western sensibilities are offended by this “corruption of innocents”. But here’s something more like the criminal ‘child labour’ gangs of Dickens.

Dickens had a unique perspective on the subject of child labour, reflecting upon his own experience working at Warren’s Blacking Factory at the age of twelve when his father was held in debtor’s prison. Completely on his own, working long hours in rat-infested quarters, young Dickens felt abandoned by his family, and his bitterness over this period of his childhood continued to influence his life and writings.

How different from the well educated, well fed modern child of middle-class parents in a room of his own in suburbia surrounded by the trappings of modern adolescence and with all that computing power. Dickens would be hard pressed to pen a novel that fostered enough sympathy for the plight of such children as to press for social reform.

The boom in cyber crime is forcing criminals to go to great lengths to recruit skilled hackers, says a report. Some criminal gangs are paying students while they study to ensure they have a pool of tech-savvy workers to call on, says the report from McAfee.

Others are cashing in on the glamour of the hi-tech world to tempt youngsters into embarking on a life of crime.

McAfee said children as young as 14 years old were being targeted by some criminal gangs.

What a contrast from Dickens’s time when the children were forced by economic circumstance to work long hours under dreadful conditions with a high mortality rate.

Personally, I feel the media has a lot to be accountable for with the way it glamorizes “hackers” and criminal activity. The movie “Swordfish” probably rolls all these factors into one better than any other I can think of.


As well as the direct route of targeting students, some organised crime gangs were trading on the glamour surrounding the “hacker” label to help them recruit impressionable youngsters, revealed the report.

The aura of rebellion the name conjured up helped criminals ensnare children as young as 14, suggested the study.

So what will this lead to? More parental paranoia and control? By some, probably, but more likely not by those whose children are most at risk. The practice of instilling fear in parents about their children for any number of reasons - academic achievement, exposure to physical and on-line predators, that they don’t get enough ‘ice time’, and so many other factors - is getting to be unhealthy.

But what are we to do?
