
Tough Times for the City of San Francisco

I attended the ISSA-LA meeting last Wednesday. While I was eating lunch there, someone first told me about the nasty insider incident that occurred recently in San Francisco. A city of San Francisco computer engineer, Terry Childs, allegedly reset all network administrators’ passwords in the city’s network, which then became inaccessible for an extended period of time. The total loss resulting from this incident was estimated to be $250,000. Childs, who has since been arrested and charged with computer tampering, was allegedly unhappy about a law enforcement investigation that ensued after tampering activity within the network had been discovered.

Although more dramatic than usual, this incident is by no means unique. Time after time, incidents such as this one occur, with disgruntlement being the most common motive. It is surprising to me, however, that organizations learn of attacks such as these but do little in response afterwards. I would think that at a minimum information security staff would reexamine the most recent threat and risk analyses to determine whether insider attacks were considered and weighted sufficiently. It would also be reasonable to reexamine the level of residual risk due to insider activity to determine whether this level is still acceptable and, if not, what additional controls need to be implemented. But even if information security staff were to do all these things, I would not count on senior management being any more concerned about the insider threat than before, nor would I count on them to allocate more resources for controls that counter insider-related risk.

The city of San Francisco incident once again shows just how critical it is to monitor not only externally-initiated activity but also internally-initiated activity. Unfortunately, most intrusion detection systems are geared much more towards detecting externally-initiated attacks, and I am sure that whoever changed all the network administrator passwords carefully erased all evidence of this activity in the audit logs of the systems in which this activity transpired. Use of technology designed to detect insider attacks would have made all the difference in the world, in that the tampering activity would almost certainly have been discovered earlier and the culprit could most likely have been identified before the catastrophic outage occurred.
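To make the monitoring point concrete, here is an added example (not code from the original post) of the kind of insider-focused detection logic that would have flagged this pattern: a burst of administrator password resets by a single actor, plus any clearing of the audit log. The log format, account names and timestamps are constructed for the example; it assumes the log lines have been forwarded to a collector the administrator cannot edit, since a rule run over logs the actor can erase proves nothing.

```python
"""Flag mass admin password resets and audit-log clearing in forwarded logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not records from the incident. Assumed line format:
# "<ISO timestamp> <EVENT> actor=<user> target=<user|->"
SAMPLE_LOG = """\
2008-06-30T09:15:00 PASSWORD_RESET actor=helpdesk target=user42
2008-06-30T09:40:00 PASSWORD_RESET actor=helpdesk target=netadmin1
2008-06-30T22:01:10 PASSWORD_RESET actor=netops7 target=netadmin1
2008-06-30T22:01:12 PASSWORD_RESET actor=netops7 target=netadmin2
2008-06-30T22:01:15 PASSWORD_RESET actor=netops7 target=netadmin3
2008-06-30T22:01:19 PASSWORD_RESET actor=netops7 target=netadmin4
2008-06-30T22:02:05 AUDIT_LOG_CLEARED actor=netops7 target=-
"""
# Constructed list of privileged accounts whose resets deserve scrutiny.
ADMIN_ACCOUNTS = {"netadmin1", "netadmin2", "netadmin3", "netadmin4"}


def parse_line(line):
    """Split one log line into (timestamp, event, actor, target)."""
    ts, event, actor_kv, target_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            actor_kv.split("=", 1)[1], target_kv.split("=", 1)[1])


def detect(log_text, admin_accounts, threshold=3, window=timedelta(minutes=10)):
    """Return alert strings: audit-log clears, and any actor who resets at
    least `threshold` distinct admin passwords within `window`."""
    alerts = []
    resets = defaultdict(list)  # actor -> [(timestamp, target), ...]
    for line in log_text.strip().splitlines():
        ts, event, actor, target = parse_line(line)
        if event == "AUDIT_LOG_CLEARED":
            # Clearing the audit trail is itself the strongest signal here.
            alerts.append(f"audit log cleared by {actor} at {ts.isoformat()}")
        elif event == "PASSWORD_RESET" and target in admin_accounts:
            resets[actor].append((ts, target))
    minutes = int(window.total_seconds() // 60)
    for actor, events in resets.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct admin accounts reset within `window` of this event.
            burst = {tgt for ts, tgt in events[i:] if ts - start <= window}
            if len(burst) >= threshold:
                alerts.append(f"{actor} reset {len(burst)} admin passwords "
                              f"within {minutes} min")
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ADMIN_ACCOUNTS):
        print(alert)
```

The helpdesk account resets one admin password in the sample and stays below the threshold, which is the point: the rule keys on volume and speed across privileged accounts, not on any single reset.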

Additionally, this incident points to the need for better and more frequent background investigations, particularly for employees who hold critical positions in the IT arena. Most system and network administrators are beyond reproach, but let’s face it, some of them are not. Nevertheless, as a whole, system and network administrators are trusted way too much. Given that they are granted virtually unlimited power in the systems and networks that they administer, these individuals need to be under greater scrutiny than others, yet they are usually not. Thorough background checks need to be performed not only when personnel such as these are going through the hiring process, but also every year or two after they are hired. Interestingly, in 1982 Terry Childs (who, by the way, may or may not be guilty of the tampering charges he is facing) was convicted for aggravated burglary and was put on five years of probation.

Yes, the city of San Francisco incident leaves some very valuable “lessons learned.” Whether or not they will be heeded is, however, an entirely different matter.
