Real Insider Threats

Just the other day I read the following in Cliff Berg's book High-Assurance Design:

Roles should be narrowly defined so that a single role does not have permission for many different functions, at least not without secure traceability.

The CTO of a Fortune 100 financial services company once bragged to me over dinner that if he wanted to, he had the ability to secretly divert a billion dollars from his firm, erase all traces of his actions, and disappear before it was discovered.

Clearly, the principles of separation of duties and compartmentalization were not being practiced within his organization.

Now I read the following in VARBusiness:

Federal law enforcement officials Tuesday arrested the well-known CEO of White Plains, N.Y.-based MSP provider Compulinx on charges of stealing the identities of his employees in order to secure fraudulent loans, lines of credit and credit cards, according to an eight-count indictment unsealed by the U.S. Attorney's office in White Plains.

Terrence D. Chalk, 44, of White Plains was arraigned in federal court in White Plains, along with his nephew, Damon T. Chalk, 35, after an FBI investigation turned up the curious lending and spending habits. The pair are charged with submitting some $1 million worth of credit applications using the names and personal information -- names, addresses and social security numbers -- of some of Compulinx's 50 employees...

Terrence Chalk is also charged with racking up more than $100,000 in unauthorized credit card charges. If convicted, he faces 165 years in prison and $5.5 million in fines, prosecutors say. Damon faces a maximum sentence of 35 years imprisonment and $1.25 million in fines.

These are exactly the problems I mentioned earlier. Both cases make me sick. In the former, the Fortune 100 CEO knew his organization was broken but he thought it was a joke. In the latter, someone in a position of authority abused his access and ruined the financials lives of his employees.

This is a great example of the need to implement proper corporate governance by not centralizing the roles of CEO, President, and Chairman of the Board in a single person. Furthermore, none of those people should have access to the data abused by Mr Chalk. That level of access should stop at the VP for Human Resources.

Obviously the smallest of companies (mine included) can't separate certain duties because there are too many roles for too few people! However, organizations with 100 or more employees should certainly be taking steps to limit the access all employees have -- including the CEO.

This includes system and security administrators. According to surveys like those conducted by Dark Reading, a certain percentage of those with privileged access are abusing their power.

I often hear that system administrators should be responsible for securing their systems. I believe that sys admins should configure their systems as securely as possible, but outside parties (auditors, independent security staffs) should be responsible for auditing system activity and ensuring operation in compliance with security policies.

At some point we will also be able to remove the ability of system administrators to access sensitive data, perhaps using role-based access control (RBAC). There is no need for a sys admin who maintains a platform housing Social Security numbers and the like to be able to read those records. It will not be popular for current sys admins to relinquish their "godlike" powers, but it will result in more secure operations. Sys admins are data custodians; they are not data owners.