Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Watching the UBS trial.

I hadn’t even heard about the sabotage of UBS PaineWebber’s systems until recently.  The ongoing trial is fascinating, especially since it centers around the use of this simple little thing:

According to InformationWeek’s reporting, which you can find here, here, here, and here, the evidence for the prosecution consists mainly of these items:

  • They found two copies of the code on the defendant’s computers, and one on his bedroom dresser.
  • The defendant, who was ticked off that his annual bonus came up $15,000 short that year, went out and bought $23,000 worth of put options just before the logic bomb went off, the vast majority of them betting against his employer.

The desperation of the defense is entertaining to see:  they’re reduced to complaining that the first company UBS hired for the investigation, @Stake, had former black hats in it; that the Secret Service made the images of the disks they seized at their field office instead of in the house; and that there was a single latent, mystery fingerprint on the piece of paper with the bomb code.

Now, obviously this defendant was himself a time bomb waiting to go off.  He fits the classic profile of an insider threat.  He was having money problems, he was an older IT employee, and was probably showing signs of narcissism:

A sense of entitlement, associated with the narcissistic personality, refers to the belief that one is special and owed corresponding recognition, privilege or exceptions from normal expectations. This sense of “specialness” is often associated with a self perception of gifts or talents which are unrecognized by others. The perception that this specialness is not being recognized by authority figures often combines with a pre-existing anger at authority to produce feelings in these individuals that they have been treated unjustly and are entitled to compensation or revenge. Often, this sense of entitlement is supported by special arrangements or exceptions to rules granted to highly valued but “temperamental” MIS employees. Thus employers actually reinforce this belief, up the ante, and contribute to what often becomes an inevitable crisis. The current shortage of information technology personnel may also influence feelings of entitlement among older information technology employees, who may resent special treatment and bonuses paid to new hires. 

(bold emphasis mine)

The worst thing you can do is to make special exceptions for bad behavior on the part of a system administrator or privileged programmer.  Not only is it not necessary—there are plenty of technical people who are just as good who don’t have the emotional maturity of a three-year-old—and not only does it hurt morale in other parts of the organization, but it can lead to reinforcing that bad behavior, as shown above.  System administrators and security professionals should be held to a higher standard, not a lower one. 

How do you protect against an insider threat like that?  Well, first, by acknowledging that it exists, and making plans for it.  In fact, if you try to implement additional separation of control and monitoring, you’ll be able to pick out the potential problem children by seeing which ones object to it.  Real sysadmins aren’t threatened by separation of powers; they welcome it because it’s an additional layer of protection for them.  If anyone insists that they’re above being watched, if they vehemently defend their right to be trusted (i.e. special)—watch them more carefully.

Many people would try to defend against this sort of attack by approaching it from the vulnerability standpoint.  They’d claim that using host-based monitoring or Tripwire would have reduced the likelihood of this little file being pushed out to so many servers.  (It wouldn’t have.  There’s no way you can monitor and investigate every time a sysadmin does an rdist to thousands of machines.)

This is a classic case where you have to manage the threat, not the vulnerabilities.  For one thing, you can’t possibly think of all the vulnerabilities and eliminate them.  And when your threat is also a trusted element, everything is a vulnerability.  All your defenses have to be threat-centric.

(Of course, as Schneier points out, this principle applies to quite a few bigger problems, too.)

Yes, UBS will have a lot of work to do to make sure this sort of thing doesn’t happen in the future.  I hope they’re spending their security money in the right place.

UPDATE:  Duronio was found guilty.  And yes, it appears he was angry.


Posted by shrdlu on Monday, June 26, 2006