Tuesday, November 11, 2008

Laid-off Sys Admin Story Makes My Point

I read this great story by Sharon Gaudin titled Laid-off sysadmin arrested for threatening company's servers:

A systems administrator was arrested in New Jersey today for allegedly trying to extort money and even good job references out of a New York-based mutual fund company that had just laid him off...

Viktor Savtyrev, of Old Bridge, N.J., was arrested at his home Monday morning. He faces two charges under the federal cyberextortion statute...

Late in the morning of Thursday, Nov. 6, Savtyrev allegedly used a Gmail account to e-mail the company's general counsel and three other employees, saying he was "not satisfied with the terms" of his severance, according to FBI Special Agent Gerald Cotellesse in the complaint. Savtyrev allegedly threatened to cause extensive damage to the company's computer servers if it would not increase his severance pay, extend his medical coverage and provide "excellent" job references.

The sysadmin also threatened to alert the media after attacking the server.


Now, I know many of you are saying "See! The insider threat is so terrible!" I look at this story and think the opposite. This story exemplifies the point I made in Of Course Insiders Cause Fewer Security Incidents. If the potential intruder in this case had been an adversary in East Slobovia, the victim company would have no recourse. The bad guy could take whatever action he wants because no one can touch him.

Because the potential intruder was an insider, the victim company knew who he was, where he lived, and could enlist law enforcement help to arrest him.

Like I also said in the previous post:

However, as I've said elsewhere, insiders will always be better informed and positioned to cause the most damage to their victims. They know where to hurt, how to hurt, and may already have all the access they need to hurt, their victim.

This is another strike against those who believe in vulnerability-centric security. No company has air-tight defenses, so even if you do a good job revoking access from ex-employees they still can strike back. At least when they are former insiders you have a chance of putting them out of commission by striking at the threat, not patching more holes.


Richard Bejtlich is teaching in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

14 comments:

Matt said...

Being a sysadmin is enough to drive anyone crazy. Trust me, I know.


Anonymous said...

Richard, let me voice my opinion: I read your blog for a long time, and see that the content is less and less technical, and more and more boring, like this entry.

Look again, now very few entries catch my eyes, and I think most others share my view.

This has been happening for a year or so. Perhaps that is because you are no longer a technical guy, but have become a business and manager guy?

I do hope to see more technical and interesting content here. No more boring posts, please.

Richard Bejtlich said...

Anonymous,

First, I write this blog for me. I use it to organize my thoughts. If you don't like it, you're not wasting anything other than your time. This blog is free and I don't charge subscriptions or even use Google Adsense.

Second, this blog isn't the only place I write regularly. Maybe you would prefer my Snort Report articles? Those tend to be more "technical."

Third, I don't think "most others" share your view, given the amount of public and private feedback I get.

Overall, if you want different content, shed your anonymous label and post your own stories elsewhere. Good luck.

yoshi said...

Richard, I have a really hard time seeing your point. You attack "vulnerability-centric security" with an equally narrow (minded?) approach to information security.

Anyone worth their salt in this industry takes a holistic approach to risk management. Proper process would have found this guy sooner or prevented him from doing damage in the first place. In addition - any security implementation should work regardless of how much you know about that implementation. I have in-depth knowledge of a number of perimeter systems at banks since I partially implemented them. But due to proper implementation of those systems and working in a team environment with third party validation - my ability to break into said systems is not improved.

It all comes down to implementation and process ... which is where I think you have a gap - have you actually implemented anything? I'm being serious since I read many of your blog postings and am perplexed by your approach sometimes.

(For the record - I know no one - not a single person - who believes in "vulnerability-centric security".)

James said...

This is the best quote I've seen in a while. "know where your data is, who has access to what, read your logs, guard your perimeter, minimize complexity, reduce access to "need only" and segment your networks. Those are the practices and techniques that result in real security"
AMEN!!

Mike said...

I have run across people who believe in 'vulnerability-centric security'. I had an RHCE instructor several years back state that it was a waste of time to deploy an IDS or honeypot on your network. His recommendation - patch, patch, patch and everything would be fine. He had a lot of implementation experience working for a large bank.

On the other hand I haven't found any IDS people argue for zero vulnerability remediation. It's not a binary choice, of course you need to patch where and when you can and harden systems.

As far as having good processes in place as prevention - It would be very difficult to have a process in place that could prevent a rogue, expert sysadmin with full access from back-dooring a system. That doesn't mean that you shouldn't have processes, just don't be lulled into a false feeling of security.

Finally, I've been a reader of this blog for several years and I definitely don't find it boring in any way.

Anonymous said...

No, this wasn't a technical post, but security is in most situations less than 50% technical. Granted, computer forensics and incident handling have all the geek sexiness, but that's not all there is.

Policy and procedure is what failed in this situation. Job rotation, least privilege, and proper termination of accounts are all parts of good information security practices. Definitely relevant, just not technical.

Anonymous said...

With regard to some previous comments, I would point this out:
Richard takes pains to sort through some of the fundamental issues of information security in a more heuristic fashion, drawing analogies from real world physical security.
An approach, I might add, I often resonate with.
Without a proper "worldview", the best techniques, processes, and technicalities run the risk of being misguided.

zoom said...

Just read the article. I was wondering why the feds would get an indictment for one email. It was more and they even taped the guy.

Desperation. 100k+ to zero. I mostly agree with your views, but I also say people need to contact law enforcement more often. The vast majority of the incidents go unreported. True that most of the incidents are caused by people in another country, but it doesn't mean they can't be touched.

The feds did a great job taking down the Eastern Europe crew. Local LE can't do much, but I got the Secret Service to assist on an advance fee scam that led to a ring in three major US cities. The FBI helped out with a field agent in Nigeria and they got the local LE to put the grabs on the leader. Small money so you're not going to see it in the news, but good things do happen.

Make the reports guys. If anything, a big number of complaints may get the news people talking and in turn get the LE brass to start seriously looking at how to coordinate investigations. Look at the UK, those guys are fantastic.

Oops, I'm rambling...sorry.
