Thursday, November 16, 2006

Another Reason for Privileged User Monitoring

No sooner did I write about a CEO gone bad do I read this: Ex-IT Chief Busted for Hacking:

Stevan Hoffacker, formerly director of IT and VP of technology for Source Media, was arrested at his home yesterday on charges of breaking into the email system that he once managed.

According to the FBI and the U.S. Attorney for the Southern District of New York, Hoffacker hacked into his former company's messaging server, eavesdropped on top executives' emails about employees' job status, and then warned the employees that they were about to lose their positions.

I doubt there's any real "hacking" involved here. Hoffacker probably retained access or leveraged knowledge of configuration errors to access these systems.

The FBI did not say exactly how Hoffacker broke into the mail system, but it noted that the former IT exec had access to the passwords for the email accounts of other Source Media employees.

Of course, if Hoffacker was an "ex-IT chief," he wasn't a "true insider." He was an "ex-insider," who should have had all of the (hopefully) nonexistent access granted to an outsider. True, he had knowledge of the systems not possessed by the typical outsider, but just because I created systems for previous employers doesn't mean I can waltz onto their networks now.

Although I am bringing up the "inside threat" again, please don't forget that you probably have external intruders from all over the globe inside your organization now. While privileged user monitoring and insider threat deterrence, detection, and ejection are important, keep in mind the parties who are already abusing your corporate assets.


Rob Lewis said...

Privilege removal should not be like pulling teeth. It should be possible to be done quickly and immediately.

Francois Kashy said...

Although I am somewhat new to IT security, two principles seem evident to me:
- Security is only as strong as your weakest link
- The weakest link is the where the breach occurs
- Points of trust (i.e. with lesser or no controls) become your weak spots, or weak links, and therefore are the most likely points for a breach to occur.

It is self-evident to me that any place where you rely on trust becomes a weak spot in security and the most likely spot to be compromised. Therefore it is the people you trust the most (and those with the most impact on security) that should be the most closely controlled or at least monitored. For example, the CEO. said...

As an ex IT Head - he should that he would either have been caught by tracking users, or one of the employees he confided in - would bring this information to someone and start the ball rolling