San Francisco Hack: Where Was the Oversight?
Page 1 of 2
If the City of San Francisco were a public corporation and allowed a blunder on par with the recent Terry Childs case, it might find itself facing federal investigation and Mayor Gavin Newsom might be fighting to stay out of jail, experts said.
Security experts contacted by InternetNews.com expressed dismay at the apparent lack of best practices in the city's IT department -- practices commonplace in the corporate world that they think may have stopped the debacle from happening.
Childs, a 43-year-old computer network administrator for the city's Department of Technology, was arraigned on four counts of computer tampering more than a week ago.
He faces allegations of tampering with the city's FiberWAN (Wide Area Network) network, which holds records such as e-mails from city officials, city payroll files, confidential law enforcement documents and jail inmates' bookings (presumably now including his own).
Childs reportedly created a password that gave him exclusive access to the system. When the police demanded the password, he gave them a fake one, and later refused to give the proper password even when threatened with arrest.
At his arraignment, Childs's attorney, Erin Crane, told the San Francisco Chronicle he was prepared to give up the password last week.
Childs finally gave up the password on Monday, July 21, when Mayor Newsom went to the jail himself to meet with Childs and his attorney. Since then, according to Ron Vinson, chief administrative officer and deputy director of the San Francisco Department of Technology, the city has been able to regain full access of FiberWAN and change the passcodes Childs put in place.
Childs is still being held on $5 million bail, a sum his attorney has called "crazy." A spokesperson for District Attorney Kamala Harris declined to comment when contacted by InternetNews.com. Crane did not return repeated messages seeking comment.
Raffael Marty, chief security strategist for security and compliance provider Splunk, said security best practices were clearly not applied to the city systems.
"You don't want to have a single person holding the key to the kingdom," he told InternetNews.com.
"I have heard that he was the focal point for everything, and that's incredibly bad practice to put everything in one person's hand," Marty added. "It seemed no one else had the information he had. There seems to be no emergency planning. What if he was hit by a bus? From a security standpoint, this is horrific."
The sentiment from Gartner security analyst Avivah Litan is "we told you so."
"It just goes to show everything Gartner's been trying to tell its clients is true," Litan said. "You've got to lock down privileged users' activities. You've got to monitor them."
"There isn't sufficient monitoring of employees," she added. "Most want to look the other way when it comes to employee activities, whether it's fraud or malicious activities. They don't want to admit they have a problem, so they don't want to work at solving a problem."
How Childs got away with so much is still unclear. In a Chronicle story, Mayor Newsom said Childs "got a bit maniacal." Vinson declined to comment on that statement, but did say that the city was attempting to implement best practices to prevent such a problem, "however, it appears that he was rebelling against them," he told InternetNews.com
Indeed, while most companies fear the external hacker breaching their walls, employees are often the ones to blame -- whether it's activities by someone like Childs or sloppiness as in cases like TJX, where files containing millions of customer records were breached due to weak security.
[cob:Pull_Quote]"The problem with this high risk-user group [IT professionals] is 86 percent of all internal attacks come from a current or ex-technical employee," said Cheryl Traverse, CEO at security appliance vendor Xceedium.
Traverse said companies often take a walled approach to security -- keeping outsiders locked out, but letting those within that wall roam freely, rather than being kept in place. The Childs case was an example of that, she said.
"You have to be able to create a compartment where people can work and do the job they are supposed to do, then you need to contain those people to the compartment they are supposed to be in," she added.
Continued on Page 2: More security, more accountability