Insider threat looms large as San Francisco's network crisis plays out

Others turn to document control software, lock out USB drives to safeguard data

The unfolding cliffhanger in San Francisco this week - in which a city network administrator has been arrested for allegedly holding the network hostage - represents an extreme example of the insider threat that IT security vendors and others have been sounding the alarm about for years.

The unfolding cliffhanger in San Francisco this week – in which a city network administrator has been arrested for allegedly holding the network hostage – represents an extreme example of the insider threat that IT security vendors and others have been sounding the alarm about for years.


IT administrator pleads not guilty to network tampering | See courtroom images here.


City prosecutors and San Francisco Mayor Gavin Newsom were still seeking to resolve the crisis by having experts try to take back the city's compromised network from 43-year-old Terry Childs, who was arrested when he refused to relinquish network control.

There's worry that Childs, who has worked for the city for five years but faced firing for alleged poor performance, may have installed the means to electronically destroy sensitive documents. Childs, being held in a jail cell on $5 million bond, also happens to be a former felon convicted of aggravated robbery and burglary stemming from charges over two decades ago, which the city knew when it hired him as a city computer engineer.

He has pled not guilty to four counts of computer tampering, accused of creating a single password and denying any other administrator access to the city's network. His lawyer in the ongoing negotiations says Childs is "willing to cooperate."

"So far he's not willing to give the passwords out and we're still trying to regain access," says Ron Vinson, chief administrative officer for the city's Department of Technology, who says Childs was part of the team that designed the city's network that has taken shape over the past four years. He adds that city workers currently do have normal access to records.

The insider threat is typically described as including disgruntled and unscrupulous employees trying to gain access to information they shouldn’t, and sharing it for personal gain, espionage or revenge. Finding countermeasures now looms large in the plans of many companies—especially ones that have been hit. (Compare Data Leak Protection products.)

“A year ago we suffered some breaches,” says Steve Farrow, managing director for the U.K.-based operations of Pilz, the Ostfildern, Germany-based manufacturer of industrial safety machinery. “We suffered a physical break-in where someone stole hard disks in order to steal computer data, not taking the whole machine. They targeted intellectual property linked to development plans. It wasn’t encrypted.”

Farrow thinks an insider is probably the culprit, though no one was caught despite police effort. In another case around the same time, says Farrow, an employee went to work for a competitor, handing the new employer plenty of electronic data about financial reports and product-launch dates. The combination of those two events spurred Pilz to undertake new defenses in data protection by rolling out document-control software for security.

The software from Liquid Machines for enterprise-rights management establishes read, write and print controls on sensitive research and business information, while storing it encrypted. “Everyone in the company who has a computer is getting this,” says Farrow, noting this means about 1,300 people. He adds that physical security has also been tightened after what was seen as an emergency at the firm.

Concerns about the potential for a rogue insider stretch far and wide.

Dale & Thomas Popcorn, the Englewood, N.Y., distributor of gourmet popcorn through retail stores and the Web, has disabled the USB thumb drive access on all of its computers as one step to prevent sensitive business data from being too-easily compromised.

“You could easily pull up a customer list and export it,” says Norm Steiner, manager of IT infrastructure there, alluding to the general worry about the insider threat. Dale & Thomas uses the Promisec software, designed to address the insider-threat potential, to continually scan to make sure computer settings are in place. All employees are denied USB thumb drive use, says Steiner, and if they think they really need access to it on their computers, they have to formerly apply for it through the IT department in conjunction with business groups, such as human resources.

“There are denials, and they get upset,” says Steiner about how employees sometimes react to hearing “no.”

General Dynamics also takes the insider threat seriously.

General Dynamics makes use of the ArcSight security and event management tool to centralize collection and analysis of security events on both its own internal networks and for some federal agencies under a Dept. of Homeland Security contract. The firm is looking at expanding that capability to better monitor user application use.

By installing ArcSight’s new IdentityView add-on to watch for database use, General Dynamics hopes to get better visibility into what network users are doing and whether they’re authorized to do it.

“There are sensitive databases in the government that determine who can stay in the country and who can’t,” says Bil Garner, General Dynamics project manager. IT and applications teams create resources for users, he notes, “But who can access what is very much an issue.”

General Dynamics anticipates that IdentityView will become a tool to monitor user activity and “tie an event to a user,” says Garner. “Before it was just an event.”

San Francisco’s Terry Childs is not the first IT administrator to have been accused of going on a rampage. There have been several cases in the past, including the case of Roger Duronio, the former UBS PaineWebber computer systems administrator, convicted two years ago for planting a malicious-code “logic bomb” that caused more than $3 million in damage and repair costs to the UBS computer network.

The motive, according to New Jersey prosecutors, was that Duronio was angry about the $32,500 annual bonus he got in 2002, which was less than the $50,000 he was expecting. He was sentenced to 97 months in prison.

And in another IT insider case, William Sullivan, the former database administrator at Fidelity National Information Services (not related to Fidelity Investments) in Jacksonville, Fla., this month was sentenced to 57 months in prison and ordered to pay $3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm.

Sullivan pled guilty in November to stealing consumer information on 8.4 million people in the United States and various foreign countries, including bank account and credit and debit card information, and selling it for about $600,000 to marketing firms between 2002 and 2007. So far, there's no evidence the information has been used for other than marketing purposes.

Learn more about this topic

IT administrator pleads not guilty to network tampering

Images from the courtroom

Alex Lewis: San Francisco network hacked by a Childs

Report: IT admin locks up San Francisco’s municipal network

Third of IT admins admit snooping with privileged passwords

10 of the worst moments in network security history

Should felons be allowed to be IT managers?

Certegy: Ex-worker stole 2.2 million records

Indictment of Roger Duronio in the internal sabotage case at UBS PaineWebber

Jury convicts Roger Duronio

Join the discussion
Be the first to comment on this article. Our Commenting Policies