Seek and destroy
by Deborah Volk on May 25th, 2009

In recent local news that became national news, Abdirahman Ismail Abdi, a former employee of California Water Services Company ("Cal Water"), a local water utility company, attempted to steal $9 million from the company by wiring the money to a bank in Qatar. Fun facts:

  • According to Cal Water's website, they're the largest investor-owned American water utility west of the Mississippi River and the third largest in the US. Their parent company, California Water Services Group, is a public company traded on the NYSE with 2 million customers.
  • The attacker allegedly gained access to computers belonging to two senior executives in two separate buildings at the utility to initiate and confirm three wire transfers.
  • The attacker resigned from his job as an auditor (!!) of Cal Water. He came back a few hours later (by then night time, after business hours) and was able to get into the building using his electronic key card, which was still active.
  • The janitor saw the attacker using the computer and presumably reported it to management, which discovered the transfers the next morning. The money has been recovered; the attacker fled to Canada and has yet to be apprehended.
The pattern of attack is very similar to a Fannie Mae incident where a terminated employee attempted to plant malware in retaliation for losing his job. In both the Cal Water and Fannie Mae cases, the attack surface remained large because the ex-employee's access was not immediately revoked. In Fannie Mae's case the access was logical (VPN/network); in Cal Water's case the access was physical (key card/building entry). Without seeing the court documents, I won't speculate on how the attacker was able to gain access to the execs' computers, but I wouldn't be surprised if he had privileged (superuser) access too. (Segregation of Duties is truly a fairy tale for many companies.)

We cannot completely eliminate insider attacks but we can reduce the attack surface by following a few best practices:
1. Be fast. Carefully design the IT portion of the off-boarding business process that gets kicked off when an employee leaves the company for any reason, be it voluntary or involuntary. In terms of timing, off-boarding should be executed as close as possible to the employee walking out the door.

2. Don't get stuck in traffic. Have you ever driven a car on a one-lane road? If you have a slow driver ahead of you (and traffic flowing in the opposite direction so you can't pull out), you'll be stuck crawling for hours. This analogy applies to processes too. Don't be stuck with a process that has a single lane, in or out. If you depend on an upstream business unit (be it HR, Facilities, Operations, etc.) to tell you that a person left the company, you're going to be at their mercy. If they have an issue (someone forgot to enter the termination date, or entered it the next morning, or misspelled the name, or the process is paper based and the fax machine was broken, or...) you have a bigger issue. Best-in-class off-boarding processes allow for exceptional circumstances: the IT portion of the process can be triggered in multiple ways via multiple channels.

3. Trust but verify. A typical off-boarding process relies on either a direct supervisor (or someone higher in the org chart) or someone in HR to kick off the process, and in either case you've got an issue, since the task is driven by a single human. People forget, go on vacation or fall ill, put things off (memo to procrastinators: Just Do It) and so on. You need a system of checks and balances: at worst a single control where an alarm goes off somewhere if a terminated employee hasn't been off-boarded; at best, multiple people in independent org units (e.g. HR and IT) responsible for off-boarding workers. If one of them sleeps on the job, the other will step in.

4. Seek and destroy. Physical access (entering gates, buildings, floors, offices) is just as important as logical access (entering the network and various systems). Best-in-class off-boarding processes do not differentiate between physical and logical access. All access should be shut off immediately; all access factors (usernames/passwords, personal certificates, key cards, fobs, badges, plain old keys) should be disabled and/or taken from the employee and accounted for.
Points 1-4 above could be followed regardless of whether a company has deployed a sophisticated identity and access management solution. Having said this, automating off-boarding processes via an identity administration product such as Oracle Identity Manager (OIM) certainly helps. In my next blog post, I will cover aspects of implementing off-boarding with OIM.
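To make points 2 through 4 concrete, here is a small reconciliation control written for this post as an added example (it is not code from the original article, nor from OIM or any other product). It takes termination signals from more than one channel (an HR feed and manager tickets, both hypothetical feeds keyed by employee id rather than by name, so a misspelling in one feed cannot hide a termination), unions them with the earliest time winning, and then checks every logical account and every physical badge still active past the termination time plus a short grace window. Anything still live raises a finding, which is the "alarm goes off somewhere" control from point 3, covering both logical and physical access as point 4 asks. All records below are constructed sample data; the system names and the 15-minute grace window are assumptions you would tune to your own environment.

```python
"""Off-boarding reconciliation check (added example, constructed data).

Cross-references termination signals from several channels against logical
accounts and physical badges, and flags any access factor that is still
active after the employee's termination time plus a grace window.
Feed and system names (HR_FEED, MANAGER_TICKETS, AD, VPN, badge ids) are
hypothetical placeholders, not real systems.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Termination signals from independent channels (point 2) -----------------
# Keyed by employee id, never by name. Constructed sample data.
HR_FEED = [
    {"emp_id": "E1001", "terminated_at": "2009-05-20T17:05:00"},
    {"emp_id": "E1002", "terminated_at": "2009-05-21T09:00:00"},
]
MANAGER_TICKETS = [
    # E1003 exists only here: HR has not recorded the departure yet
    # (the "fax machine was broken" case), but the ticket still triggers IT.
    {"emp_id": "E1003", "terminated_at": "2009-05-21T14:30:00"},
    # E1001 reported by two channels; the earliest timestamp wins.
    {"emp_id": "E1001", "terminated_at": "2009-05-20T16:50:00"},
]

# --- Access inventories: logical and physical treated alike (point 4) --------
DIRECTORY_ACCOUNTS = [
    {"emp_id": "E1001", "system": "AD",  "enabled": True},   # never disabled
    {"emp_id": "E1001", "system": "VPN", "enabled": False},  # correctly removed
    {"emp_id": "E1002", "system": "AD",  "enabled": False},  # fully off-boarded
    {"emp_id": "E1003", "system": "AD",  "enabled": True},
    {"emp_id": "E1004", "system": "AD",  "enabled": True},   # still employed
]
BADGES = [
    {"emp_id": "E1001", "badge": "KC-5512", "active": True},   # key card still live
    {"emp_id": "E1002", "badge": "KC-5513", "active": False},
    {"emp_id": "E1003", "badge": "KC-5514", "active": True},
]


@dataclass(frozen=True)
class Finding:
    emp_id: str
    access: str          # e.g. "AD", "VPN", "badge KC-5512"
    kind: str            # "logical" or "physical"
    overdue: timedelta   # how long past the off-boarding deadline it is still live


def collect_terminations(*channels):
    """Union termination signals from every channel; the earliest time wins."""
    terminated = {}
    for channel in channels:
        for rec in channel:
            ts = datetime.fromisoformat(rec["terminated_at"])
            prev = terminated.get(rec["emp_id"])
            if prev is None or ts < prev:
                terminated[rec["emp_id"]] = ts
    return terminated


def reconcile(terminations, accounts, badges, now, grace=timedelta(minutes=15)):
    """Return one Finding per live access factor belonging to an employee whose
    termination time plus the grace window is already in the past."""
    findings = []
    for emp_id, term_ts in terminations.items():
        deadline = term_ts + grace
        if now < deadline:
            continue  # off-boarding is still allowed to be in progress
        overdue = now - deadline
        for acct in accounts:
            if acct["emp_id"] == emp_id and acct["enabled"]:
                findings.append(Finding(emp_id, acct["system"], "logical", overdue))
        for b in badges:
            if b["emp_id"] == emp_id and b["active"]:
                findings.append(Finding(emp_id, "badge " + b["badge"], "physical", overdue))
    return findings


def run_check(now_iso):
    """Run the control at a given wall-clock time (ISO 8601 string)."""
    terms = collect_terminations(HR_FEED, MANAGER_TICKETS)
    return reconcile(terms, DIRECTORY_ACCOUNTS, BADGES, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Evening of the day after the first departure: the key-card-at-night case.
    for f in run_check("2009-05-21T23:00:00"):
        print(f"ALARM {f.emp_id}: {f.kind} access '{f.access}' still live "
              f"{f.overdue} past the off-boarding deadline")
```

Run on the constructed data at 23:00 on May 21st, the check raises four alarms: E1001's AD account and key card (terminated the previous afternoon, still live a day later) and E1003's AD account and key card (known only from the manager's ticket). E1002, whose accounts and badge were both disabled, produces nothing, and E1004 is never considered because no channel reported a termination. The design choice worth copying is that the control is independent of whoever was supposed to run the off-boarding: it reads the state of the access systems directly rather than trusting that a ticket was closed.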

Posted in Identity Management, Access Management, Business Perspective    Tagged with off-boarding, insider threats