The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


"Hacker" Steals Driver's License Data in GA

I just saw this story about a “hacker” who possibly stole data containing SSN numbers, addresses, and other sensitive information from the State of GA.  It’s funny that the “hacker” was an “employee” and they don’t know anything other than he had no reason to access the data and he did so outside of normal business hours.

There are many reasons I have taken an interest in security.  All have been based on different experiences I’ve had over my life.  One of them in particular was when I was employed at a Fortune 500 financial company that created a small internet spin-off.  The spin-off was doomed to failure after the second or third rethinking of their business model and we never had more than 300 customers, most of whom were the board of directors, employees, and family members who were trying to support the failed little venture.

Why is that important?  Well, I was the DBA for this group….and I had access to over 260 million financial accounts.  If you need help with the math, that’s significantly more than the 300 accounts that I actually needed access to.

It took me a few months to stumble across the fact that I had access to all this information at all, but when I did….I thought it was cool…nothing more.  Then I slowly started to realize this was bad.  Then I realized this was very, very bad.  If I had access to it, an 18-year-old nobody in a tiny spin-off of a huge multinational company that had many other groups just like us, how many other people had access to the same data?  It turns out it was just over 100 people.  A hundred people with access to 260 million personal financial accounts.  How valuable is that data?  What are the odds that at least 25% of the people with access to it could be bribed?  What are the chances that 5% of them could try to sell the data without any provocation?

After thinking over this massive hole in security I met with the network administrators to discuss the issue.  I could tell their interest level in the topics I was discussing was very low.  It was almost as if I was describing a movie plot instead of an actual risk they should consider.  When I was done presenting the facts, with an evident level of smugness and superiority, they simply told me that they had auditing procedures in place and if I did anything they would know about it.

This is exactly what happened in the news story.  An employee had access to data that he did not need.  Catching him after the fact did not stop the theft of the data.  Once the data is out, it’s out.  There is no going back. 

Now back to my story.  I explained to the network admin that I could erase the logs after accessing the data and he would never even have known it happened.  Or I could create a proxy account and use it instead of using my own account…or I could use one of the several accounts that were used by services to run in the network because their passwords were well known.  The smugness and superiority that was displayed only seconds ago had now been completely replaced by a look of panic and fear.

The end result….my access was now limited in the network.  I had been effectively blacklisted by the network admins.  I could no longer be trusted.  The hundred some odd other people still had access to all the data, including the measly 300 accounts that I and I alone was responsible for.

The old adage, “if it ain’t broke, don’t fix it,” has long been used to justify keeping antiquated systems in place within organizations.  It may be time to evaluate the security risks within these systems and start moving towards secure solutions.  State mainframe databases like this one from the story have very limited methods for authentication and almost no way to support authorization models.

posted on Thursday, May 19, 2005 1:40 PM

Feedback

# re: "Hacker" Steals Driver's License Data in GA 5/20/2005 9:54 AM 2600 Listener

Way to shoot the messenger. The people in charge don't like it when people below them know more about a system than they do.
