Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec.

May 16, 2013

The story recently broke of a former employee who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed over for promotions, which led to his resignation in December 2011, with a final day of work in January 2012.[1]  According to a Criminal Complaint filed in the incident by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimated cost of his alleged activities to the former employer is some $90,000.00 in damages.  That number is not insignificant, though admittedly it could have been significantly more.  However, we may never come to know whether it stopped there due to self-imposed limitation(s), or due to an inability to do anything more destructive or wide-ranging because of security impediments.

 

On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?

 

There is an ongoing, and sometimes quite intense, debate on whether outside threats or inside threats are greater.  Both sides of the debate, along with the naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside-the-firewall/outside-the-firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and in planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when doing so makes access to preferred apps or sites inconvenient to impossible for some, or slows people down a little.  I call this cubing the B.

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/
