Angry insider locks down San Francisco WAN

Network administrators in San Francisco could not access the city's new wide area network (WAN) because a disgruntled engineer refused to divulge his exclusive credentials.

The engineer, Terry Childs, set up passcodes that locked out everyone except himself, possibly because he was upset at his attempted dismissal, according to a report Monday in the San Francisco Chronicle. Childs, who remains in jail, was charged with four counts of computer tampering – a felony in California.

San Francisco officials said they are trying to crack his credentials and hope to regain access to the systems where emails, payroll files, law enforcement documents and arrest records are stored, the report said.

But this may prove difficult, Raj Rajamani, product manager at Solidcore Systems, provider of change control solutions, told on Tuesday.

“With modern forensic tools, they will probably be able to crack the passwords he set up, but it may never be possible to know what kind of damage has been done,” he said.

Authorities said that, given the denial of access to other personnel, the incident may translate into millions of dollars.

The systems affected continue to work, though with only limited or no access.

“They are probably OK until some minor problem arises, such as a hard disk filling up or a tape backup failing,” Jeff Nielsen, senior product manager at identity management provider Symark Software, told on Tuesday. “Such problems are normally handled by system administrators easily, but if they're locked out, they've got big problems.”

How can businesses protect against such malicious insider attacks? According to Rajamani, first they must understand that this could happen anywhere.

“Many organizations are aware they should protect data, but have not matured enough to fully recognize the danger, or have not come to a point where they feel compelled to protect it completely,” he said. “One way to help protect against this is to first determine what information is in your systems, where any critical information is, as opposed to non-critical data. And you want to certify access – who has privileged access and how are settings being altered?”

“This points out an age-old problem,” said Nielsen. “Most access is done on a trust basis. Ideally, what you should do is move to a process-based framework, where access is granted on a one-time basis, based on a business need and where logs can be created to trace back changes.”

