Insider Threat, the Value of Computer Logs & the Need for Consistent Policy Enforcement

In recent years many organizations have implemented the use of computer logs on their networks to be in compliance with multiple laws. However, here’s a perfect example of the value of computer logs beyond just to be in compliance; using them for one of the things they were meant to do…catch inappropriate activity and provide evidence that a specific person is doing something inappropriate or outright wrong.
A current news story documents how computer logs will likely cost a cop his pension and could point to evidence for his missing wife.

There has been much in the news during the past couple of months about a police officer, Drew Peterson, who is a suspect in the death of his 3rd wife and recent disappearance of his 4th wife. Now the audit logs from the police computer network reveals that he was using his authority to do background investigations on friends of his 4th wife, along with other people he had no business reason to do checks on.
Of course Peterson’s attorney denies Peterson did anything wrong. However, it’s going to be pretty hard to argue with Peterson’s login ID doing all these activities that are against the police department’s policy…*IF* there was also an information security policy telling all personnel that they must not share IDs or passwords, and that they will be accountable for all activity that occurs with their IDs/passwords.
The following excerpt from the ABC News story is interesting:

“Sources said Peterson can be tied to the allegedly improper computer searches at the police department through his personal login. But Peterson’s attorney says this is just retribution by the Bolingbrook police chief, who has called his former employee an embarrassment to the department.
Brodsky said he has written the Illinois attorney general to complain of vindictive, selective prosecution.
“It was common practice for members of the Bolingbrook Police Department and employees to run warrant checks and name checks for friends, for family members, and even to run prank names, rather risque prank names, when they would get bored in the evening,” Brodsky said. “And so if they were to prosecute Drew for doing anything like that, they would have to prosecute probably most of the employees and officers of the Bolingbrook Police Department for the same thing.””

So, according to the report,
1) Computer logs provide evidence that Peterson was performing improper background checks using his login ID.
2) Peterson’s lawyer claims running such improper checks was a common accepted practice within the department.
The lawyer highlights an important issue that all organizations must understand…
Information security policies must be consistently enforced to be effective.
Many organizations publish their information security policies and then not only do nothing to enforce them, but turn a blind eye to rampant policy noncompliance.
An inconsistently enforced policy is a worthless policy.
So a few of the lessons learned from this story include:
1) The insider threat is significant; studies show a certain significant percentage of authorized personnel will do bad things with their access if they think they can get away with it.
2) Generating and maintaining computer login and activity logs can help to mitigate the insider threat, and catch those authorized users who are misusing their access to do bad and/or inappropriate activities.
3) Information security policies will be ineffective against the insider threat if policy compliance is not actively and consistently enforced.
4) Inconsistent information security policy enforcement may result in an organization losing a court case against an employee who did bad things if others in the organization were also known to be doing similar bad things and management did nothing about it.

Tags: , , , , , , , , , ,

Leave a Reply