Okay, why would a large city like San Francisco make such a silly, preventable mistake as allowing one employee to establish a super-user account and then lock everyone else out of the government network?
“Hacker Holds Key to City’s Network: An Alleged Hacker Won’t Reveal Secret Password to Unlock San Francisco’s Network”
The headline is completely misleading. This was not a “hacker”; this employee was a network administrator who was “instrumental in designing the router system for the city’s FiberWAN (wide-area network).” The alleged “hacker,” Terry Childs, had authorized access to the network. He used that authorized access to install and implement ways of reaching the other areas of the network, and the data, to which he did not previously have access.
He then reportedly created a new account and password controlling access to “most of the city’s municipal data” and removed network and data access from everyone else, including all the city employees who need the network to conduct business.
The statements of Mayor Newsom and Childs’ lawyer Mark Jacobs provided in the article are quite silly.
The focus was on Childs, but what about San Francisco’s information security program? Do they even have one? Don’t they have policies, procedures and tools in place to catch the type of tampering that Childs did?
It sounds like Childs knew there were no good controls in place, and apparently no effective separation of duties, monitoring or logging, and he decided to exploit those weaknesses and lax security practices after a reported “misunderstanding” with his supervisor.
Without any of the details of the exploit, it would seem that simple logging and monitoring by the internal audit and/or information security department would have caught the inappropriate changes Childs reportedly made right away. And better network controls would probably have prevented it altogether.
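To make “simple logging and monitoring” concrete, here is an added example (not code from the original post, and not anything the city ran) of the kind of detection an internal audit or security team could run over device configuration-change records. The log format, device names, account names and the privilege-level value are all constructed assumptions; the point is the three controls it encodes: every privileged-account creation gets a second-person review, a burst of privileged-account removals by one actor is treated as a lockout signal, and the two together are escalated as an attempted takeover.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical syslog-like format (not real
# FiberWAN data). One actor creates a new privileged account and then strips
# every other privileged account within minutes; a second actor's routine add
# and a non-CONFIG record are included as benign comparisons.
SAMPLE_LOG = """\
2008-07-09T22:01:10 core-rtr1 CONFIG actor=netadmin1 action=add_user user=svc-mgmt priv=15
2008-07-09T22:01:42 core-rtr1 CONFIG actor=netadmin1 action=del_user user=netadmin2 priv=15
2008-07-09T22:02:05 core-rtr1 CONFIG actor=netadmin1 action=del_user user=netadmin3 priv=15
2008-07-09T22:02:30 core-rtr1 CONFIG actor=netadmin1 action=del_user user=auditor1 priv=15
2008-07-10T09:15:00 core-rtr1 CONFIG actor=secops1 action=add_user user=netadmin4 priv=15
2008-07-10T09:16:00 core-rtr1 LOGIN user=netadmin4 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) CONFIG actor=(?P<actor>\S+) "
    r"action=(?P<action>add_user|del_user) user=(?P<user>\S+) priv=(?P<priv>\d+)$"
)
PRIVILEGED = 15  # assumed privilege level that grants full control of a device


def parse_log(text):
    """Parse configuration-change records; other record types are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["priv"] = int(ev["priv"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def privileged_removal_bursts(events, window, threshold):
    """Map actor -> list of del_user events, for actors who remove at least
    `threshold` privileged accounts inside one sliding time window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "del_user" and ev["priv"] >= PRIVILEGED:
            by_actor[ev["actor"]].append(ev)
    bursts = {}
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                bursts[actor] = burst
                break  # report each actor once
    return bursts


def detect_privilege_abuse(events, window=timedelta(minutes=15), threshold=2):
    """Return (severity, actor, message) alerts for the three controls."""
    alerts = []
    # Control 1: separation of duties - no privileged account goes live on the
    # word of the person who created it.
    for ev in events:
        if ev["action"] == "add_user" and ev["priv"] >= PRIVILEGED:
            alerts.append(("REVIEW", ev["actor"],
                           f"privileged account {ev['user']} created on {ev['device']}; "
                           "requires sign-off by someone other than the actor"))
    # Control 2: a burst of privileged-account removals is a lockout signal.
    bursts = privileged_removal_bursts(events, window, threshold)
    for actor, burst in bursts.items():
        removed = [e["user"] for e in burst]
        alerts.append(("HIGH", actor,
                       f"removed {len(removed)} privileged accounts within {window}: "
                       + ", ".join(removed)))
        # Control 3: the same actor also created a privileged account close to
        # the burst - escalate as an attempted takeover of the device.
        created = [e["user"] for e in events
                   if e["actor"] == actor and e["action"] == "add_user"
                   and e["priv"] >= PRIVILEGED
                   and abs(e["ts"] - burst[0]["ts"]) <= window]
        if created:
            alerts.append(("CRITICAL", actor,
                           f"created {', '.join(created)} and locked out other "
                           "administrators in the same period"))
    return alerts


def run_sample():
    """Run the rules over the constructed log and return the alerts."""
    return detect_privilege_abuse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for severity, actor, msg in run_sample():
        print(f"[{severity}] {actor}: {msg}")
```

The logs have to be shipped off the devices to a collector the administrator cannot edit, and the review for the first control has to be performed by someone other than the network team that made the change; otherwise the rules only tell an auditor, after the fact, what they already cannot undo.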
“While in jail, he remains on the city payroll, reportedly earning $127,735 a year.”
Nice salary! Rebuilding the network (as the article indicates is being done) will cost much more.
Implementing effective information security controls to begin with would have been MUCH less costly!
Wonder if the San Francisco government office will learn a costly lesson from this, or if it will just end up being costly?
Tags: awareness and training, Gavin Newsom, Information Security, insider threat, IT compliance, logging, Mark Jacobs, monitoring, policies and procedures, privacy training, risk management, security training, separation of duties, Terry Childs