Tuesday, July 31, 2007

IT COULDN'T HAPPEN HERE... OR COULD IT?

Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences. This issue considers genuine cases illustrating different threats from WITHIN the organization:

1) The Disgruntled Employee

An organization in the US fired an employee who had been known to be less than happy in his work and had been causing problems for management through a variety of activities. Unknown to the organization, this employee had already made a copy of the main client database for himself, so dismissal did nothing to take that sensitive information away from him.

Shortly after the employee was dismissed, major customers started receiving offensive material that purported to come from the organization itself. The ex-employee used a simple open SMTP relay, which accepts any sender address a client supplies, to forge the organization's email addresses on the messages. Customers immediately started to move away from the organization, and even when they were informed that the material had been sent maliciously by a former employee, they remained unimpressed with a company that had so little security in place.

The organization quickly went out of business, paying a heavy price for not having sufficient control over employee access to sensitive information.
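The spoofing in this case worked because SMTP itself never checks that the sender address a client supplies is one the client is entitled to use: an open relay accepts `MAIL FROM:<accounts@example-corp.com>` from anyone. What the relay does record truthfully is the IP address it accepted the message from. The following added example (not part of the newsletter) parses a constructed spoofed message and applies the check that sender-authorization schemes such as SPF later standardized: compare the originating IP against the hosts the claimed domain actually sends from. The domains, addresses and authorized-sender list are all assumptions made up for the illustration.

```python
"""Check a received message's claimed sender domain against the hosts
that domain is known to send from.

Added example, not code from the newsletter. Domains, IPs and the
authorized-sender table are constructed for illustration.

The open relay in the story would have accepted the message with a
dialogue like this (constructed), without asking who the client was:

    C: HELO mail.example-corp.com
    S: 250 relay.open-mail.example
    C: MAIL FROM:<accounts@example-corp.com>
    S: 250 2.1.0 Ok
    C: RCPT TO:<buyer@customer.example>
    S: 250 2.1.5 Ok
    C: DATA ... <message> ... .
    S: 250 2.0.0 Ok: queued
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a message as it arrives after passing through an open
# relay. The HELO name and From header are whatever the client claimed;
# the bracketed IP in the Received header is what the relay observed.
SPOOFED_MESSAGE = """\
Received: from mail.example-corp.com (unknown [203.0.113.45])
\tby relay.open-mail.example (Postfix) with SMTP id 4F1A2B
\tfor <buyer@customer.example>; Tue, 31 Jul 2007 09:15:02 +0000
From: "Accounts" <accounts@example-corp.com>
To: buyer@customer.example
Subject: Important notice

(offensive content would have been here)
"""

# Constructed: a genuine message from the organization's own mail server.
LEGITIMATE_MESSAGE = """\
Received: from mx1.example-corp.com (mx1.example-corp.com [198.51.100.10])
\tby mail.customer.example (Postfix) with ESMTP id 9C0D3E
\tfor <buyer@customer.example>; Tue, 31 Jul 2007 10:02:11 +0000
From: "Accounts" <accounts@example-corp.com>
To: buyer@customer.example
Subject: July statement

Please find your statement attached.
"""

# Constructed: hosts example-corp.com actually sends mail from. This is
# the information a domain publishes in an SPF record; an organization
# that publishes nothing gives recipients no way to reject the forgery.
AUTHORIZED_SENDERS = {
    "example-corp.com": {"198.51.100.10", "198.51.100.11"},
}

# An IPv4 address in square brackets, as relays write it in Received.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domain(raw):
    """Domain claimed in the From header, i.e. what the recipient sees."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_ip(raw):
    """IP recorded by the first relay that accepted the message.

    Received headers are prepended by each hop, so the earliest hop is
    the last one in the list. Only the bracketed IP is trustworthy; the
    'from <name>' part is the client's own HELO claim.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[-1])
    return match.group(1) if match else None


def check_sender(raw, authorized=AUTHORIZED_SENDERS):
    """'pass' if the originating IP is authorized for the claimed domain,
    'fail' if it is not, 'unknown' if the domain publishes no list."""
    allowed = authorized.get(sender_domain(raw))
    if allowed is None:
        return "unknown"
    return "pass" if originating_ip(raw) in allowed else "fail"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE),
                      ("legitimate", LEGITIMATE_MESSAGE)):
        print(f"{name}: from={sender_domain(raw)} "
              f"ip={originating_ip(raw)} result={check_sender(raw)}")
```

The spoofed message is flagged because the relay's own record (203.0.113.45) does not match any host the claimed domain is known to use, even though the HELO name and From header both say example-corp.com. The "unknown" result is the important caveat: if the impersonated organization publishes no authorized-sender list, a recipient has nothing to compare against and the forgery looks exactly like the genuine article.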

2) Intellectual Property Rights

A firm in London developed a range of new products largely through the work of one of its employees, who was particularly skilled in this area. Once these products had been developed, they were successfully marketed by the firm and a good revenue stream emanated from this new business area.

Unfortunately, the firm had not considered protecting the intellectual property rights in work undertaken during the employee's time with them. The employee who had authored the products subsequently claimed ownership of the intellectual property contained within them, and successfully sued the firm.

The lesson to be learned here is that employees' contracts should clearly state who owns any work developed for the company during their employment. This agreement should be signed by the employee to signify acceptance of these terms and conditions before undertaking this type of work.

3) Who Audits the Auditor?

A large financial company thought they had security in the bag. Their security department was active, and involved in most activities of the Group. It had a reputation for being on top of new technology, and had an aggressive audit schedule, with all sensitive applications and projects being regularly audited.

What a pity they got a fundamental principle so badly wrong! As the Group's security area they had full access to security settings and administered access control for key applications. As auditors, they audited the same settings. That was the crunch.

The same individuals who set security levels and granted access to information resources, also audited them. A classic case of insufficient segregation of duties.

In one sense they were lucky. The incident which brought this to light was petty. The individual in question could not resist the temptation to adjust his overtime figures on the payment database. He inflated the figures by several hundred dollars each month, for several months. He was caught because someone else on his team spotted his payslip (which he had left inside his briefcase, which he had left open!) and knew instinctively that he had not been working long hours in recent weeks, so the salary figure was far too high.

It could, however, just as easily have been an accounting database he adjusted, or any number of financial databases, and the company could have been facing a substantial and embarrassing loss.

The golden rule, of course, is that auditors need only read access to audit a system, not update rights. Whoever can change a control must not be the person who checks it.
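The principle behind case 3 can be checked mechanically: define which role pairs must never be held by the same person, and verify that anyone auditing a system holds read access to it but no write access. The following added example (not from the newsletter) does both over a constructed role model. The role names, permissions and user assignments are assumptions invented for the illustration; "j.smith" stands for the individual in the story, who both administered access control and audited it.

```python
"""Segregation-of-duties check: flag users who both administer and audit
a control, and verify auditors hold read access only.

Added example, not code from the newsletter. Roles, permissions and
assignments are constructed for illustration.
"""

# Constructed: what each role may do on each system. "read" is all an
# auditor needs; "write" is what an administrator or clerk needs.
ROLE_PERMISSIONS = {
    "security_admin": {("access_control", "write"), ("payroll", "write")},
    "auditor":        {("access_control", "read"),  ("payroll", "read")},
    "payroll_clerk":  {("payroll", "write")},
}

# Constructed policy: role pairs one person must never hold together.
# Whoever sets a control must not be the one who audits it.
CONFLICTING_ROLES = {
    frozenset({"security_admin", "auditor"}),
    frozenset({"payroll_clerk", "auditor"}),
}

# Constructed assignments. "j.smith" mirrors the case: he set access
# levels on the systems he was also responsible for auditing.
ASSIGNMENTS = {
    "j.smith": {"security_admin", "auditor"},
    "a.jones": {"auditor"},
    "r.brown": {"payroll_clerk"},
}


def sod_violations(assignments, conflicts=CONFLICTING_ROLES):
    """Map each offending user to the sorted conflicting role pairs
    they hold. Users with no conflict are omitted."""
    found = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            found[user] = hits
    return found


def effective_permissions(user, assignments, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def can_audit_independently(user, system, assignments,
                            role_permissions=ROLE_PERMISSIONS):
    """True only if the user can read the system and cannot write it:
    the 'read access to audit, not update' rule from the case."""
    perms = effective_permissions(user, assignments, role_permissions)
    return (system, "read") in perms and (system, "write") not in perms


def writers_of(system, assignments, role_permissions=ROLE_PERMISSIONS):
    """Everyone who can change a system; these people must not audit it."""
    return sorted(
        user for user in assignments
        if (system, "write") in effective_permissions(user, assignments,
                                                      role_permissions)
    )


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for user in ASSIGNMENTS:
        ok = can_audit_independently(user, "payroll", ASSIGNMENTS)
        print(f"{user}: independent payroll auditor = {ok}")
    print("can write payroll:", writers_of("payroll", ASSIGNMENTS))
```

Run against the constructed assignments, the check reports j.smith as holding both security_admin and auditor, and shows that his effective permissions include write access to payroll, so he cannot be treated as an independent auditor of it even though he also holds the auditor role. The point of computing effective permissions rather than just looking at role names is that a write right smuggled in through a second role is exactly what the role-name view misses.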

From : http://www.17799central.com/news.htm
