Jul 25th 2008
By Bill Kennedy - The Toronto Globe and Mail newspaper had this article about a city of San Francisco computer engineer who changed the security passwords on his employer's system. The system still works, but nobody can get in to set up new users, change passwords etc. The man, Terry Childs, is languishing in a local jail with bail set at $5,000,000.
As an accountant, should you care? I do. The accounting system I run is a major user of the computer network. A network security issue is a financial security risk.
My first thought was: breakdown in controls, i.e. segregation of incompatible duties. There should be more than one person with the system password. But then I thought, wait, what if the control system was in place? What if Childs just let himself in late one night, as he would typically do to apply new security patches, and changed the password? If he were in charge of security, it would be quite a normal thing for him to do. The difference is that he didn't notify the other security administration staff of the change.
My next thought was how to design a security system so that this couldn't happen. You would need at least two passwords, neither of which could change the other. Then there would have to be two independent security officers, etc. I checked with the security officer on our system. He said that we have three system administrators, each with a separate admin login and password. Even if one of them changed the password on all three admin accounts, it's still possible to unlock the admin password. Thank you, Microsoft!
But design is only half the issue. Even though our system could recover from a rogue security officer, that doesn't mean that he/she couldn't do a significant amount of damage. Control systems only go so far. They cannot protect you from human feelings and weaknesses. If your security officer does not feel that he/she is part of the team, then you have a major risk regardless of how well your system is designed.
So, who is to blame, the employee or the employer? The newspaper article doesn't shed much light on why Childs was so disgruntled that he would put himself and the whole city of San Francisco at risk, but my experience leads me to point the finger squarely at both. Putting Childs in jail will not correct the problem. Management needs to find out what the problem is and take positive steps to listen to employee concerns, and employees need to find a constructive way to air their grievances. In his own passive-agressive way, Childs has become the most outspoken of the disgruntled employees, but I'll bet you 10 pounds of Ghirardelli chocolate he's not the only one.
P.S. A note on security: one of my clients was doing an upgrade and I saw him logging in as "Bob". I told him that for this work he had to login as Admin. He just smiled and said the Administrator account actually had no system privileges. It was there as a decoy for hackers. The real power was in the Bob account. Lesson learned.