Internal Security Lapse Seen in Fannie Mae Case
Employee sabotage alleged
Insider threats to data security via theft or sabotage are sure to rise, especially as companies increase employee layoffs during a bad economy. One sign of the times is the appearance of the infamous "logic bomb," a software bug timed to hose a company's network, typically planted by someone with network access.
Troubles at the Fannie Mae mortgage institution led to layoffs and alleged employee sabotage. The case concerns Rajendrasinh Makwana, an IT contractor who once worked at Fannie Mae's office in Urbana, Md.
Makwana was indicted this week for allegedly planning a logic bomb that was set to go off on Saturday Jan. 31. Had it activated, it could have caused untold millions in damage and system downtime, Fannie Mae officials said.
If the allegation against Makwana proves true, it represents yet another example of a lapse in access control at a major company. Fannie Mae may not have acted quickly enough in revoking the former employee's network access.
Makwana's contract terminated at Fannie Mae as far back as October 24. His termination was associated with a cross-site scripting error that happened in late September. Yet, according to an FBI affidavit, he retained his access to systems after he left the building and the company.
Policy-wise, the incident clearly demonstrates that access to information systems needs to be terminated simultaneously with physical access to the server room, explained Ellen Libenson, vice president of product management at security firm Symark.
"Makwana was a contractor and consequently his exit 'processing' was not handled the same as a full-time employee. All the more reason to have a special, heightened procedure for contractors so it doesn't slip through the cracks," she said. Contractors may not be on HR's radar screen because they are handled differently in the payroll system, she explained.
If turning off someone's access is too time consuming because the IT staff has been reduced as a result of layoffs, enterprises should "knock these guys out ASAP and get to the lower level risk people when you can," Libenson suggested. "If you are forced to do triage, use your head about it."
Bad economic times may be resulting in an increased number of bank robberies, and perhaps cybercrime as well.
"Cybercrime is easy pickings right now," said Mandeep Khera, chief marketing officer at security firm Cenzic. "Corporations should proactively run security assessments on a regular and continuous basis and fix the vulnerabilities, so that even if someone internal has inserted malicious code, you can remediate it in a timely manner. If you have disgruntled employees and you haven't been securing your Web applications and infrastructure for vulnerabilities on a regular basis, chances are very high that you are at risk."
-- Jabulani Leffall
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).