What You Can Do for Your Country
A Marine friend once gave me a copy of "Murphy's Laws of Combat." Three laws were underlined: "The important things are always simple. The simple things are always hard. The easy way is always mined."
Apparently, the person responsible for security at Autotote Systems never heard of Murphy. The easy way to his company's data certainly wasn't mined. Autotote's betting network apparently was hacked by one of its own employeesif opening an unlocked digital door can be called that.
Forget about the script-kiddies, denial-of-service attacks and Web site defacements. New intelligent routing technology from companies such as RouteScience, and "edge delivery" and site-staging services like those from Akamai and Inktomi, make these kinds of attacks increasingly irrelevant to large organizations.
No, the real threatas demonstrated by Autototecomes from within. Most worrisome, according to Marcus Sachs, director of telecommunications infrastructure security at the White House's Office of Cyberspace Security, is subversion of the data within electronic business processes, either to cause disruption or for personal gain.
Why is a federal cybersecurity officer worried about the protection of corporate databases?
Because money stolen from companies such as Off-Track Betting is money that can be used to sponsor terrorist and other nefarious activity. Terrorists already have used electronic fraud to finance their operations; al Qaeda appears to have used credit card fraud and identity theft to help fund its activities throughout the world
And apparently, it wouldn't take much for them to add a company like Autotote to their list of victims. Chris Harn, a senior software engineer at the company, is alleged to have used his access to transaction information in the company's wagering system to fix the Off-Track Betting "Pick Six" bets of a fraternity brother in October.
Three Warning Signs
The important things are always simple. If Autotote had simply kept software development separate from the "production" version of its systemthe one handling active betsthis whole mess might have been avoided.
Harn's job was to write software for the system, not maintain operations of it. Yet, he had access to data he shouldn't have had; he had access on a day he shouldn't have (his day off); and the company had no way of telling what he was doing with the data.
"Those are three big, and very popular, strikes," says Jerry Brady, the chief technology officer at Guardent, a security consulting and services company based in Waltham, Mass. Brady says that the same gaps in security can be found in many industries, including banks, investment brokers and other financial firms. Developers are given access to production systems out of expediency to keep systems up and running. That expediency will haunt companies. Even relatively innocuous data changes, such as a change of address, can be used to exploit or disrupt systems if they're not audited, says Brady.
These gaps aren't technologicalthey're cultural. That makes them fairly straightforward to solve. But the simple things are always hard. Even with awareness of computer security issues at an all-time high, according to Brady, executives at many companies still think of security in terms of "a fourteen-year old kid hacking their Web site."
There's technology on the way to help mind the store. Companies like Guardent and eEye of Aliso Viejo, Calif., will ship products next year that keep closer tabs on the behavior of insiders; Guardent's tools will aggregate information from audit trails and log files of applications and servers, while eEye is focusing on controlling access through policy enforcement at the desktop.
But the real push for security has to come from the top. Sachs says the White House's plan for national cyber-security hinges on security being treated as a boardroom issue as well.
So heed Murphy, and get serious about the simple things. Doing nothing might seem like the easy waybut the easy way almost always is full of mines.
Sean Gallagher is Technology Editor at Baseline.