On the evening of April 27 2009 Abdirahman Ismail Abdi entered the facilities of the California Water Services Company (Cal Water). After presumably parking his car in the employee car park, he entered one building with his electronic key card and proceeded to the office of a senior executive. Sitting down at the executive’s computer he initiated three separate transfers totaling $9 Million USD from the accounts of Cal Water to an account in Qatar. Having completed this transaction he exited the office and building and proceeded to another secure building on the Cal Water campus. Again he used his electronic key card to access the building. Proceeding to the office of yet another senior executive, he again used that executive’s computer to access the Cal Water’s financial systems and approved the transfer requests he initiated just a few minutes before in the other building. His work completed he most likely walked out to his car and drove away.
What we don’t know yet is how he accessed the financial systems: did he use his own credentials or did he use the credentials of the senior executives whose computers he accessed? To me it sounds like he somehow compromised the accounts of the two executives but this is just conjecture on my part. The next question raised is why he would need two separate computers. If he had the user account information then couldn’t he just access the financial system from the same machine logging in once to initiate the transfer before exiting and logging in again to approve it? A number of reasons come to mind:
· Perhaps he was trying to frame these two executives;
· Perhaps the software used to access the financial system required different client modules thus the need for two separate computers;
· Perhaps the financial system required an electronic certificate from these users that was only stored on their own computers.
I’m sure other reasons come to mind but let’s go with these. Moving on, how do we know that Abdi is the perpetrator? Having just broken down how the financial account was accessed I would venture to guess that he did not use his own login credentials. Cal Water is the largest investor-owned American water company west of the Mississippi River and the third largest in the company. I think that it is safe to assume that they had some sort of separation of duties controls in place hence the need for two computers in two different buildings. Again this is conjecture on my part but it does make sense.
But if he used the accounts of those senior executives then how do we know it was him? We believe it to be Abdi because he was observed by janitor in the buildings on the night of the crime and he also allegedly attempted to deposit a check for more than $25,000 USD made out to Cal Water in his own bank account. Add to this the fact that (1) Abdi put his wife and children on a plane to Germany on April 28th the morning after the crime and (2) Abdi resigned his position as an auditor for Cal Water just hours before he allegedly committed this crime and things don’t look so good for him right now. (Abdi is currently on the run and is believed to have fled the United States through Canada as of this writing.)
Now this is a good story worthy of a “movie of the week” (or perhaps an afterschool special for young security professionals still in school). It goes to show that the human element is both our greatest weakness as well as our greatest strength. Let me explain that.
Going back over the story a few things stand out to me. The first is that Abdi needed to access Cal Water facilities with his electronic key card. The second is that he needed to use two separate computers presumably with two separate accounts in order to complete the crime.
Now I have no inside knowledge of the Cal Water environment or systems but it makes sense that if Abdi could have accessed the facilities without his key card he probably would have so they are most likely adequate to protect against unauthorized access by an external threat source.
Next he used two separate computers assigned to individuals who most likely had the authority to initiate and approve fund transfers. Not only did he need their computers but he probably needed and used their login credentials. How he gained their login credentials is unclear. Were they written down somewhere; did he eavesdrop them sometime in the past; did he install some sort of key logger software when he was acting in his capacity as an auditor? (The last is a scenario that I made up because it seemed plausible – there is absolutely no indication that this actually happened or is alleged to have happened.) Right now we just don’t know but it makes sense to me that he had to have needed two separate computers and two separate sets of login credentials with the right level of access to the financial systems. As an auditor it is likely that Abdi was privy to vulnerability information concerning the financial system therefore he probably chose the easiest way to exploit the system. That tells me that it is very likely that the technical controls on the Cal Water financial system were operating as intended or were at least sufficient otherwise why would he to go the trouble and risk of compromising two buildings, two offices, and two accounts. (Again, I have no inside knowledge of Cal Water.)
So if the physical access controls were working as intended and the technical financial controls were working as intended then the only thing we have left is a failure of the human control – namely the disgruntled insider, that lead to this breach. It was also the human control that identified the perpetrator. Remember that a janitor has identified seeing Abdi in the building on the night of the crime after he quit. Remember also that Abdi tried to deposit a check made out to Cal Water in his own account – not a very smart thing to do.
People will argue that there was also a failure of the termination process and that Cal Water should have disabled his access (physical as well as technical) when he resigned. What we don’t know is if his resignation was effective immediately or if he gave two weeks. In many companies it is normal operating procedure to have an employee departing on favorable terms to wrap things up and transfer their work to another person in their final days in a position. We have no indication at this time that Abdi was a problem employee or that he would have given any indication that he posed a threat. Remember from what we know he resigned; he wasn’t fired. There is also every indication that he probably didn’t even use his on login credentials once inside the facility so even if his technical access had been minimized it most likely couldn’t have prevented his use of another’s credentials.
The bottom line is that it appears as if the physical and technical controls were working and operating effectively therefore the solution probably isn’t a technical one. The human control is what failed. Yes you could go through and upgrade the physical and technical controls to require multi-factor authentication both for entry into the facility as well as for identification within the network but is that really feasible in a majority of companies? The need for security must always be balanced with the needs of the business. Had Abdi actually been able to walk off with $9M then perhaps you could justify that sort of expenditure but in truth he didn’t. (The account in Qatar was frozen and the funds transferred back to Cal Water.)
The insider threat is real and in an economy like this is growing. Studies such as the 2009 Data Breach Investigations Report notwithstanding, the impact of an insider breach if often greater than that of an external breach. In this case it was a transfer of money but what if it had been a customer list or proprietary data concerning a major company project. (We’re speaking in general here not about Cal Water specifically.) Touting the number of scans detected or intrusions blocked at the firewall don’t mean anything when Joe the employee who has just been laid off walks out with your customer list or the details of your proprietary processes on a flash drive. Your competition could then undercut your prices or catch up on year’s worth of development in the space of a day. How much is that worth to your company?
As much as I don’t like the fact that some studies and reports have tried to downplay the risk posed by outsiders, I don’t want to overplay their importance either. They are a threat just like other threats and they need to be addressed just like everything else. What this story shows us is that your security controls need to go beyond the physical and technical realm. Your staff and management needs to be trained to identify the potential for employees to become disgruntled insiders and take steps to address the issue before it becomes one. I talked about this a lot in my three part series on Insiders (Part One, Part Two, Part Three).
You also need to recognize that there is no way to completely guard against the insider threat so you need to have a plan on how to deal with it when it does eventually happen. This takes a coordinated effort across the organization and since it may involve the seizure of evidence by local or federal authorities (should they become involved) you’ll need to account for that. How should you deal with the media, stockholders, and the public? What you say in the early days when you aren’t sure exactly what has happened is just as important as what will eventually be said in hindsight. (See my post on Public Relations and Security.)
This post has given me the idea that it might be useful to do something on the order of a breach analysis in order to bring up issues that need to be addressed well before an incident happens. Perhaps I’ll do something like that in future posts.
Entries (RSS)
[...] gsmckee4 put an intriguing blog post on Ascension Blog » He did WHAT?!?!Here’s a quick excerptAfter presumably parking his car in the employee car park, he entered one building with his electronic key card and proceeded to the office of a senior executive. Sitting down at the executive’s computer he initiated three separate …. In this case it was a transfer of money but what if it had been a customer list or proprietary data concerning a major company project. (We’re speaking in general here not about Cal Water specifically.) Touting the number of scans detected … [...]