Posts Tagged “human factors”

On the evening of April 27, 2009, Abdirahman Ismail Abdi entered the facilities of the California Water Services Company (Cal Water). After presumably parking his car in the employee car park, he entered one building with his electronic key card and proceeded to the office of a senior executive. Sitting down at the executive’s computer, he initiated three separate transfers totaling $9 million USD from the accounts of Cal Water to an account in Qatar. Having completed this transaction, he exited the office and building and proceeded to another secure building on the Cal Water campus. Again he used his electronic key card to access the building. Proceeding to the office of yet another senior executive, he used that executive’s computer to access Cal Water’s financial systems and approved the transfer requests he had initiated just a few minutes before in the other building. His work completed, he most likely walked out to his car and drove away.

What we don’t know yet is how he accessed the financial systems: did he use his own credentials, or the credentials of the senior executives whose computers he used? To me it sounds like he somehow compromised the accounts of the two executives, but this is just conjecture on my part. The next question is why he would need two separate computers. If he had the account information, couldn’t he just access the financial system from the same machine, logging in once to initiate the transfer, logging out, and logging in again to approve it? A number of reasons come to mind:

· Perhaps he was trying to frame these two executives;

· Perhaps the software used to access the financial system required different client modules, hence the need for two separate computers;

· Perhaps the financial system required an electronic certificate from these users that was stored only on their own computers.

I’m sure other reasons come to mind, but let’s go with these. Moving on, how do we know that Abdi is the perpetrator? Having just walked through how the financial system was accessed, I would venture to guess that he did not use his own login credentials. Cal Water is the largest investor-owned American water company west of the Mississippi River and the third largest in the country. I think it is safe to assume that they had some sort of separation of duties control in place, which would explain the need for two computers in two different buildings: the account that initiates a transfer cannot be the account that approves it. Again this is conjecture on my part, but it does make sense.
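The separation of duties control inferred above, as an added example that is not part of the original post and is not Cal Water’s system: a minimal dual-control (four-eyes) transfer workflow in Python. The account names, roles, workstation names and timestamps are constructed for the illustration, and `TransferSystem`, `Transfer` and `rapid_dual_control` are names I made up. It shows the control doing exactly what the post credits it with, refusing to let the account that initiated a transfer also approve it, and also why that control is not an identity control: a second stolen account satisfies it, and the audit log records the victim’s account name, not the person at the keyboard. The `rapid_dual_control` check at the end is a review trigger of my own, not something the post describes.

```python
"""Dual-control (four-eyes) approval for fund transfers.

Added illustration of the separation-of-duties control the post infers;
not any real financial system. Accounts, roles, workstations and
timestamps are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INITIATOR = "initiator"
APPROVER = "approver"


class SoDViolation(Exception):
    """Raised when one account tries to hold both sides of a dual control."""


@dataclass
class Transfer:
    transfer_id: int
    amount: float
    destination: str
    initiated_by: str
    initiated_from: str          # workstation the request came from
    initiated_at: int            # seconds since epoch; constructed values in demo()
    approved_by: Optional[str] = None
    approved_from: Optional[str] = None
    approved_at: Optional[int] = None


@dataclass
class TransferSystem:
    roles: Dict[str, Set[str]]   # account -> roles (assumed directory data)
    transfers: Dict[int, Transfer] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    next_id: int = 1

    def _log(self, event, account, workstation, transfer_id, ts):
        # Every entry is attributed to the account used, not to a person. With
        # stolen credentials the log names the victim, which is why the human
        # witness mattered in the post.
        self.audit_log.append({"event": event, "account": account, "workstation": workstation,
                               "transfer_id": transfer_id, "ts": ts})

    def initiate(self, account, workstation, amount, destination, ts):
        if INITIATOR not in self.roles.get(account, set()):
            raise PermissionError(f"{account} lacks the {INITIATOR} role")
        t = Transfer(self.next_id, amount, destination, account, workstation, ts)
        self.transfers[t.transfer_id] = t
        self.next_id += 1
        self._log("initiate", account, workstation, t.transfer_id, ts)
        return t.transfer_id

    def approve(self, account, workstation, transfer_id, ts):
        t = self.transfers[transfer_id]
        if APPROVER not in self.roles.get(account, set()):
            raise PermissionError(f"{account} lacks the {APPROVER} role")
        if t.approved_by is not None:
            raise SoDViolation(f"transfer {transfer_id} is already approved")
        # Four-eyes rule: the initiating account may never approve, even if it
        # also holds the approver role. The denied attempt is logged too.
        if account == t.initiated_by:
            self._log("approve_denied", account, workstation, transfer_id, ts)
            raise SoDViolation(f"{account} initiated transfer {transfer_id} and cannot approve it")
        t.approved_by, t.approved_from, t.approved_at = account, workstation, ts
        self._log("approve", account, workstation, transfer_id, ts)

    def is_released(self, transfer_id):
        return self.transfers[transfer_id].approved_by is not None


def rapid_dual_control(system, window_seconds):
    """Review trigger (my own heuristic, not from the post): transfers initiated
    and approved within a short window. Two independent approvers rarely act
    minutes apart at night; this does not prove abuse, it selects what a human
    should look at."""
    return [t.transfer_id for t in system.transfers.values()
            if t.approved_at is not None and t.approved_at - t.initiated_at <= window_seconds]


def demo():
    """Walk through the scenario the post describes, with constructed data."""
    # Both executives hold both roles; the four-eyes rule, not the role set,
    # is what separates initiation from approval.
    system = TransferSystem(roles={"exec_a": {INITIATOR, APPROVER},
                                   "exec_b": {INITIATOR, APPROVER}})
    tid = system.initiate("exec_a", "WS-BUILDING-1", 3_000_000.0, "acct-qatar", ts=1000)
    try:
        system.approve("exec_a", "WS-BUILDING-1", tid, ts=1060)   # same account: blocked
        self_approval_blocked = False
    except SoDViolation:
        self_approval_blocked = True
    # A second compromised account satisfies the control: it checks accounts, not people.
    system.approve("exec_b", "WS-BUILDING-2", tid, ts=1300)
    return {
        "self_approval_blocked": self_approval_blocked,
        "released": system.is_released(tid),
        "flagged": rapid_dual_control(system, window_seconds=900),
        "log_events": [(e["event"], e["account"]) for e in system.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the post’s reasoning: the first approval attempt from the initiating account is refused, the second account releases the funds, and the log shows two executive accounts acting on the same transfer a few minutes apart from two different workstations, which is the pattern a reviewer would want surfaced.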

 

But if he used the accounts of those senior executives, how do we know it was him? We believe it to be Abdi because he was observed by a janitor in the buildings on the night of the crime, and he also allegedly attempted to deposit a check for more than $25,000 USD made out to Cal Water into his own bank account. Add to this the facts that (1) Abdi put his wife and children on a plane to Germany on April 28th, the morning after the crime, and (2) Abdi resigned his position as an auditor for Cal Water just hours before he allegedly committed this crime, and things don’t look so good for him right now. (Abdi is currently on the run and is believed to have fled the United States through Canada as of this writing.)

Now this is a good story, worthy of a “movie of the week” (or perhaps an afterschool special for young security professionals still in school). It goes to show that the human element is both our greatest weakness and our greatest strength. Let me explain.

Going back over the story, a few things stand out to me. The first is that Abdi needed his electronic key card to access Cal Water facilities. The second is that he needed to use two separate computers, presumably with two separate accounts, in order to complete the crime.

Now I have no inside knowledge of the Cal Water environment or systems, but it stands to reason that if Abdi could have accessed the facilities without his key card he probably would have, so the physical access controls are most likely adequate to protect against unauthorized access by an external threat source.

Next, he used two separate computers assigned to individuals who most likely had the authority to initiate and approve fund transfers. Not only did he need their computers, he probably needed and used their login credentials. How he obtained those credentials is unclear. Were they written down somewhere? Did he overhear or observe them sometime in the past? Did he install some sort of keylogger software while acting in his capacity as an auditor? (The last is a scenario I made up because it seemed plausible; there is absolutely no indication that this actually happened or is alleged to have happened.) Right now we just don’t know, but it makes sense to me that he needed two separate computers and two separate sets of login credentials with the right level of access to the financial systems. As an auditor, Abdi was likely privy to vulnerability information concerning the financial system, so he probably chose the easiest way to exploit it. That tells me it is very likely that the technical controls on the Cal Water financial system were operating as intended, or were at least sufficient; otherwise why would he go to the trouble and risk of compromising two buildings, two offices, and two accounts? (Again, I have no inside knowledge of Cal Water.)

So if the physical access controls were working as intended and the technical financial controls were working as intended, then the only thing left is a failure of the human control, namely the disgruntled insider, that led to this breach. It was also the human control that identified the perpetrator. Remember that a janitor reported seeing Abdi in the building on the night of the crime, after he had quit. Remember also that Abdi tried to deposit a check made out to Cal Water into his own account, not a very smart thing to do.

People will argue that there was also a failure of the termination process and that Cal Water should have disabled his access (physical as well as technical) when he resigned. What we don’t know is whether his resignation was effective immediately or whether he gave two weeks’ notice. In many companies it is normal operating procedure for an employee departing on favorable terms to wrap things up and transfer their work to another person in their final days in a position. We have no indication at this time that Abdi was a problem employee or that he gave any indication he posed a threat. Remember, from what we know he resigned; he wasn’t fired. There is also every indication that he probably didn’t even use his own login credentials once inside the facility, so even if his technical access had been minimized it most likely couldn’t have prevented his use of another’s credentials. His key card, on the other hand, is what got him into the buildings; had his resignation been effective immediately and his badge deactivated that same day, the physical access step at least would have been harder.

The bottom line is that it appears as if the physical and technical controls were working and operating effectively, so the solution probably isn’t a technical one. The human control is what failed. Yes, you could go through and upgrade the physical and technical controls to require multi-factor authentication both for entry into the facility and for authentication within the network, but is that really feasible in a majority of companies? The need for security must always be balanced with the needs of the business. Had Abdi actually been able to walk off with $9M then perhaps you could justify that sort of expenditure, but in truth he didn’t. (The account in Qatar was frozen and the funds transferred back to Cal Water.)

The insider threat is real, and in an economy like this one it is growing. Studies such as the 2009 Data Breach Investigations Report notwithstanding, the impact of an insider breach is often greater than that of an external breach. In this case it was a transfer of money, but what if it had been a customer list or proprietary data concerning a major company project? (We’re speaking in general here, not about Cal Water specifically.) Touting the number of scans detected or intrusions blocked at the firewall doesn’t mean anything when Joe the employee, who has just been laid off, walks out with your customer list or the details of your proprietary processes on a flash drive. Your competition could then undercut your prices or catch up on years’ worth of development in the space of a day. How much is that worth to your company?

As much as I don’t like the fact that some studies and reports have tried to downplay the risk posed by insiders, I don’t want to overplay their importance either. They are a threat just like other threats, and they need to be addressed just like everything else. What this story shows us is that your security controls need to go beyond the physical and technical realm. Your staff and management need to be trained to identify the potential for employees to become disgruntled insiders and to take steps to address the issue before it becomes one. I talked about this a lot in my three-part series on Insiders (Part One, Part Two, Part Three).

You also need to recognize that there is no way to completely guard against the insider threat, so you need a plan for how to deal with it when it does eventually happen. This takes a coordinated effort across the organization, and since it may involve the seizure of evidence by local or federal authorities (should they become involved), you’ll need to account for that. How should you deal with the media, stockholders, and the public? What you say in the early days, when you aren’t sure exactly what has happened, is just as important as what will eventually be said in hindsight. (See my post on Public Relations and Security.)

This post has given me the idea that it might be useful to do something along the lines of a breach analysis in order to bring up issues that need to be addressed well before an incident happens. Perhaps I’ll do something like that in future posts.


I just finished a book by Michael Santarcangelo entitled Into the Breach: Protect Your Business by Managing People, Information, and Risk. I am ashamed to admit that I hadn’t run across this book sooner and didn’t know about it until after I was a guest on Michael’s podcast a few weeks back. At 110 pages the book is a quick read, but don’t let that fool you: there is a lot of information in here.

The book is aimed at executives and other decision makers, not at technical information security professionals. That is not to say there isn’t value in here for the technically minded, as long as they remember that they are not the target audience. There are a few things in here that might actually cause the technically focused some anguish, but if they are honest with themselves and take a step back they should admit that what Michael says is true.

Into the Breach is the book that I wanted to write. I share Michael’s perspective on many of the topics discussed and have come to the same conclusions, although independently. We attack the problem from different angles but we share so much in common that I’m left to wonder if the differences are merely trivial. As I read the book I heard my own thoughts being echoed back to me more than a few times. I found new and interesting perspectives on issues that I have worked hard to solve and I even learned a few things (which means that it was time well spent.)

The book is broken up into three parts. The first part explains the human factors at play in any environment and seeks to provide an understanding of those factors as they relate to protecting information. I really couldn’t find fault with anything I read in this section.

The second part lays out Michael’s Strategy to Protect Information and its implementation. Michael’s approach to the problem is different from mine, but in no way does that make it any less valid. He does a good job explaining not only how something needs to be done but why it needs to be done, which is the key to mastering anything. That said, I have some constructive criticism to offer on a few things that were mentioned.

The first is that Michael suggests a management team can learn and deploy his strategy just by reading his book. The concepts he lays out are simple and well explained; however, I have facilitated groups through similar processes and it is not as easy as Michael makes it sound. My greatest fear for someone reading Michael’s book is that they will try to implement his program without guidance and then, in failure, conclude that this approach is a load of crap and go back to the way they have been doing things. Processes like this need someone with experience to facilitate their adoption, steer teams around pitfalls, and ultimately achieve success.

The second criticism is that near the end of Part Two, Michael talks about metrics and how to measure the success of the program. This is indeed an important point; however, his examples did little to illustrate it and may in fact have made his argument weaker. He talks about blending quantitative and qualitative measures (a concept I’m wholly in favor of) but gives his executive/decision-maker reader little to take back that is actionable.

The third part addresses considerations for extending and enhancing the strategy laid out in Part Two. Michael talks about how his strategy can help protect the bottom line and reduce the cost of compliance. I agree that it will, but again the topic was treated so quickly that a reader may be left to conclude that this is all there is to the argument. They couldn’t be more wrong, but would someone in the target audience know this? Perhaps; perhaps not.

Please, dear readers, don’t construe my criticisms as a damning critique of this book. At 110 pages it is nearly impossible to cover the topics Michael has attempted. This book is exactly where it needs to be in terms of detail for its intended audience. I applaud Michael for writing it. It is a book that has been needed for a very long time. I highly recommend it. I would even go so far as to say that you should buy several copies and give them out to senior executives in your organization, but only if you intend to follow up with several conversations about how to apply these principles in your environment. Use this book as a basis upon which to build conversations on how you can improve security within your organization and environment.
