“Andritz” Court Decision and Protecting Against Insider Threats
By Centrify
Friday, February 13, 2009
I just read about a very recent court decision that has interesting consequences for information security but is receiving little to no media attention. As you may know from my recent blog on the insider attack that was foiled at Fannie Mae, one that could have knocked that entire organization offline for a week, unauthorized access by insiders and/or former employees should be a huge concern these days. But a recent ruling by a Federal court in Georgia in the Andritz, Inc. v. Southern Maint. Contractor, LLC case held that lost revenue caused by theft may not be recoverable under the Computer Fraud and Abuse Act. To me this means that if you can’t stop an ex-employee from stealing information from your systems in the first place, via proper de-provisioning and auditing tools, you may be out of luck when it comes to recovering the money lost to that theft.
I was able to spot this case via a client alert sent out by the law firm of Wilson Sonsini which represents Centrify in corporate matters. I will quote a few relevant sections of the alert below. First, they describe the Computer Fraud and Abuse Act (CFAA):
“The CFAA was first enacted in 1984 with the intention of protecting classified information on government computers and financial records and credit information on government and financial institution computers … Violations of the CFAA include (i) the unauthorized access to a computer for a wrongful purpose that results in the offender obtaining something of value, and (ii) the knowing transmission of “a program, information, code, or command” that intentionally causes damage to a covered computer. Companies have successfully asserted CFAA claims in widely varying contexts, including actions involving a scraper program loaded by a competitor onto the company’s computer network to obtain pricing information, a data-deletion program installed by an employee on a company laptop after the employee decided to terminate his employment, and the harvesting of e-mail addresses in order to send unsolicited bulk email.”
OK, sounds good: it looks like there is some solid protection against information theft by ex-employees who hack into the system using a shared and/or orphaned account. But not so fast, my friends …
“In Andritz, an employer brought a CFAA claim against former employees who allegedly accessed the employer’s computer network without authorization and obtained files containing trade secrets for the purpose of providing the files to a new employer. … The court dismissed the case, finding that revenues lost due to the defendants’ use of the improperly obtained information to lure customers from the employer were not compensable damages under the CFAA. … The Andritz court interpreted this provision narrowly, holding that the only lost revenue recoverable under the statute is the revenue lost because of an interruption in computer service.”
In other words, the court ruled that because the systems did not go down as a result of this theft, you can’t use this specific computer fraud act to recover any lost revenue. Conceivably you could get some damage recovery via other means, such as if you had an NDA with the employee, but this potentially knocks out one remedy. The net result is that this clearly puts a further premium on IT organizations to implement superuser privilege management and detailed user-level auditing to stop insider threats well before these attacks cause lost revenue. Here is what Wilson Sonsini recommends to IT organizations:
“Companies may want to consider how they monitor and enable access to such [confidential] information and ensure that access is promptly terminated when the employee departs. Finally, the presence of or access to tools that enable analysis of user activity, including log-file management, can help employers evaluate whether or if any such unlawful access has occurred.”
We wholeheartedly agree with these recommendations, and I think Centrify is pretty uniquely qualified to address these requirements in heterogeneous computing environments with our Centrify Suite, for the following reasons:
- Because DirectControl lets users and IT staff authenticate to non-Microsoft platforms through a single, secure, integrated capability backed by Microsoft Active Directory, it helps organizations break the bad habit of IT staff sharing the UNIX root password and the passwords of other privileged accounts. Instead, personnel log in with an account that clearly identifies who the user is (i.e. their AD account), which means that when an IT staffer is terminated you don’t have to change the root password on all your systems, as they were never sharing the root account to begin with. It also makes it possible to immediately disable a given user’s access across the enterprise (i.e. all UNIX and Windows systems) in one place: Active Directory.
- DirectControl not only controls who can authenticate to your mission-critical UNIX systems, but its patented Zone technology also provides granular access control to further limit which users can authenticate to which particular systems or groups of systems.
- Our DirectAuthorize solution provides centralized, role-based privilege management features that help you manage and enforce fine-grained control over user access and privileges on UNIX and Linux systems.
- Finally, our DirectAudit solution helps you spot suspicious activity by showing which users accessed what systems, what commands they executed, and what changes they made to key files and data.
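As an added illustration of the de-provisioning and log-analysis recommendations above (example code written for this page, not code from the original post or from Centrify’s products), the following Python script scans sshd-style authentication log lines for the two conditions the post is concerned with: a direct login with a shared, non-attributable account such as root, and any access or attempted access by an account after the point at which its access should have been revoked. The log lines, the hypothetical HR revocation feed and the account names are all constructed assumptions.

```python
"""Flag shared-account logins and post-departure access in auth log lines."""
import re
from datetime import datetime, timezone

# Constructed sshd-style log lines for demonstration (not real data).
SAMPLE_LOG = """\
2009-02-10T09:12:03Z sshd[4123]: Accepted publickey for jsmith from 10.0.0.5 port 50122
2009-02-11T17:40:10Z sshd[4210]: Accepted password for root from 10.0.0.9 port 50190
2009-02-12T22:05:44Z sshd[4388]: Accepted password for jsmith from 203.0.113.7 port 51102
2009-02-12T23:15:01Z sshd[4402]: Accepted publickey for akhan from 10.0.0.5 port 51210
2009-02-13T08:02:19Z sshd[4450]: Failed password for jsmith from 203.0.113.7 port 51311
"""

# Hypothetical HR feed: username -> moment at which access should have been
# disabled (e.g. end of the employee's last day, UTC). Constructed values.
REVOCATION_DEADLINES = {"jsmith": datetime(2009, 2, 11, 18, 0, tzinfo=timezone.utc)}

# Accounts that cannot be attributed to one person; any direct login is a finding.
SHARED_ACCOUNTS = {"root", "oracle"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def find_findings(log_text, deadlines, shared_accounts):
    """Return (kind, user, timestamp, source_ip) tuples for lines that need review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user, src, result = m["user"], m["src"], m["result"]
        if user in shared_accounts and result == "Accepted":
            findings.append(("shared_account_login", user, ts, src))
        deadline = deadlines.get(user)
        if deadline is not None and ts > deadline:
            kind = "post_departure_access" if result == "Accepted" else "post_departure_attempt"
            findings.append((kind, user, ts, src))
    return findings


if __name__ == "__main__":
    for kind, user, ts, src in find_findings(SAMPLE_LOG, REVOCATION_DEADLINES, SHARED_ACCOUNTS):
        print(f"{kind:24} {user:8} {ts.isoformat()} from {src}")
```

Successful logins before the revocation deadline and logins by accounts with no deadline are left alone, so the report contains only the events a deprovisioning review should look at.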
For more information, check out this webinar we did with Gartner on how to enable detailed user-level auditing in your organization to protect against attacks and threats.