News Stay informed about the latest enterprise technology news and product updates.

San Francisco network lockup justifies CIO fears

It's almost too terrible to fathom -- a network administrator hijacks your network. But is there anything you can really do about it, other than keep your fingers crossed?

Take it from the message boards.

The judgment for IT managers was swift when news broke that a San Francisco city network administrator had been arrested and charged with locking his own bosses and colleagues out of the city's new fiber wide area network (WAN).

"Whoever was managing this guy also needs to be let go, with prejudice: one should never allow this many basic security rules to be broken, no matter how talented the admin is," a poster going as "Sotarr" remarked on's blog, CIO Symmetry. His statement echoed a sentiment attached to most news items covering the arrest of Terry Childs, 43, of Pittsburg, Calif.

What happens to Childs' superiors -- aside from the intrinsic embarrassment -- remains to be seen. But the version of the San Francisco snafu told by prosecutors, which paints Childs as a disgruntled employee, draws a nightmare scenario for any CIO. What horror awaits when you can't trust your own people?

More on information security
Blog: San Francisco IT hack story looks a bit too much like

Insider threats a problem for SMBs, too
Traditionally, CIOs and security professionals have focused on external threats, malicious attacks by people outside the company looking to exploit systems and steal data, said Jim Maloney, president and CEO of Santa Fe, N.M.-based Cyber Risk Strategies LLC.

But two recent surveys show that midmarket organizations are becoming significantly concerned about breaches from inside the business, malicious or not.

The 2008 (ISC)2 Global Information Security Workforce Study, conducted by Frost & Sullivan, found that 51% of IT executives and security professionals consider internal employees "the biggest threat" to security. And an Information Security magazine survey this year found a full 70% of respondents concerned about detecting and shutting down internal attacks.

"It's a concern based on people reading the news and thinking about it," Maloney said. "I think there's more awareness and appreciation of the insider threat. An insider threat is both malicious and incidental. Sometimes it's an insider who has very high privileges, but they accidentally expose information."

Prosecutors claim that Childs was most definitely being malicious and that he hijacked the WAN he helped implement across San Francisco city government. He faces four felony charges of network computer tampering. Prosecutors say he improperly accessed the network for a number of weeks before eventually locking other administrators out and holding the passwords hostage.

More distressing is the accusation by authorities that Childs was exhibiting hostile behavior as far back as a month ago, taking pictures of his department's new head of security as she conducted a password audit on June 20, as reported by The San Francisco Chronicle.

Whoever was managing this guy also needs to be let go, without prejudice.
commenterCIO Symmetry
A determined IT staffer has countless opportunities to sabotage a business's operations. Eliminating that risk is impossible, experts say, and minimizing it requires a series of security efforts that go beyond the IT department and extend across the business.

"One of the things that really caught my eye [in San Francisco] is you had an HR and IT communications breakdown," said Michael Maloof, CTO at Post Falls, Idaho-based TriGeo Network Security Inc., a maker of network monitoring tools.

"When you talk about the classic disgruntled employee, HR certainly has a responsibility to communicate back to IT, not the details or what discipline, but that there is a new situation."

CIOs can -- and should -- monitor employee network access, Maloney said. Concurrently, they should be careful not to alienate or intimidate employees by watching over their shoulders.

"I think you have to find a balance that you do have to let people know that you are monitoring and watching what's going on, but you have to have them appreciate the motivation and reasoning for it," he said. "It's not because you inherently distrust every employee."

Maloney said he has been "pretty impressed with the maturity of the data log prevention solutions" that give users warning pop-ups and alert administrators to certain instances of network access.

Maloof said there is nothing wrong -- and everything right -- with keeping an eye on even the highest-level IT staffers. Considering the accusations against Childs, he said the lockout could have been avoided.

"He had a perfectly legitimate right to have this access, but we all know in our day-to-day jobs you don't need to use this access," Maloof said.

Of course, it's not all about new security and monitoring products. Tried-and-true methods still work. Simple solutions, like requiring two administrator passwords for certain network activity, go a long way toward prevention, Maloney said.

Let us know what you think about the story; email: Zach Church, News Writer

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.