Insider Abuse at Dept. of Homeland Security
A federal agent with the Department of Commerce is being charged with misusing a federal database to harass and abuse his ex-girlfriend. eWeek reports:
According to the indictment, Robinson began a relationship with an unidentified woman in 2002 that ended acrimoniously seven months later. After the breakup, federal authorities allege Robinson accessed a government database known as the TECS (Treasury Enforcement Communications System) at least 163 times to track the travel patterns of the woman and her family. The indictment also claims that during and after the relationship, Robinson alternatively threatened to have the woman deported or to have her and her family killed.
Insider abuse is a threat everywhere and is especially problematic in government agencies. If I don't like the fact that my bank is involved in a high-profile data breach, I can switch banks. I can't switch federal governments. Of course, the fact that this guy was caught means someone is watching:
Federal agents are authorized to use the TECS database only in the performance of their official duties and not for personal reasons. In addition, law enforcement agents receive training in TECS security and privacy, and are issued unique passwords to access TECS so that their use of the system can be monitored.
Bruce Schneier writes:
What I want to know is how he got caught. It can be very hard to catch insiders like this; good audit systems are essential, but often overlooked in the design process.
In an earlier post on an insider attack by a database administrator, I also argued that auditing is essential. But one reader, Jim Kerr, commented:
I agree with the premise of this article. But how do you know your audit trail is accurate if you are using passwords for authentication identity? If I was an insider making a move I would not use my own credentials. I would use someone else's user name and password. This is the problem with the jaded mentality that passwords protect systems and correctly identify users in audit logs.
Jim Kerr is right: a username in an audit log is not a smoking gun, but it can be one of several pieces of information that collectively lead to the perpetrator. Other information, such as source IP address, time of day, and method of access, can all help build a picture of how the attack took place.
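To make that concrete, here is an added example (my own illustration, not code from the post or from any TECS audit tooling) of correlating several audit-log fields rather than trusting the username alone. The log format, the account-to-workstation table, the business-hours window, the repeat threshold and every record in the sample trail are constructed assumptions; the point is that an off-hours query, a login from a host the account was not issued to, and a single account repeatedly looking up the same subject are each leads that a password-only view of "who did it" would miss.

```python
"""Correlating audit-log fields beyond the username.

Added example, not code from the original post. The log format, the
field names, the expected-host table and the thresholds are all
constructed assumptions for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample audit trail: timestamp, user, source IP, action, subject.
SAMPLE_LOG = """\
2005-03-01T09:12:00 agent_a 10.1.4.20 QUERY_TRAVEL subj_1001
2005-03-01T09:15:00 agent_b 10.1.4.21 QUERY_TRAVEL subj_2002
2005-03-01T22:40:00 agent_a 10.1.4.20 QUERY_TRAVEL subj_3003
2005-03-02T09:01:00 agent_a 10.1.4.20 QUERY_TRAVEL subj_3003
2005-03-02T09:03:00 agent_a 10.1.4.20 QUERY_TRAVEL subj_3003
2005-03-02T09:05:00 agent_a 10.1.4.20 QUERY_TRAVEL subj_3003
2005-03-03T14:00:00 agent_b 192.168.9.9 QUERY_TRAVEL subj_4004
2005-03-03T14:02:00 agent_b 10.1.4.21 QUERY_TRAVEL subj_2002
"""

# Assumed baseline: the workstation(s) each account is issued to.
EXPECTED_IPS = {"agent_a": {"10.1.4.20"}, "agent_b": {"10.1.4.21"}}


def parse_log(text):
    """Turn whitespace-separated audit lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: keep going rather than trust a partial record
        ts, user, ip, action, subject = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "ip": ip, "action": action, "subject": subject,
        })
    return records


def audit(records, expected_ips, repeat_threshold=3, business_hours=(8, 18)):
    """Return (kind, user, detail) findings built from several log fields at once.

    No single field is a smoking gun; each finding is a lead to corroborate
    with other evidence (badge records, workstation logs, whether the subject
    relates to the agent's caseload).
    """
    findings = []
    start, end = business_hours

    # 1. Time of day: queries outside business hours.
    for r in records:
        if not (start <= r["ts"].hour < end):
            findings.append(("off_hours", r["user"],
                             f"{r['action']} at {r['ts'].isoformat()}"))

    # 2. Source address: an account used from a host it was not issued to.
    #    This is the case Jim Kerr raises: the username alone cannot show
    #    whether the named agent or someone holding their password was typing.
    for r in records:
        if r["ip"] not in expected_ips.get(r["user"], set()):
            findings.append(("unexpected_host", r["user"],
                             f"{r['ip']} at {r['ts'].isoformat()}"))

    # 3. Volume per subject: the same account repeatedly looking up the same
    #    person, with no case to justify it, is the pattern in the indictment.
    per_subject = Counter((r["user"], r["subject"]) for r in records)
    for (user, subject), n in sorted(per_subject.items()):
        if n >= repeat_threshold:
            findings.append(("repeated_subject", user, f"{subject} x{n}"))

    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG), EXPECTED_IPS):
        print(f"{kind:18} {user:8} {detail}")
```

Run against the sample trail, this reports three leads: agent_a querying at 22:40, agent_b's credentials used from 192.168.9.9 (a host the account was never issued to), and agent_a looking up subj_3003 four times in two days. In a real deployment the baseline of expected hosts and hours would come from the identity and asset systems rather than a hard-coded table, and the repeat threshold would be tuned per role, but the structure of the check is the same.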
I'm interested in hearing what level of auditing is used by readers. Feel free to post a comment with your thoughts.



