
Risk

6/30/2006
02:09 PM
Tom Smith
Commentary

7 Lessons From IT Security Trial

Over the last several weeks, InformationWeek has been covering the trial of a former UBS PaineWebber systems administrator, Roger Duronio, who's accused of writing and setting off a highly destructive logic bomb at his former employer as revenge for not receiving the maximum yearly bonus. The government prosecution contends that Duronio was not only looking to wreak havoc, but also to profit by purchasing securities whose value would rise if the company's stock went down--the theory being that the company's stock would tank as a result of the security problem that prevented traders from doing their work. The trial provides an enlightening perspective on the damage such attacks can cause, as well as other security lessons that all IT organizations must learn if they're going to avoid becoming victims. My top seven:

  • If you want to make it as difficult as humanly possible for hackers--whether employees or outsiders--to ply their trade, your company needs to have bulletproof security policies and practices. That may seem extremely obvious, but in the course of this trial, UBS employees acknowledged that 40 systems administrators in the company's data center used the same password for root--or all-encompassing--access to the company's network. The defense has been aggressively pouncing on this as an indicator of porous security that left the network vulnerable to attack, and it's tough to argue that point. In addition, 20% of the servers affected by the attack had inadequate data backup--not the smartest move for a company whose lifeblood, stock trading, requires data access.

  • Don't underestimate the measures a hacker or person seeking revenge will go to in order to prove their point or carry out their plan. In this case, the sophistication of the logic bomb's author has come into question, but one point is undeniable: The person responsible methodically placed the trigger that set off the logic bomb on every affected server two times to maximize the chances it would wreak havoc. Sophisticated or not, the plan did immense damage, just as the attacker hoped it would.

  • You can't be too wary of disgruntled or otherwise suspicious employees. Sure, we'd all be pissed off if our bonus came up $15,000 to $20,000 short. That's not chump change, even for someone making a base salary of $125,000 per year, as the defendant was. But how many of us would be willing to risk our future, our reputation, the reputation of our families, and a lengthy jail stay over that amount of money? Duronio was prepared to do so, if the prosecution's account is accurate.

  • The effects of a major attack can be far-reaching and long-lasting, even after the forensics pros have gone home and the remediation work is done. By the admission of UBS's own IT pros in trial testimony, on March 4, the date of the attack, for two or three years afterward they took critical servers offline to avoid the effects of any lingering malicious code. Also by UBS's own account, the effects are still felt today, more than four years later.

  • Even a hacker who's successful at damaging systems and impairing business can be susceptible to stupid behavior that points back to him or her. We don't yet know whether Duronio is guilty, but the existence of hard-copy printouts of malicious code in his home is likely to weigh heavily on the jury.

  • When it comes to security--and in fact all IT work--choose your vendors carefully. The defense has been hammering away at UBS's use of @Stake after the attack, in part because it employed well-known hackers. It's entirely possible, even likely, that @Stake is totally on the up and up. Perhaps UBS was fully aware of the hacking backgrounds of some employees and considered those backgrounds when hiring @Stake. Let's hope that was the case.

  • IT security problems--aside from the direct financial damage to a business--can be a public relations nightmare for any company, and even worse for a financial services firm. UBS's PR organization must be eagerly awaiting the day this trial is over and no longer in the news. No matter how well-meaning and even well-run its IT operations may have been, the trial isn't casting that organization in a positive light.
