Establish Effective Procedures for Removing Systems Access: Example

An article from last Wednesday (11/15) just caught my eye; it is intriguing: "Hoffacker charged with hacking system." The article indicates a former VP of Technology at Source Media, Stevan Hoffacker, was

"charged with hacking into the company's computer system three years after he was dismissed, and tipping off employees whose jobs were in jeopardy."

The article also states:

"Prosecutors have alleged that Hoffacker, who worked for Source Media and its predecessor company from 1998 to 2003, hacked into the company's e-mail network and sent e-mails to two Source Media employees in August and in September of this year, alerting them that they might lose their jobs. The messages were sent from a Yahoo account, according to court documents.

Hoffacker had access to usernames and passwords of other employees during his work in the company's information technology department, prosecutors said."

I wonder what the real story is. Sending emails is not, by itself, considered hacking...unless the email system was not reachable from outside sources. It would be very rare (though, yes, such systems still exist) for an email system to be configured to allow emails to originate and be delivered only within a closed network. The last time I used a system like this was on an IBM 360/370 mainframe-based email system accessible only through "dumb" terminals, around 10 - 12 years ago. The system was Emc2/TAO from Fisher International; it could also have been installed to exchange email with systems outside the network, but this particular installation was not.

So, if the Source Media email system could communicate with email senders and recipients outside the network, would sending emails to Source Media staff be considered hacking? If an email server is configured to receive emails from outside the network, and Hoffacker's email address was not explicitly blocked, in what other way could hacking have occurred? If there had been some type of restraining order requiring Hoffacker not to send emails and he did anyway, could this legally be considered "hacking"? Or, if his known email address had been blocked, but he used a different address to send to the two employees, could that be considered "hacking"?

Or...perhaps I'm missing a key component of the story...

"The two employees had been the subject of e-mails among executives discussing their employment status and possible termination, the government said."

So, is the hacking claim based upon Hoffacker knowing information (that he used to tip off the two employees) that had been communicated within the Source Media system between the executives, but not, to Source Media's knowledge or logs, sent directly to Hoffacker?

If so, and this is likely the case, this points out a few information security practices that Source Media apparently lacked:

* Implement policies and procedures to remove systems user account access to network and computer resources immediately upon, and in certain cases prior to, termination/dismissal.
* Implement additional controls to ensure systems access is monitored for trusted systems users, such as administrators.
* Never give administrators access to view the systems account passwords.
* Encrypt passwords in storage (at rest) and in transit (in motion).
* Encrypt confidential information within email messages.
* Consistently enforce policies and procedures.
* Communicate via training and awareness activities the importance of these information security and email issues, and explain, in multiple ways, how these activities impact business.
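
One way to make the first two practices concrete, as an added example that is not from the original post or from any organization it mentions: reconcile an HR termination feed against the account directory to find accounts that should already be disabled, and scan a mail-server authentication log for events after a user's last day, successful or not. The same block also shows the salted-hash credential store that the third and fourth practices call for, so that an administrator reading the store cannot see anyone's password. All usernames, dates, log lines, the log format and the PBKDF2 iteration count are constructed or assumed.

```python
"""Offboarding reconciliation and post-termination access detection.

Added example, not code from the original post or from any company it
mentions. Every data set below (HR feed, account directory, auth log)
is constructed for illustration.
"""
import hashlib
import hmac
import os
from datetime import date, datetime

PBKDF2_ROUNDS = 200_000  # assumption: an iteration count chosen for illustration
REVIEW_DATE = date(2006, 11, 20)  # constructed: the day the reconciliation runs


# --- Credential storage -----------------------------------------------
# The directory stores only a random salt and a PBKDF2 digest, never the
# plaintext password, so an administrator who can read the store still
# cannot recover another user's password.

def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh 16-byte salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Access removal -----------------------------------------------------
# Constructed HR feed: username -> last day of employment. HR can set this
# date earlier than the actual exit when access should end before dismissal.
HR_TERMINATIONS = {
    "mrivera": date(2003, 6, 30),   # former IT administrator, left years ago
    "jdoe": date(2006, 9, 1),       # recently dismissed, already disabled
}

# Constructed account directory: username -> account attributes.
DIRECTORY = {
    "mrivera": {"enabled": True, "role": "admin"},
    "jdoe": {"enabled": False, "role": "user"},
    "asmith": {"enabled": True, "role": "user"},
}

# Constructed mail-server authentication log, one event per line.
AUTH_LOG = """\
2006-08-14T22:41:03 user=mrivera src=203.0.113.7 result=ok
2006-08-14T22:42:10 user=asmith src=10.0.0.5 result=ok
2006-09-02T09:15:44 user=jdoe src=198.51.100.9 result=fail
2006-09-02T09:16:01 user=asmith src=10.0.0.5 result=ok
"""


def accounts_to_disable(terminations, directory, today):
    """Usernames whose last day has passed but whose account is still enabled."""
    return sorted(
        user for user, last_day in terminations.items()
        if last_day <= today and directory.get(user, {}).get("enabled", False)
    )


def parse_auth_line(line):
    """Parse 'timestamp key=value ...' into (datetime, user, src, result)."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(timestamp), kv["user"], kv["src"], kv["result"]


def post_termination_access(terminations, log_text):
    """Authentication events, successful or not, by users after their last day.

    A successful event means access removal failed; a failed one means the
    credentials were still being tried, which monitoring should also surface.
    """
    findings = []
    for line in log_text.splitlines():
        when, user, src, result = parse_auth_line(line)
        last_day = terminations.get(user)
        if last_day is not None and when.date() > last_day:
            findings.append({"user": user, "when": when.isoformat(), "src": src, "result": result})
    return findings


if __name__ == "__main__":
    print("disable now:", accounts_to_disable(HR_TERMINATIONS, DIRECTORY, REVIEW_DATE))
    for finding in post_termination_access(HR_TERMINATIONS, AUTH_LOG):
        print("post-termination auth:", finding)
```

Run against the constructed data, the reconciliation reports the long-departed administrator account as still enabled, and the log scan surfaces both that account's successful login years after its owner's last day and a failed attempt on the already-disabled account the day after dismissal. In a real deployment the HR feed and the auth log would come from the HR system and the mail server rather than from inline constants.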

Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.