7.1.2 Case Study 18
The insider, a contractor, was employed by the victim organization, a high technology company that developed and manufactured various computer components. The insider worked for the organization for a few years before moving to the division where the incident occurred. The insider worked in the supercomputer division (SCD), which was devoted to creating extremely valuable supercomputers used for functions such as ensuring nuclear weapons safety. The computers were password protected, and the highly sensitive data was stored in an encrypted form.

The division experienced a problem with its email systems, leading to a dispute between the insider and a systems administrator. The insider became disgruntled when his suggested approach to addressing the problem was not applied, and the systems administrator ultimately resolved the email issue with a different approach. The insider decided to leave this division of the organization because he felt that any decision he made would be superseded by the systems administrator. The organization disabled the insider’s passwords to all but one of the supercomputers (Computer X). Subsequently, the insider began working as a contractor for another division within the victim organization.

A year after the insider’s dispute with the systems administrator, a colleague noticed that the insider was running a gate program, which enabled the insider to remotely access the organization’s computers. The organization’s security policies explicitly prohibited using gate programs because they bypass the firewalls the organization uses to prevent computer intrusions. The colleague confronted the insider, who responded that he used the program to access his email while he was traveling but was aware that it violated the organization’s security policy, and he agreed to modify the program. Five months later, the same colleague noticed that the insider was using another gate program and confronted the insider again. The insider requested that his account for that specific computer be closed, and transferred his gate program to Computer X.

The insider downloaded a password cracking program and ran it on Computer X. The insider obtained a password for one of Computer X’s authorized users, which he then used to log onto Computer X and copy its complete password file. The insider uploaded this password file to another SCD computer and used it to obtain 35 user passwords for those working in the SCD. The insider’s goal was to use the breach to demonstrate that the security in the SCD had declined when the insider departed and to regain the respect he lost when he left the SCD. The insider ran the crack program on another SCD computer and used it to obtain additional information to demonstrate the inadequacy of the SCD’s security.

A colleague noticed that the insider was running the crack program and that the insider’s password for Computer X had not been disabled. The colleague reported this to a network security specialist and the local police department. The insider was arrested, convicted, ordered to pay $68,000 restitution, and sentenced to five years of probation followed by 480 hours of community service. If the insider did not fulfill these obligations, he was to serve 90 days in jail. The restitution order was reversed, and an appellate court later expunged the conviction.
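The central control failure in this case is that the insider's account on Computer X stayed enabled for over a year after he left the SCD and was only noticed by chance. The following added example (not part of the case study or of the victim organization's tooling) shows the kind of periodic access-reconciliation check that would have surfaced it: every enabled account on a division's hosts is compared against the division's current roster, and any account whose owner has transferred out is flagged with its age. Host names, user names, divisions and dates are constructed sample data.

```python
"""Access-revocation reconciliation check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    host: str
    division: str   # division that owns the host
    user: str
    enabled: bool


# Constructed: who currently belongs to which division.
ROSTER = {
    "scd": {"alice", "bob"},
    "other-division": {"insider", "carol"},
}

# Constructed: transfers out of a division, keyed by (user, division).
TRANSFERS = {("insider", "scd"): date(2000, 3, 1)}

# Constructed: per-host account export. Models the case: the insider's
# access was disabled everywhere in the SCD except Computer X.
ACCOUNTS = [
    Account("scd-host-1", "scd", "alice", True),
    Account("scd-host-1", "scd", "insider", False),            # correctly disabled
    Account("computer-x", "scd", "insider", True),             # the lapse
    Account("computer-x", "scd", "bob", True),
    Account("other-host", "other-division", "insider", True),  # legitimate new role
]

AUDIT_DATE = date(2001, 4, 1)  # constructed: when the check is run


def stale_accounts(accounts, roster, transfers, today):
    """Return (host, user, days_since_transfer) for every enabled account whose
    owner is no longer on the roster of the division that owns the host.
    days_since_transfer is None when no transfer record exists."""
    findings = []
    for a in accounts:
        if not a.enabled or a.user in roster.get(a.division, set()):
            continue
        left = transfers.get((a.user, a.division))
        findings.append((a.host, a.user, (today - left).days if left else None))
    return findings


if __name__ == "__main__":
    for host, user, days in stale_accounts(ACCOUNTS, ROSTER, TRANSFERS, AUDIT_DATE):
        print(f"STALE: {user}@{host} still enabled, {days} days after leaving division")
```

Run on a schedule and fed from real host exports and HR/roster data, a check like this turns "a colleague happened to notice" into a routine finding with a measurable age.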
1. What security lapses happened and how did the organization suffer?
2. What are the factors that led to this event?
3. What should have been done in order to prevent this issue?
Solutions: