Fannie Mae Learns Luck Isn’t Good IT Oversight



SecurityProNews
Staff Writer
2009-02-02



A "logic bomb" set to go off this past weekend by a terminated Fannie Mae employee sent shockwaves through the security industry, bringing up the inevitable "how do I keep this from happening to me?"


The first step is, unlike Fannie Mae, not relying on luck to protect your network.

It was only via sheer luck a Fannie Mae employee discovered Rajendrasinh Makwana's code insertion that would have destroyed information on 4,000 servers Saturday morning. If not for that good fortune, Fannie Mae would be very publicly struggling to locate the source of sabotage set in motion last October.

But whichever is the lesser of the two embarrassments (setting aside the company's obvious financial mismanagement), it appears Fannie Mae was far too casual about the process by which network access is changed in the event of turnover.

An affidavit in the case showed that as many as 8-12 hours went by after Makwana's termination before he was no longer able to access Fannie Mae's network. Fired at 1:00 p.m., Makwana didn't turn in his company-issued laptop (the machine to which the IP trace led back) until 4:45, giving him around three hours to insert malicious code in anger. Access wasn't terminated until late that evening.

"Where the hell are the controls on Fannie Mae's change management process?" asks security consultant Hal Pomeranz. "How is it possible that Makwana was able to modify code that ran on Fannie Mae's production systems without that modification being detected? Having a front-end change control process is nearly useless if you don't have back-end controls to verify that the process is being followed correctly."

Indeed, well before he was able to change the code, access termination should have been simultaneous with Makwana's termination. Pomeranz suggests biting the overhead bullet and using file integrity assessment tools like Tripwire, AIDE, and Samhain. He also cites available change management research.
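The "back-end control" Pomeranz describes is, at its simplest, a baseline of cryptographic hashes over the files that run on production, re-checked on a schedule so that any change not tied to an approved change ticket stands out. The following is an added illustration written for this article, not code from Fannie Mae, Pomeranz, or any of the tools named above; it records a SHA-256 baseline for a directory tree, then reports files that were added, removed or modified. The sample tree and the "unauthorised edit" in the demo are constructed inline so it runs offline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each relative path under root to a fingerprint of its content.

    Symlinks are recorded by their target string rather than followed, so a
    planted link cannot make the scan hash (and silently 'approve') a file
    that lives outside the monitored tree.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():                      # must test before is_file()
            baseline[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            baseline[rel] = hash_file(path)
    return baseline


def save_baseline(baseline, out_path):
    """Persist the baseline; in practice store it off-host and signed."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify every difference between two scans."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then alter the tree and re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "nightly.sh").write_text("#!/bin/sh\necho backup\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=prod\n")

        baseline_file = root.parent / (root.name + ".baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Constructed change outside any approved ticket: one script edited,
        # one new file dropped into the tree.
        (root / "bin" / "nightly.sh").write_text("#!/bin/sh\necho backup\necho extra\n")
        (root / "etc" / "new.conf").write_text("x=1\n")

        report = compare(load_baseline(baseline_file), build_baseline(root))
        baseline_file.unlink()
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The value of the check comes from comparing its output against the change-control record: every entry in "added", "modified" or "removed" should correspond to an approved change, and anything that does not is the signal a front-end process alone cannot produce. The baseline itself has to live somewhere the people who can edit production cannot also edit, otherwise a saboteur simply re-baselines after planting the change.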

Stephen Hall at the Internet Storm Center has other suggestions, like separation of duties, role-based access control, and "the four eyes principle."



About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
