Security's Everyman

Tuesday, January 29, 2008

The lunatic is in my head

You can stop with the snide comments now. :)

It seems that every week we read about another insider who has done something to damage the company. Sometimes it is physical (postal shootings, Coke document theft), sometimes it is digital theft, planting of a virus or logic bomb, unauthorized access after termination of employment, etc. It seems to me that there are two common themes in most of these:
1) Disgruntled employee.
2) Human error. This ranges from failing to implement proper controls or procedures, to failing to follow them, to laziness, apathy, or carelessness.

This morning I read this story about an inside job where an employee of AT Systems (an armored money delivery service) stole 8.5 million dollars. He was able to pull it off by being smart and observant.

He used another employee's security code to gain entry to the building after hours. The story doesn't say how he got the code. Did the other employee give it to him? Did he get it by "shoulder surfing"? Did he find it written down somewhere? Let's look at each of these and see what went wrong.

  • It was given to him. I would imagine that a company that handles large amounts of cash would have a policy against sharing your access code with others. So the human error of laziness, apathy or carelessness comes into play.
  • He "shoulder surfed" it. I would think that the company teaches their employees to be careful when entering security codes to ensure that others do not find out what their code is. So again laziness, apathy, or carelessness comes into play.
  • He found it. I also imagine that they have a policy that forbids you to write your code down. Most of these codes are fairly short (4 to 6 digits) and are easy to memorize. So what went wrong here? Again, I have to point to human error.

Regarding this I have a couple of questions. Why did the code give 24/7 access (I'm assuming) to the building in the first place? Was there a legitimate business need for full and unfettered access? I doubt it, and even if there is, when access to that much cash is involved I would think that dual access control would be called for. This is where policy and procedure need to step up. No one person should ever be allowed to gain access to that much cash, or even to the facility that houses that much money.

The other thing that the article mentions is that he "watched and listened".

 "I decided to steal money from AT Systems' vault," he wrote. "I set about learning codes and watching and listening."

One thing that I preach in User Awareness is that you have to be careful what you talk about and where you talk about it, even if you are at work. There are things that not everyone needs to know. Don't discuss procedures around people who don't need to know them. Again, when entering passwords, access codes, combinations, etc., ensure that no one else can see what you are doing. In my opinion, those who were careless in what they discussed, and in how they failed to protect the information needed to gain access to the money, are partially to blame for the loss.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.