Posts Tagged ‘data security’

Cloudy judgement at BAE Systems

Posted in 2011 on December 9th, 2011 by Robert X. Cringely – 63 Comments

Microsoft last week lost a potential European customer for its cloud-based Microsoft Office 365 product over concerns about the Patriot Act allowing U.S. government access to private data. UK defense contractor BAE Systems said they’d changed plans on advice of their lawyers. Smart lawyers.

If we have to rely on lawyers for data security advice, we’re in real trouble.

Frankly I think the US Government and the Patriot Act would be the least of their problems. If a defense contractor put their data on a public cloud service it would be an open invitation to Iran, North Korea, China, and others to try to steal it.

It boggles my mind that BAE even thought about putting their data in the cloud, yet stories quoting company officials show they were about to pull the trigger.

In many industries — but especially defense — there must be absolute data security. They traditionally have had a rigorous process to control where data is kept, how it is kept, how it is accessed, who can access it, etc. I am troubled by the notion of a major defense contractor letting an external service store their data and have them access it across the public Internet.

How much were they really saving? How much were they really risking?

Along the same lines there’s the supposed cyber attack on the Springfield, IL water system. Officially they have stated that nothing happened. Okay, fine. But this, too, begs the question: why are utility control systems even accessible from the Internet?

I appreciate the value of being able to call an engineer, have him/her access the system from home, and help fix a problem. There might be a few legitimate reasons to make critical internal systems accessible from the Internet. However, if you choose to allow the connection, then: (1) you need to use the best security tools to manage the connection, and (2) you need to monitor the connection and be able to sever it at the first sign of trouble. That didn’t appear to happen in Springfield.

These are both examples of a generational gap in experience. By laying off all the older engineers and IT experts, industry has created an experience gap in its technology work force and bonehead moves are taking place as a result. Someone at BAE had no clue it might be a bad idea to put their data on the cloud.

How stupid was that?


Our Own Worst Enemies

Posted in 2011 on August 31st, 2011 by Robert X. Cringely – 64 Comments

Note — This is the first of two three very different columns about what turns out to be the same topic.

I was driving back to college in my red 1966 Oldsmobile Cutlass convertible when a pickup truck appeared before me on the two-lane road going perhaps 20 mph under the speed limit, which was to say 25 mph slower than me. I pulled into the opposing lane to pass him and the guy punched it, accelerating quickly to keep pace with me so I could neither pass him nor pull back into his lane without hitting him. My simple passing maneuver became a death race because now a third car was added to the mix, coming straight for me down the road. I tried to speed up to pass the truck but he stayed with me. I looked over and he was laughing, trapping me in the passing lane. So I stomped on the brakes and he did too! The other car was still approaching, slower now because he was also afraid. I came to a complete stop on the road and only then did the pickup resume speed, finally allowing me over. The guy was, as my Mom would say, an asshole. But if you think about it my behavior contributed to the peril. He had been lying in wait, but I had taken his bait.

What’s the admin ID and password on your home router? Leaving the factory they are all the same for each major ISP. You haven’t changed it, have you? If it’s a wired router some bad guy can start with a block of IP addresses and easily hack you. He probably has. If your router is wireless he can do it over the net or over the air. And we helped him by not changing our IDs and passwords (change both). In this case the hacker is that guy in the pickup and — like me in the Olds — we’re fat, dumb, and happy.

In Palo Alto many years ago there was a $1 video rental shop on the corner of El Camino Real and Page Mill Road. It later became a florist and now is something completely different. But back in the 1980s when VHS tapes rented for $3-5 per night, $1 rentals were amazing and the shop was packed with customers who were driving past on their way to Hewlett Packard, Varian, or Syntex and stopped for a copy of Lethal Weapon. The deal seemed almost too good to be true. It was too good to be true. The shop owners were gathering credit card numbers and one weekend a few months into their video business they extracted more than $1 million from Mastercard and Visa before skipping town forever. Those of us who rented $1 videos without question enabled their crime.

How many passwords do you have? According to data security researchers, you probably have a four-digit PIN you use for accounts where four digits are required and you have an eight-digit password you’ve been using for everything else for at least a decade. If I set up a web site offering a deal too good to be true, like say free online video rentals (just to make my point brutally clear), free games, or free horoscopes, or maybe a free VoIP phone account or even a free IP proxy service to let you cheat and watch the BBC iPlayer, what password will you give for that account?

Why your ever-faithful eight-digit universal password, of course!

Nearly everybody does it, security researchers report, and nearly everybody is vulnerable as a result.

When Dick Feynman was cracking safes for fun at Los Alamos during the Manhattan Project, 30 years before winning his Nobel Prize, he found most of the military safes had their original factory-set combinations, which of course are all the same.

Now throw in your pornstar name, which includes answers to typical security questions, and millions — maybe tens of millions — of networks, PCs, and financial accounts are suddenly wide open.

There are viruses and malware and botnets — always more botnets — and the fact that millions of our PCs are zombies comes down as much to our carelessness as to the evil intent of the people hacking our machines. They get away with it in large part because we let them — even help them — do it.

Next, how our habitual behavior has allowed the world economy to be screwed… and what can be done about it…

When Engineers Lie

Posted in 2011 on June 9th, 2011 by Robert X. Cringely – 98 Comments

Twenty years ago, when I was writing Accidental Empires, my book about the PC industry, I included near the beginning a little rant about how good engineers were incapable of lying, because their work relied on Terminal A being positive and not negative and if they lied about such things then nothing would ever work. That was before I learned much about data security, where apparently lying is part of the game. Well, based on recent events at RSA, Lockheed Martin, and other places, I think lying should not be part of the game.

Was there a break-in? Was data stolen? Was there an unencrypted database of SecureID seeds and serial numbers? All we can say at best is that we don’t really know. And in some quarters that is supposed to make us feel more secure because it means the bad guys are equally clueless. Except they aren’t, because they broke-in, they stole data, they knew what the data was good for while we — including SecureID customers it seems — are still mainly in the dark.

A lot of this is marketing — a combination of “we are invincible” and “be afraid, be very afraid.” But a lot of it is intended also to keep us locked-in to certain technologies. To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?

Good question.

Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.

This is National Security, remember, which means ethical and common sense rules are suspended without question.

RSA, Cisco, Microsoft and many other companies have allowed the U.S. government to breach their designs. Don’t blame the companies, though: if they didn’t play along in the U.S. they would go to jail. Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you, too.

The feds are so comfortable in this ethically-challenged landscape in large part because they are also the largest single employer… on both sides. One in four U.S. hackers is an FBI informer, according to The Guardian. The FBI and Secret Service have used the threat of prison to create an army of informers among online criminals.

While security dudes tend to speak in terms of black or white hats, it seems to me that nearly all hats are in varying shades of gray.

Yet there is good news, too, because IPv6 and Open Source are beginning to close some of those security doors that have been improperly propped open. The Open Source community is building business models that may finally put some security in data security.

The U.S. government is a big supporter of IPv6, yet the National Security Agency isn’t. Cisco best practices for three-letter agencies, I’m told, include disabling IPv6 services. From the government’s perspective, their need to “manage” (their term, not mine — I would have said “control”) is greater than their need to engineer clean solutions. IPv6 is messy because it violates many existing management models.

The key winners are going to be those companies that embrace IPv6 as a competitive advantage. IPv6-ready outfits in the U.S. include Google, AT&T, and Verizon. Yahoo and Comcast still have work to do. Apple has been ready for years.

Some readers will question why I appear to be promoting the undermining of U.S. intelligence interests. Why would I promote real data security if what we have now is working so well for our spy agencies?

I’m not a spy, for one thing, but if I were a spy and trying to keep my secrets secret I wouldn’t buy any of these products. I’d roll my own, which is what I think most governments have long done. So the really deep dark secrets were probably always out of reach, meaning most low-hanging fruit is simple commercial data like the 125+ million credit card numbers stolen so far this year from Sony, alone.

If the NSA needs my credit card information let them show me why. I think they don’t need it.

We’ve created a culture of self-perpetuating paranoia in military-industrial data security by building systems that are deliberately compromised then arguing that draconian measures are required to defend these holes we’ve made ourselves. This helps the unquestioned three-letter agencies maintain political power, doing little or nothing to increase national security, while at the same time compromising personal security for all of us.

There is no excuse for bad engineering.

InsecureID: No more secrets?

Posted in 2011 on May 25th, 2011 by Robert X. Cringely – 129 Comments

Update — Though I chose to keep secret the identity of the defense contractor to limit the damage it was subsequently revealed by Reuters to be Lockheed-Martin. There was one additional detail presented at the end of a story in Saturday’s New York Times.

Back in March I heard from an old friend whose job it is to protect his company’s network from attack. “Any word on just what was compromised at RSA?” he asked, referring to how the RSA Data Security division of EMC had been hacked. “I suspect it was no more than a serial number, a seed, and possibly the key generation time. The algorithm has been known for years but unless they can match a seed to an account it is like having a key without knowing what lock it fits. That might simplify a brute force attack but first the attacker would need something to brute force…”

Well it didn’t take long for whoever cracked RSA to find a lock to fit that key.

Last weekend was bad for a very large U. S. defense contractor that uses SecureID tokens from RSA to provide two-factor authentication for remote VPN access to their corporate networks. Late on Sunday all remote access to the internal corporate network was disabled. All workers were told was that it would be down for at least a week. Folks who regularly telecommute were asked to come into nearby offices to work. Then earlier today (Wednesday) came word that everybody with RSA SecureID tokens would be getting new tokens over the next several weeks. Also, everybody on the network (over 100,000 people) would be asked to reset their passwords, which means admin files have probably been compromised.

It seems likely that whoever hacked the RSA network got the algorithm for the current tokens and then managed to get a key-logger installed on one or more computers used to access the intranet at this company. With those two pieces of information they were then able to get access to the internal network.

The contractor’s data security folks saw this coming, though not well enough to stop it. Shortly after the RSA breach they began requiring a second password for remote logins. But that wouldn’t help against a key-logger attack.

The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it. A breach like this is very subtle and not easy to spot. There will be many aftershocks in the IT world from this incident.

But is this the only such instance of a major corporate network break-in? The very fact that we haven’t heard anything about this (I hadn’t, had you?) makes me think this probably ISN’T the first such network penetration from the recent RSA hack… or the last.

What if every RSA token has been compromised, everywhere?

“I have not seen anyone abandoning their investment yet,” said my friend back in March. “Most networks exchange token values over an encrypted channel anyway so the facade of security is still there. Until an attack succeeds (and how would you know?) the lemmings are complacent.”

Well an attack has succeeded, laying open who knows what national secrets?

The lemmings are now upset, or would be if they knew what you know now.

I guess now they do.

Til death do us part: Sony and the credit card companies

Posted in 2011 on May 2nd, 2011 by Robert X. Cringely – 47 Comments

Remember, after the recent earthquake and tsunami in Japan, those stories about wallets filled with money being found and turned-in to the authorities, still stuffed with cash? That’s one positive aspect of Japanese culture, but does it also make them too trusting? Sony’s loss of first 77 million customer records and now another 24.6 million suggests that may be the case. A society with low crime rates and comic book criminals screams of unsophistication, which was confirmed for me this week when I heard from a reader who is a payment system auditor. He looks inside Japanese institutions and often doesn’t like what he sees.

“For whatever reason (low crime rate, maybe?),” my reader says, “the Japanese cannot seem to get their heads around the fact that unencrypted cardholder data sitting on servers in unsecured areas and being transmitted across public networks is a bit of a risk. Every other country in Asia has grasped this easy concept, but not Japan. I have tried many times to explain why this is bad but am usually met with blank looks and checking of watches.

“I could remote desktop right now to a Windows 2000 server in a facility in Japan with a public IP (user-name Administrator, no password) which contains hundreds of thousands of .csv files with full PAN, CSV, name, address etc. I notified the facility in question about this two years ago, by the way, and they have never done anything about it.”

This is Bob again. From my own experience with Windows systems I can’t imagine such exposed servers having not been repeatedly explored by bad guys over the past two years. That information isn’t just vulnerable, it is gone.

But it isn’t just the Japanese who are at fault. A short survey of some of my U.S. admin friends showed there are plenty of unsecured or under-secured payment servers running in this country, too, though none I know of without passwords. I don’t want to name too many names, but if your organization is handling funds on old unsupported Windows 2000 servers you are probably in trouble.

Now back to Sony. With now over 100 million accounts exposed, Sony finally sent lame duck exec Kaz Hirai out to take one for the team and apologize. Hirai offered — just as I predicted — a month of free service. What now? Lawyers will sue, Sony will fix their systems, and gamers once again will game. But while Sony may escape large economic losses from the current problems plaguing its various networks, there is one group that will continue to be rightly upset with the electronics giant — credit card companies like MasterCard and Visa.

The credit card companies have published standards for the management of customer data. These standards are a good combination of requirements and best practices. Anyone who does a significant amount of credit card-based business is required to meet these standards, which Sony appears to have ignored. Independent audits are required. To enforce the credit card company rules there are fines and the death penalty — being cut off.

Since Sony processes credit card transactions — and even offers its own credit cards as you’d know if, like me, you obsessively watch Jeopardy — they are going to be under a very uncomfortable microscope very soon.

The auditors are coming. Worst case they might tell Sony to buzz off — to refuse Sony’s credit card charges for those 100+ million accounts. Then some really interesting stuff might happen.

Sony might not care.

If Sony is busted by Visa or Mastercard, Discover or American Express, all that probably means is they’ll have to hire a middle man — usually a big bank — to do the credit card transactions for them. Different servers in a different data center would handle the money and all would once again be right with the world, though at the cost of an extra service charge to Sony.

But what if Sony chose a different path? What if Sony cut a payment deal with, say PayPal, instead?

It’s a tempting gambit. PayPal would like nothing more than to pick up those 100 million accounts. They’d pay Sony for them, turning a loss into a gain and a loss of face into an industry transition.

PayPal has been looking for a chance to kick the credit card companies down a peg, grabbing some business.

I can almost hear the phones ringing in Tokyo….

Sony may be clueless in PSN hack

Posted in 2011 on April 28th, 2011 by Robert X. Cringely – 59 Comments

Sony’s huge PlayStation Network (PSN) has been down for a week now following the theft of ID and credit card data on some or all of the gaming and video entertainment network’s 77 million customer accounts. Readers have been asking for comment but I stay out of these things unless I have something new to contribute. That something finally comes a week into the crisis as gamers begin to wonder why the network is still not back in operation and speculate on what this all means to Sony. It’s a huge loss of face, of course, but beyond that the damage to Sony is minimal. And the upside for PSN members, including those involved in the many emerging class action lawsuits, is likely to be bupkes. Nothing.

Recent history suggests Sony’s likely gift to users as an apology for losing their personal data will be some period of free credit monitoring and a free month of PSN service. If that sounds generous you might be surprised to learn that the going price for wholesale monitoring from the big U. S. credit reporting firms is approximately five cents per account per month or $3.85 million if all 77 million PSN accounts have been compromised. The usual terms for a mea culpa of this sort are three months of monitoring for a total cost to Sony of around $10 million.

“It will cost them more to send the e-mails making the offer than it will to provide the service,” said a source of mine in the credit reporting industry.

If you are hoping for big bucks from a class action lawsuit, go back and read PSN’s Terms of Service you clicked on without reading when you first joined the network. As with nearly all such legal agreements, you signed away any significant right to compensation beyond the direct cost of the service for the time it is disrupted. Only the lawyers will make a dime from this.

That is not to say that Sony takes the attack or subsequent outage lightly. No Japanese company would. But the fiercely proud corporation also hasn’t gone out of its way to apologize. No Japanese company would. A funny thing about Japanese business culture is the tendency to apologize profusely for absolutely anything that is beyond the control of the company or its executives. They’ll apologize for traffic, for bad weather, for someone else’s mistake, but if the company or its leaders have actually screwed up they generally won’t say a thing, which is not at all good for Sony’s global image.

This outage comes in large part because Sony has been so aggressive against hackers, who finally decided to slap-down the electronics giant. This is not to argue that Sony shouldn’t defend itself, but it is to argue that Sony should have expected elevated attacks as a result of its actions. Maybe they did expect more trouble, but the fact that they were so easily compromised shows corporate hubris at a reckless level.

Now let’s consider for a moment why this outage is continuing a week after the break-in. Speaking with a few experts and reading the official Sony FAQ gives some insight into what may really be going on. Sony says it is investigating, but should an investigation really take this long? Can’t the server logs and other network data be locked-down in a few minutes and examined at leisure? Sure. So when Sony says it is investigating what they probably mean is they are trying to fix the problem, seal the breach, and make sure that particular gambit cannot be accomplished again. This takes time — hours of programmer time and dozens or even hundreds of hours of QA time to make sure the fix scales properly and will work under a full network load.

Sony doesn’t say this, of course, but that puts us back to the fierce pride part. While they can admit a break-in they find it very difficult to say they are putting locks on the doors that never had them.

But wait, there’s more! In the official Sony FAQ and also the Official PlayStation blog there is an amazing admission that the company really has no idea how many user accounts were compromised. They suggest that users “assume” their data has been stolen. Well, was the data stolen or not? That big unencrypted or shoddily encrypted file with the details of 77 million account holders either left the building or it didn’t, right?

Sony doesn’t seem to know.

This is from the official PlayStation blog:

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

I love the part about it having been a malicious attack. Had the attack been less malicious, would less data have been lost? That is the sound of Sony whining.

When I discussed the attack with a friend of mine in the enterprise data security business he made an interesting speculation. “A really smart criminal would want to cover his tracks,” said my friend. “You can either grab the data and hope to slink away unnoticed or you can grab the data then destroy everything on your way out.”

In a worst case scenario, Sony doesn’t even know what vulnerability the crackers used to gain entry. Sony may be literally clueless.

The people behind this PSN hack didn’t want it to go unnoticed. They wanted Sony and Sony users to know they had been violated. And Sony’s apparent ignorance of just what was taken (possibly even how it was taken) plus the fact that the network is still down a week later strongly suggests the crackers may have thrown a few metaphorical hand grenades into the system on their way to Denny’s for that celebratory Grand Slam breakfast.

The Epsilon Syndrome

Posted in 2011 on April 7th, 2011 by Robert X. Cringely – 54 Comments

Like a lot of you, this week I received several messages telling me my e-mail address had been stolen from a company called Epsilon that provides mass e-mail services to many giant corporations. At the end of this post you’ll find what I believe is the latest list of companies affected. I have heard from four of these companies so far — Best Buy, Chase, Hilton, and Ritz-Carlton, which is interesting because I don’t recall having even stayed at a Ritz-Carlton. From a look at the master list below I’m surprised I haven’t yet heard from Verizon, where I am also a customer. The point of this post isn’t just to print a list of Epsilon customers, but to say how screwed-up and perilous this event is for everyone involved including you and me. Heads should be rolling and there is no evidence yet that they are.

Epsilon, which has millions of consumer e-mail addresses and associated names, was hacked, losing some unstated number of customer files probably numbering in the millions. The affected companies have sent very earnest messages notifying us, expressing hopes that the damage is limited, but urging us to be on the lookout for bad guys messing with our IDs. What they aren’t saying yet is this: “Epsilon screwed up so we’re firing their sorry asses and suing them back to the stone age.”

If Epsilon made such a huge mistake they should be punished. If they are being punished we, as the truly affected parties, should be told that is the case. Better, still, we should be compensated for our inconvenience. This is not business as usual. This is a huge steaming mess. Polite e-mail messages that say almost nothing are not an adequate response.

Here’s why I feel this way and you should too:

This stolen data will be used for phishing attacks, which is what the companies are warning us to be on the lookout for. There will be such attacks and telling us to be on our guard won’t stop them from being successful to some degree. It is in my view a woefully inadequate response. Remember these bad guys have a lot of data on us — the name of the company with which we are doing business, our names (in most cases), and our e-mail addresses.

No matter what spin the companies put on it this is huge. Consumers will be compromised and losses in the millions — maybe tens of millions — will be incurred. And I don’t care if the banks say they’ll cover the losses, that never happens gracefully, at least not for me.

People who opted-out with these companies were also exposed. So it isn’t just customers but also former customers and non-customers whose information was stolen. What is the legal exposure there? It’s an issue I haven’t seen discussed anywhere.

What if the bad guys start sending mail to the opt-out people (you know they will) and by doing so cause the affected companies to violate the CAN-Spam Act of 2003? That can cost $16,000 per violation.

But hey, this is a case of simple theft and Hilton can’t be held responsible, can it? It isn’t clear.

Here’s what the Federal Trade Commission says: “The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.”

That’s a giant class action lawsuit just waiting to be filed.

But wait, there’s more! Any company that accepts credit cards can be subject to a security audit. Will these companies listed below pass their next such audit? On the face of it they shouldn’t because their systems have been compromised. Blaming Epsilon doesn’t change that because, as in the FTC example above, the companies can’t simply delegate responsibility. And I sincerely doubt that Epsilon or its parent, Alliance Data Systems, is in a financial position to indemnify all those companies.

Again you might say this is an over-reaction on my part, that cooler heads will prevail. Maybe so, but the ugly truth here that isn’t being addressed is that some — maybe many — of these companies could be hiding a multitude of security sins that would come to light in such an audit. Do they really want to let anyone who knows what they are doing have a close look at systems that may be antiquated or even non-existent?

If this Epsilon mess causes a rash of credit card claims and chargebacks that trigger automatic security audits, then even if the Epsilon event itself is explained-away a lot of these companies will still be in trouble.

The worst part of all, though, is that nobody in this mess is on our side, nobody. Apparently we’re not too big to fail.

Here is what I understand to be the current list of affected companies:

1800-Flowers

Abe Books

Air Miles CA

Ameriprise Financial

Barclays Bank of Delaware

Beachbody

Bebe Stores Inc.

Benefit Cosmetics

BestBuy

Brookstone

Capital One

Charter Communications

Chase

Citibank

City Market

The College Board

Crucial.com

Dell Australia

Dillons

Disney Vacations

Eurosport/Soccer.com

Eddie Bauer

Food 4 Less

Fred Meyer

Fry’s

Hilton Honors

The Home Shopping Network

Jay C

JP Morgan Chase

King Soopers

Kroger

LL Bean

Marks & Spencer (UK)

Marriott Rewards

McKinsey Quarterly

Moneygram

New York & Co.

QFC

Ralphs

Red Roof Inns Inc.

Ritz Carlton

Robert Half

Smith Brands

Target

TD Ameritrade

TIAA-CREF

TiVO

US Bank

Verizon

Viking River Cruises

Walgreens

World Financial Network National Bank

Access Denied: How to Defend Your Systems from an Inside Job

Posted in Uncategorized on February 2nd, 2009 by Robert X. Cringely – 52 Comments

Last week a story broke about a former Fannie Mae IT contractor accused of planting malicious code that would have taken down systems and destroyed data right at the epicenter of today’s global financial crisis. The accused former employee has since surfaced claiming innocence so I prefer not to go into that specific case but rather use it to consider the likelihood that similar crimes could take place in other companies.

Well of course the probability is 100 percent simply because similar crimes HAVE taken place in other companies. It happens all the time at an annual cost of BILLIONS.

IT crimes go grossly under-reported because they are so embarrassing to their victims who convince themselves that saying something will only embolden the bad guys and lead to further losses. In one sense this is true, but in another it creates a false sense of safety. This is one area where we really SHOULD feel vulnerable yet most companies don’t and have lax procedures as a result.

So just in case you are interested in this topic or have some influence in data security, here are my overkill ideas on how to lock things down. It is doubtful that any company or agency would do all these things, but doing at least some of them makes good sense to me.

Many years ago good business practice was to put all critical systems on an internal, isolated network that did not have a path to the Internet. This would prevent someone from the Internet accessing a bank’s ATM network, or a chemical company’s process control system, or a power utility, etc. Recently I’ve been amazed to find how many firms are not doing this anymore and worse, they don’t understand why they should even try.

So here are my recommendations to avoid those nasty logic bombs. Your mileage may vary.

1) Route admin access to all systems through a logging proxy server. Each administrator must be authenticated by the proxy server and their access to systems logged. Keep the logs and check them on a regular basis.

2) All admin personnel will be assigned two user IDs. One will be a normal, non-privileged ID they will use for routine things like email and office applications. The other ID will be privileged and include a special character, maybe a “$.” You can’t check your email or run a business application with this ID. All admin access is done with the special ID. Use of generic root or administrator accounts is not allowed after the system is set up and running.

3) Scripts are run on each server (or domain) to check user IDs. All privileged IDs must have the special character and the right rules. All non-privileged IDs must not have the special character. Logs are checked for login by generic root or admin accounts. All deviations from policy are flagged and investigated. Scripts automatically disable all out-of-policy accounts.

4) After a system is set up, install a script that resets the generic root or admin password weekly. No one is supposed to use this account and no one knows the password. If you need access to the generic system ID, then run a tool that will tell you the password of the week. This is a logged event too.

5) All admin access to a system should be logged and recorded in the change control system. If you fixed something or changed something, you need to note it by editing the record of your access (you can’t delete the record, only add to it). On important systems run a trip-wire tool and post its report in change control too.

6) Privileged IDs must have their passwords changed at least once a month. Longer password expirations are acceptable for non-privileged IDs. There are password rules on content and length. Manage all IDs with LDAP.

7) HR manages user IDs. In the case of a departure or termination, the user’s IDs are disabled. The passwords are changed. Their managers are given access to the IDs and new passwords. All IDs are maintained in a database. When each system is checked, the IDs on it are checked against the HR database. Exceptions are flagged and investigated. When someone leaves the company for any reason, reports are created showing all their system access and changes.
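To make the checking in steps 3 and 7 concrete, here is an added example audit script. It is not code from the original post; it implements the post’s rules under a few stated assumptions: the privileged marker is “$”, membership in a wheel or sudo group is what makes an account privileged, UIDs below 1000 are system accounts, and the passwd, group, HR roster and auth-log data are constructed samples. It flags privileged IDs without the marker, marked IDs that are not actually privileged, IDs whose owner is missing or no longer active in HR, and successful logins with a generic root or administrator account, then produces the lock commands as a dry run rather than executing them.

```python
"""Account-policy audit (added example, not from the post).
Rules taken from recommendations 3 and 7; all sample data is constructed."""
import re
from dataclasses import dataclass

PRIV_MARK = "$"                         # marker the post suggests for privileged IDs
GENERIC_ACCOUNTS = {"root", "administrator"}
PRIVILEGED_GROUPS = {"wheel", "sudo"}   # assumption: membership here = privileged
FIRST_USER_UID = 1000                   # assumption: lower UIDs are system accounts

# Constructed /etc/passwd-style content.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
alice$:x:1002:1002::/home/alice_adm:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
carol$:x:1004:1004::/home/carol_adm:/bin/bash
dave$:x:1005:1005::/home/dave_adm:/bin/bash
"""
# Constructed /etc/group-style content: who is in the privileged group.
SAMPLE_GROUP = "wheel:x:10:alice$,bob,carol$\nusers:x:100:alice,bob\n"
# Constructed HR roster: person -> employment status.
SAMPLE_HR = {"alice": "active", "bob": "active", "carol": "terminated"}
# Constructed sshd-style auth log lines.
SAMPLE_AUTH_LOG = """\
Mar  1 10:02:11 host sshd[1234]: Accepted publickey for alice$ from 10.0.0.5 port 5050 ssh2
Mar  1 10:05:42 host sshd[1240]: Accepted password for root from 10.0.0.9 port 5051 ssh2
Mar  1 10:07:00 host sshd[1250]: Failed password for root from 10.0.0.9 port 5052 ssh2
"""

@dataclass(frozen=True)
class Finding:
    account: str
    reason: str

def parse_passwd(text):
    """Return (username, uid) pairs from passwd-style lines."""
    users = []
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 7 and f[2].isdigit():
            users.append((f[0], int(f[2])))
    return users

def privileged_members(group_text, groups=PRIVILEGED_GROUPS):
    """Return the set of users listed as members of any privileged group."""
    members = set()
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[0] in groups and f[3]:
            members.update(f[3].split(","))
    return members

def audit_accounts(users, priv_members, hr_roster):
    """Apply the marker rule and the HR reconciliation to each human account."""
    findings = []
    for name, uid in users:
        if uid < FIRST_USER_UID:            # system accounts are handled separately
            continue
        is_priv = name in priv_members
        has_mark = PRIV_MARK in name
        if is_priv and not has_mark:
            findings.append(Finding(name, "privileged but lacks the privileged marker"))
        if has_mark and not is_priv:
            findings.append(Finding(name, "carries the privileged marker but is not privileged"))
        owner = name.replace(PRIV_MARK, "")  # both of a person's IDs map to one HR record
        status = hr_roster.get(owner)
        if status is None:
            findings.append(Finding(name, "no matching person in the HR roster"))
        elif status != "active":
            findings.append(Finding(name, f"owner status is {status}"))
    return findings

ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

def generic_logins(log_text):
    """Return (user, source) for successful logins with a generic admin account."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") in GENERIC_ACCOUNTS:
            hits.append((m.group("user"), m.group("src")))
    return hits

def disable_commands(findings):
    """Dry run: one lock command per out-of-policy account (usermod -L locks the password)."""
    return [f"usermod -L '{name}'" for name in sorted({f.account for f in findings})]

def run_audit():
    """Run every check against the constructed samples and return the report."""
    users = parse_passwd(SAMPLE_PASSWD)
    findings = audit_accounts(users, privileged_members(SAMPLE_GROUP), SAMPLE_HR)
    return {
        "findings": findings,
        "generic_logins": generic_logins(SAMPLE_AUTH_LOG),
        "disable": disable_commands(findings),
    }

if __name__ == "__main__":
    report = run_audit()
    for f in report["findings"]:
        print(f"FLAG {f.account}: {f.reason}")
    for user, src in report["generic_logins"]:
        print(f"GENERIC LOGIN {user} from {src}")
    print("would run:", *report["disable"], sep="\n  ")
```

On the constructed data the script flags bob (privileged without the marker), carol$ (owner terminated in HR) and dave$ (marked but not privileged, and unknown to HR), and reports the root login from 10.0.0.9. On a real host the passwd, group and log text would be read from the system and the HR roster pulled from the directory; the lock commands are returned rather than run so that a reviewer can confirm the findings before the accounts are disabled, which is the investigation step the post calls for.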

Now would these seven steps stop a determined and talented former employee or contractor? Nah. And that’s the part that’s really distressing, because I am sure we have built into our IT overhead 5-10 percent simply to cover sabotage – a crime we otherwise try never to mention.