Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.

Saturday, December 22, 2007

A Christmas present for ordinary computer users

Peter Gregory has blogged a list of free security software that is sure to appeal to "ordinary" (as in non-geek) computer users.

The only significant omission that occurs to me is online software security patching. Peter blogged just a week ago about a free and urgent security patch for Skype, perhaps not a good example as he chastises Skype for not publicising the patch. Microsoft Update is probably better.

Personally, I use Secunia's PSI (Personal Software Inspector) to track and stay current with security patches for most of the software on my home system, not just the Microsoft stuff. It does a good job for me but may be too geeky for ordinary mortals. What do you think? Is there a more user friendly option you'd recommend?

Monday, February 26, 2007

Human error multipliers

George Spafford wrote "there are a number of behaviors that can dramatically increase the odds of human error yet organizations fail to manage them". He identifies a wide range of factors that make human errors more likely including: complexity; deadlines; fatigue; multitasking; poor planning; insufficient testing; lack of change management ... and many more (just read George's paper and I'm sure you will think of more).

George continues, "some organizations may have multiple behaviors that when combined further increase risk levels. Organizations must take a careful look at their culture and processes to understand and subsequently manage the level of human error being introduced." 'Taking a look at' culture and processes is easy enough but changing them (especially the culture) is a different matter entirely. That said, George's list of issues implies a whole load of options for those willing to take up the challenge.

Integrity links

Wednesday, January 24, 2007

IT performance proportional to change management

A well-written piece in the IIA's IT Audit by Dwayne Melancon outlines the results of a research study conducted by the IT Process Institute. The ITPI went looking for characteristics of the controls infrastructure that distinguish high- from low-performing IT departments. The researchers picked out IT process controls from COBIT and ITIL/ISO 20000 frameworks and measured 98 organizations - not a huge sample but statistically significant and adequate given the depth of study.

The headline is that they found a clear link between the quality of an organization's change management controls and its performance. Since top/medium/low performers were determined by the "number of controls for which respondents scored in the top 50th percentile of all respondents" across controls for access, change, release, configuration, service level and resolution (presumably of problems/incidents), it is inevitable that high performers scored well on the selected 6 control areas. The study indicates that the strongest link occurs in the change management domain.

The report picks out some interesting correlations between specific controls and high performers e.g.:
- monitoring for authorized/unauthorized and successful/unsuccessful changes;
- firm consequences for those who intentionally make unauthorized changes;
- formal processes and automation of configuration management.

These in turn suggest potential metrics e.g.:
- percentages of changes that are authorized and successful (the proportion of unplanned work that an IT department undertakes has been previously identified as a worthwhile metric; the "proportion of problems that are fixed first time" is another good one);
- percentage of unauthorized change incidents that lead to disciplinary action (measuring management's commitment to enforcing change management controls);
- percentage of configuration information that is accurate and complete.
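The first and third of those metrics, and the monitoring control that feeds them, can be worked through in code. The script below is an added example, not part of the original post or of the ITPI study: it reconciles changes observed on systems (the kind of event a configuration-monitoring tool reports) against approved change requests, labels each as authorized/unauthorized and successful/unsuccessful, and computes the percentage metrics from the list above. The hosts, people, tickets and CMDB records are constructed sample data, and the authorization rule (same system, named implementer, within the approved window) is an assumption chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ChangeRequest:
    """An approved change ticket: who may change which system, and when."""
    cr_id: str
    system: str
    implementer: str
    start: datetime
    end: datetime


@dataclass
class ObservedChange:
    """A change detected on a system, e.g. by configuration monitoring."""
    system: str
    actor: str
    when: datetime
    succeeded: bool             # outcome of post-change verification
    disciplined: bool = False   # only meaningful for unauthorized changes


# Constructed sample data (hypothetical hosts, people and tickets).
APPROVED = [
    ChangeRequest("CR-101", "web01", "alice", datetime(2007, 1, 20, 2, 0), datetime(2007, 1, 20, 3, 0)),
    ChangeRequest("CR-102", "db01", "bob", datetime(2007, 1, 21, 13, 0), datetime(2007, 1, 21, 15, 0)),
    ChangeRequest("CR-103", "fw01", "dave", datetime(2007, 1, 23, 9, 0), datetime(2007, 1, 23, 11, 0)),
]

OBSERVED = [
    ObservedChange("web01", "alice", datetime(2007, 1, 20, 2, 10), True),
    ObservedChange("web01", "alice", datetime(2007, 1, 20, 2, 40), False),                  # rolled back
    ObservedChange("db01", "bob", datetime(2007, 1, 21, 14, 0), True),
    ObservedChange("db01", "bob", datetime(2007, 1, 22, 23, 30), True, disciplined=True),   # no ticket
    ObservedChange("fw01", "carol", datetime(2007, 1, 23, 10, 0), True),                    # wrong implementer
    ObservedChange("app02", "alice", datetime(2007, 1, 24, 3, 0), False),                   # no ticket, failed
]


def find_authorizing_cr(change, approved):
    """Return the ticket that authorizes this change, or None.

    Assumed rule: a change is authorized only if a ticket exists for the same
    system, names the actor as implementer, and its window covers the change.
    """
    for cr in approved:
        if (cr.system == change.system and cr.implementer == change.actor
                and cr.start <= change.when <= cr.end):
            return cr
    return None


def classify(observed, approved):
    """Label each observed change as (change, authorized?, successful?)."""
    return [(c, find_authorizing_cr(c, approved) is not None, c.succeeded) for c in observed]


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def change_metrics(observed, approved):
    """The change-related metrics from the post, computed over the labelled changes."""
    labelled = classify(observed, approved)
    total = len(labelled)
    authorized = [c for c, auth, _ in labelled if auth]
    unauthorized = [c for c, auth, _ in labelled if not auth]
    return {
        "total_changes": total,
        "pct_authorized": _pct(len(authorized), total),
        "pct_authorized_and_successful": _pct(sum(c.succeeded for c in authorized), total),
        "unauthorized_changes": len(unauthorized),
        "pct_unauthorized_disciplined": _pct(sum(c.disciplined for c in unauthorized), len(unauthorized)),
    }


# Configuration accuracy: what the CMDB claims versus what is actually observed
# on the hosts (constructed values).
CMDB = {"web01": "httpd-2.2.4", "db01": "mysql-5.0.27", "fw01": "ios-12.4", "app02": "tomcat-5.5"}
ACTUAL = {"web01": "httpd-2.2.4", "db01": "mysql-5.0.33", "fw01": "ios-12.4", "app02": "tomcat-5.5"}


def cmdb_accuracy(cmdb, actual):
    """Percentage of CMDB records that match reality (a missing host counts as wrong)."""
    correct = sum(1 for host, record in cmdb.items() if actual.get(host) == record)
    return _pct(correct, len(cmdb))


if __name__ == "__main__":
    for change, auth, ok in classify(OBSERVED, APPROVED):
        print(f"{change.when:%Y-%m-%d %H:%M} {change.system:6} {change.actor:6} "
              f"{'authorized' if auth else 'UNAUTHORIZED':12} {'ok' if ok else 'FAILED'}")
    print(change_metrics(OBSERVED, APPROVED))
    print("CMDB accuracy:", cmdb_accuracy(CMDB, ACTUAL))
```

Run as a script it prints one line per change followed by the metrics; on the sample data half the changes are authorized, a third are authorized and successful, and only one of the three unauthorized changes led to disciplinary action. The matching rule deliberately treats a change made by someone other than the named implementer as unauthorized, which is the case that a system-only check would miss.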

The full study report costs $1,695 and may be hard to justify but the free executive summary is worth reading if you have an interest in the relationship between IT governance, risk, control and security.

More IT governance and change management links

Thursday, August 25, 2005

Cisco patches released

Cisco users have their own patching worries. Check out the latest Cisco patches including a fix for a privilege escalation vulnerability in the Cisco Intrusion Protection System (oops).

More change management resources

Friday, August 12, 2005

Microsoft fixes yet more bugs

As eagerly anticipated, Microsoft released another bunch of fixes a few days ago, three of which were rated critical. It is widely reported that problems with the patch files originally made available from some download locations may have interfered with the update process, although we understand everything is working fine now. Nevertheless, Microsoft customers are well advised to double-check that all necessary patches have been applied to all relevant systems using Microsoft Baseline Security Analyzer (MBSA), Microsoft Update (which updates both Windows and Office) or other patching utilities. There are rumors of exploit code already in circulation for the announced vulnerabilities, so consider the risks carefully if you are not certain that all your systems are fully patched.

More change management resources

Thursday, August 04, 2005

Fix costs escalate 200x post implementation

It has been estimated that it is about 200 times more expensive to fix a problem when an IT system is in Production compared to fixing at the requirements analysis step during Development. The factor falls to about 4 for small IT projects but can exceed 500 for very large projects. Even if these figures are only vaguely close to the truth, the implications for quality assurance processes in IT development are crystal clear, as are the benefits of splitting massive projects into discrete sub-projects.

More change management, bugs and secure systems development resources