Tuesday, February 03, 2009

More bad news at Fannie

Fannie Mae just barely, and by luck, managed to avoid a virus deployed by a disgruntled ex-employee that would have erased all of its data and brought the company to a halt. The short story is that an IT contractor by the name of Rajendrasinh Babubhai Makwana was fired on October 24 for violating security protocols. What happened next is a scandal:

The allegations [in the indictment] lay out a cautionary tale about the risk of lax security practices at highly sensitive enterprises. Despite his dismissal on October 24, Makwana's highly privileged computer access wasn't terminated until late into the evening because of bureaucratic procedures in Fannie's procurement department, according to court documents.

Shortly after Makwana was informed he was being fired, he logged in to Fannie's main development server and embedded a series of malicious scripts inside a legitimate program. To conceal the malicious payload, he created a page worth of blank lines between the legitimate code and the malicious code.

Makwana won't be the only part of Fannie's IT staff getting fired, I expect. In general, this story underscores two key points about hacking: (1) insiders pose the greatest security risk for most companies (because of both malice and stupidity), and (2) for that reason, access governance control is perhaps the single most important dimension of network security.
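The concealment trick in the quoted account, a page of blank lines between the legitimate code and the appended code, is simple to check for during script review. The sketch below is an added example, not code from the indictment or from Fannie Mae; the 20-line threshold, the suffix list and the sample script are assumptions constructed for illustration.

```python
from pathlib import Path

def find_blank_gaps(text, min_blank=20):
    """Return (gap_start, blank_count, resume_line, resume_text) for every run of
    at least min_blank whitespace-only lines sitting between two pieces of content."""
    findings, run_start, run_len, seen_content = [], 0, 0, False
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line.strip():              # empty, or only spaces/tabs/CR
            if run_len == 0:
                run_start = lineno
            run_len += 1
            continue
        # Content resumed: report the gap only if real content preceded it.
        if seen_content and run_len >= min_blank:
            findings.append((run_start, run_len, lineno, line.strip()))
        seen_content, run_len = True, 0
    return findings

def scan_tree(root, min_blank=20, suffixes=(".sh", ".ksh", ".pl", ".py")):
    """Apply find_blank_gaps to every script under root; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            gaps = find_blank_gaps(path.read_text(errors="replace"), min_blank)
            if gaps:
                report[str(path)] = gaps
    return report

# Constructed sample: a harmless script with a padded gap before an appended line.
SAMPLE = (
    "#!/bin/sh\n"
    "# nightly report job (constructed)\n"
    "run_report\n"
    + "\n" * 30 + " \t\n" * 30
    + "echo 'appended section (constructed placeholder)'\n"
)

if __name__ == "__main__":
    for start, count, resume, code in find_blank_gaps(SAMPLE):
        print(f"{count} blank lines from line {start}; "
              f"content resumes at line {resume}: {code}")
```

Leading and trailing blank runs are ignored on purpose: only a gap with content on both sides matches the pattern described in the story.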
