
Exploring the science and magic of Identity and Access Management
Monday, May 21, 2012

Want to Steal $11 million? Use Orphan Accounts.

Identity, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
11:32 am


I first met Alan Norquist back in 2000 while we worked together at Ponte Communications, a dot-com startup that lured me away from my first stint at Oracle.  Ironically, Alan came to Ponte directly from Sun Microsystems; I would later join Sun. At Ponte, we developed and sold technology to provision and configure a wide range of network infrastructure devices.  The company didn’t succeed, but it allowed me to focus for a while on the issues involved in using a centralized application to provision multiple connected devices – a capability that was central to the growth of the Identity Management Provisioning market a few years later.

In the ensuing ten years, Alan has been a successful serial entrepreneur. He is now Founder and CEO at another emerging company, Veriphyr, which uses advanced data analytics to automatically discover user access policy exceptions.

Again, our lives have converged because of a common professional focus on Identity Management and Information Security.

In a recent blog post, Alan pointed to a Colorado legal case:

“A three person process for approving payments did not stop a lone insider from stealing $11 million by playing puppet master. The thief’s unauthorized access to the unused computer accounts of two other employees allowed her to pull the strings and make it appear financial payments had the necessary three ‘independent approvals.’”

A report from TheDenverChannel.com further elaborated:

Michelle Cawthra, who was a supervisor at the Colorado Department of Revenue, had testified that during the scheme, she deposited unclaimed tax refunds and other money in [her boyfriend’s] bank accounts by forging documents and creating fake businesses.

How did she do it?  Rather than de-provisioning access for a few employees who had reported to her, she allowed the orphan accounts to hang around.  Ms. Cawthra had convinced the departing employees to share their passwords with her, so she had multiple unfettered channels of access to complete her nefarious schemes.

Interestingly enough, preventive Separation of Duties (SoD) controls were in place: three separate approvals were required for each payment.  But with the orphan accounts in her grasp, Ms. Cawthra could supply all three approvals herself and circumvent the control entirely.  A preventive control that only checks for three distinct account names cannot tell three people from one person with three passwords.  In addition to preventive controls, a method to detect illicit use before the case got out of hand was really needed.
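As an added illustration (not part of the original post, and not Veriphyr’s product), here is a small Python detective control of the kind this case calls for. It runs two checks over constructed logs: it joins successful logins against an HR roster to surface activity on accounts whose owners have left, and it flags payments whose three “independent” approvals were all entered from a single workstation within a short window. The account names, workstation IDs, payment IDs, dates and log format are all made up for the example.

```python
"""Detective controls for the orphan-account scheme described above.

Both checks run over small constructed log samples (hypothetical data):
  1. orphan_account_activity: successful authentication by an account
     whose owner is no longer employed (or is unknown to HR).
  2. collusive_approvals: payments whose required approvals were all
     entered from one workstation inside a short time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: account -> (employment status, termination date or None).
HR_ROSTER = {
    "msupervisor": ("active", None),
    "jclerk":      ("terminated", datetime(2006, 3, 31)),
    "rclerk":      ("terminated", datetime(2006, 6, 30)),
    "aclerk":      ("active", None),
}

# Constructed authentication log (hypothetical 'ts kind k=v ...' format).
AUTH_LOG = """\
2006-09-12T09:01:10 auth account=msupervisor result=success src=WS-214
2006-09-12T09:05:44 auth account=jclerk result=success src=WS-214
2006-09-12T09:06:02 auth account=rclerk result=success src=WS-214
2006-09-12T10:17:31 auth account=aclerk result=success src=WS-118
"""

# Constructed payment-approval log in the same hypothetical format.
APPROVAL_LOG = """\
2006-09-12T09:03:00 approve payment=P-1001 approver=msupervisor src=WS-214
2006-09-12T09:07:10 approve payment=P-1001 approver=jclerk src=WS-214
2006-09-12T09:08:25 approve payment=P-1001 approver=rclerk src=WS-214
2006-09-12T10:20:00 approve payment=P-1002 approver=msupervisor src=WS-214
2006-09-12T11:40:00 approve payment=P-1002 approver=aclerk src=WS-118
2006-09-13T08:15:00 approve payment=P-1002 approver=rclerk src=WS-301
"""


def parse(log):
    """Parse 'ts kind k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, kind, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def orphan_account_activity(auth_log, roster):
    """Return (account, ts, src, status) for logins by non-active owners.

    To the directory an orphan is an ordinary account, so the only signal
    is the join against HR: a successful login after the owner's
    termination date cannot be the owner. Accounts HR has never heard of
    are flagged too, since nobody is accountable for them."""
    hits = []
    for ev in parse(auth_log):
        if ev["result"] != "success":
            continue
        status, term_date = roster.get(ev["account"], ("unknown", None))
        if status == "active":
            continue
        if term_date is None or ev["ts"] >= term_date:
            hits.append((ev["account"], ev["ts"], ev["src"], status))
    return hits


def collusive_approvals(approval_log, window=timedelta(minutes=30), min_approvers=3):
    """Return payment IDs whose approvals all came from one workstation
    within `window`. Three distinct account names satisfy a naive SoD
    rule; three accounts on one keyboard in a few minutes do not."""
    by_payment = defaultdict(list)
    for ev in parse(approval_log):
        by_payment[ev["payment"]].append(ev)
    flagged = []
    for pid, evs in by_payment.items():
        if len({e["approver"] for e in evs}) < min_approvers:
            continue  # not fully approved yet; nothing to judge
        evs.sort(key=lambda e: e["ts"])
        same_src = len({e["src"] for e in evs}) == 1
        tight = evs[-1]["ts"] - evs[0]["ts"] <= window
        if same_src and tight:
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for hit in orphan_account_activity(AUTH_LOG, HR_ROSTER):
        print("ORPHAN LOGIN", *hit)
    print("SUSPECT PAYMENTS", collusive_approvals(APPROVAL_LOG))
```

In the sample, the two terminated clerks’ accounts both log in from the supervisor’s workstation, and payment P-1001 collects its three approvals from that one workstation in about five minutes, so both checks fire; P-1002, approved from three workstations over two days, passes. The first check is the cheaper one to deploy, since it needs only an HR feed and the authentication log, and it would have caught this scheme on the first orphan login.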

So if you want to steal $11 million, perhaps you can leverage orphan accounts.  However, if you are on the right side of the law, I’m sure Alan would be delighted to discuss how Veriphyr can help catch schemes like Ms. Cawthra devised.


New Feature – “InfoSec Site”

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:39 am


I have added a new feature, “InfoSec Site”, to the Discovering Identity blog.

I frequently come across sites on the web that are relevant to the Information Security community. I may not have time to blog about each in detail, but want to provide a way to announce that I have found the documents and provide a way to easily find them again.

A new category “InfoSec Site” has been added to the blog, so these documents can be easily selected via the “Select Category” drop down list box.  They can also be found by searching for key words.

My previous post is an example of an InfoSec Site post.  It references a useful Data Breach reference site.  I hope you find it useful.


DBSec Site: DatalossDB.org

DBSec Site, Information Security
Author: Mark Dixon
Thursday, August 19, 2010
9:21 am


DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide.

The Open Security Foundation, as well as our volunteers, feel that there is a distinct need for tools that provide unbiased, high quality data regarding data loss. There are no other open, downloadable, machine parse-able resources out there that facilitate research into this subject matter. By providing this sort of resource, we feel we can help accomplish the following:

  • Improve awareness of data security and identity theft threats to consumers.
  • Provide accurate statistics to CSOs and CTOs to assist them in decision making.
  • Provide governments with reliable statistics to assist with their consumer protection decisions and initiatives.
  • Assist legislators and citizens in measuring the effectiveness of breach notification laws.
  • Gain a better understanding of the effects of, and effectiveness of "compliance".

[Image: a column listing the latest Data Loss incidents from DatalossDB.org]


Data Breach Threats: Laptops or Servers?

Information Security
Author: Mark Dixon
Thursday, August 19, 2010
8:51 am


I learned an astounding statistic yesterday in a webcast presentation by Andrew Jaquith, Senior Analyst, Forrester Research.  Using source data from DatalossDB.org, Andrew reported that in 2009, 138 million data records were breached.  By any measure, that’s a lot of data, resulting in large financial losses to corporations and lots of consternation to individuals whose identities may be included in those data breaches.

Did the majority of these losses result from stolen or lost laptops or thumb drives or backup tapes that fell off the truck? 

Surprisingly, NO! Of the 138 million breached records, a full 133 million were breached at the server level, not on edge devices.

Reinforcing this concept, the Verizon 2010 Data Breach Investigations Report stated that compromises of database servers comprised 25% of breaches, but 98% of total records.

So, while we may hear about more cases of data breaches occurring from edge devices, the bulk of the records are lost from servers, and the real challenge is protecting the core database from threats.

This reminds me of the Henry David Thoreau quote: “There are a thousand hacking at the branches of evil to one who is striking at the root.”

Copyright © 2005-2011, Mark G. Dixon. All Rights Reserved.