Know how fast the concept of a trusted insider becomes an oxymoron? Apparently a few nights and weekends--just ask the Georgia Technology Authority.
Asif Siddiqui had worked for the GTA for four years--and for nine in state government--as a programmer before he was fired and arrested last April for downloading and stealing 465,000 files on Georgia drivers during off-hours. Siddiqui hoarded the files for close to three years, and investigators still aren't sure what he was going to do with the sensitive data, which included Social Security numbers.
What the breach did for GTA was force the organization, which runs telecommunications and data center operations for the state including Georgia's Department of Motor Vehicles, to re-evaluate its hiring processes, institute pre-employment and periodic background checks on established employees, re-categorize data and accelerate its search for a state-of-the-art data center.
The real casualty for GTA, however, was trust. Even long-term employees now merit inspection. Proper authorization and access controls must be maintained, with particular focus on the revocation of rights once an employee no longer needs access to a system. After Siddiqui's arrest, GTA spent significant time hardening its authorization processes and procedures and tightening access to sensitive data.
"You still have to stay vigilant, even with long-term employees, and do so in such a way that employees understand and appreciate what you're doing," says GTA director of security Mark Reardon. "Employees have to appreciate they are in positions of trust. With that comes extra scrutiny. They have to understand that."
There were many layers to Siddiqui's theft, starting with the fact that it dated to 2002 when he was working on the state's driver's license and state health benefits plan systems. He had no legitimate reason to still be logging into those servers last April when an admin noticed he had recently been on the systems and reported it to management. His access rights had never been revoked, making him the most dangerous kind of intruder--one with legitimate access to sensitive data.
Furthermore, GTA did not have a policy of conducting background checks when Siddiqui was hired in 2001. That was another major policy adjustment post-breach, especially for employees with access to sensitive data. In addition, state agency information security officers now review data on every IT system according to NIST and FISMA guidelines. Data is given a rating of low, moderate or high security. New hires working with data rated moderate or higher must undergo an initial financial and criminal background check, as well as periodic checks throughout their employment.
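The control that would have caught Siddiqui's dormant entitlements is a periodic access review that reconciles who can log into a system against who is currently assigned to work on it, prioritized by the system's data rating. The following Python script is an added example, not GTA's code or process: it takes an export of entitlements, a list of current project assignments from HR, an authentication log and the low/moderate/high ratings, and returns the entitlements that should be revoked, most sensitive first, flagging those that are still being used. All names, systems and dates are constructed for illustration.

```python
"""Stale-entitlement review (added example; all sample data is constructed).

An entitlement is stale when its owner has no current assignment to that
system. Stale entitlements on highly rated systems, and stale entitlements
that are still being used, are the ones to revoke and investigate first.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Ordering for the low/moderate/high rating scheme described in the article.
SEVERITY = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    classification: str
    last_login: Optional[str]  # ISO date of most recent use, None if unused


def find_stale_entitlements(
    entitlements: Iterable[Tuple[str, str]],
    assignments: Dict[str, Set[str]],
    logins: Iterable[Tuple[str, str, date]],
    classification: Dict[str, str],
) -> List[Finding]:
    """Return entitlements whose owner is no longer assigned to the system.

    entitlements:   (user, system) pairs exported from the access-control system
    assignments:    user -> systems the user currently works on (HR / project data)
    logins:         (user, system, date) records from the authentication log
    classification: system -> "low" | "moderate" | "high"; an unrated system is
                    treated as "high" so it is never quietly ignored
    """
    last_login: Dict[Tuple[str, str], date] = {}
    for user, system, when in logins:
        key = (user, system)
        if key not in last_login or when > last_login[key]:
            last_login[key] = when

    findings = []
    for user, system in entitlements:
        if system in assignments.get(user, set()):
            continue  # still needed: the user is assigned to this system
        seen = last_login.get((user, system))
        findings.append(Finding(
            user, system,
            classification.get(system, "high"),
            seen.isoformat() if seen else None,
        ))
    # Highest rating first; within a rating, entitlements that are still in use
    # come before dormant ones because they indicate activity nobody authorized.
    findings.sort(key=lambda f: (-SEVERITY[f.classification],
                                 f.last_login is None, f.user, f.system))
    return findings


def used_after_reassignment(findings: List[Finding]) -> List[Finding]:
    """Stale entitlements with at least one login: the cases to investigate."""
    return [f for f in findings if f.last_login is not None]


def revocation_plan(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(user, system) pairs to revoke, in the order returned by the review."""
    return [(f.user, f.system) for f in findings]


# --- Constructed sample input (hypothetical users and systems) ---------------
ENTITLEMENTS = [
    ("asmith", "drivers-license-db"),   # granted for a project that ended
    ("asmith", "health-benefits"),      # granted for a project that ended
    ("asmith", "intranet-wiki"),
    ("bjones", "health-benefits"),
]
ASSIGNMENTS = {"asmith": {"intranet-wiki"}, "bjones": {"health-benefits"}}
LOGINS = [
    ("asmith", "drivers-license-db", date(2006, 3, 28)),
    ("asmith", "drivers-license-db", date(2006, 4, 3)),
    ("bjones", "health-benefits", date(2006, 4, 4)),
]
CLASSIFICATION = {
    "drivers-license-db": "high",
    "health-benefits": "high",
    "intranet-wiki": "low",
}

if __name__ == "__main__":
    review = find_stale_entitlements(ENTITLEMENTS, ASSIGNMENTS, LOGINS, CLASSIFICATION)
    for f in review:
        status = f"last used {f.last_login}" if f.last_login else "dormant"
        print(f"REVOKE {f.user}@{f.system} [{f.classification}] ({status})")
```

Run on the constructed data, the review flags both of asmith's leftover entitlements on high-rated systems and puts the drivers-license database first because it was used after the assignment ended, which is exactly the signal the admin in the article noticed by chance. The rating default of "high" for unrated systems is a deliberate fail-safe: a system that has not yet been through the NIST/FISMA rating process should not drop out of the review.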
Employees are also required to sign non-disclosure agreements, indicating they will not share or make use of any of the information they handle.
Reardon said a renewed focus on employee awareness will include intranet sites that educate employees about information security and their responsibilities with data.
"It's a lot of, frankly, unexciting basic blocking and tackling," Reardon says. "From an information security perspective, we have to make sure we have an understanding of what information is where and how it's protected, and make sure agencies responsible for data believe in the controls that are in place."
The theft also put additional focus on GTA's need for a new data center to replace its "ancient" facility, according to Joyce Goldberg of the GTA Office of Communications. The new facility has strong authentication requirements (including biometric access controls), redundant system failover and environmental controls.
"We are looking to be in a mode of constant improvement, and it isn't going to be one person; it's going to be a cultural change," Reardon says.
This article originally appeared in the April 2006 issue of Information Security magazine.