Published: 01 May 2002
My plan was ingenious. Although my actions were misinterpreted by the media, I allowed a known inside hacker to compromise my systems to vividly demonstrate the need for improving security to my superiors. And it worked.
As a sysadmin for the Monroe County (Fla.) Sheriff's Office, I'm responsible for systems operations and security for a network used by more than 500 people. I also have the added bonus of securing the system from hundreds of inmates with plenty of free time on their hands.
Inmates on the jail's computers? Yes, inmates have the right to do legal research while awaiting trial. We provide them with a CD-ROM law library to do research. Of course, I secured the inmate accounts as much as possible using access control policies, only allowing them to access the legal software and restricting access to everything else. This arrangement has worked without incident for the last five years.
Unfortunately, things change. After the servers were upgraded to Windows 2000, inmate Michael Tanzi, who was awaiting trial for murder and extradition for another killing in Massachusetts, found a hole in the third-party legal software that allowed him to run Internet Explorer. His first stop -- you guessed it -- was a porn site. Fortunately, our law library is monitored by cameras and periodically checked by correction officers. Tanzi's digital excursion was quickly discovered, and he was ejected from the law library.
My task was clear; I had to figure out a way to secure the system. My preferred solution was deploying a firewall, separating the inmate terminal server from everything else, and only allowing inmates access to the law library's CD-ROM server. The other and less expensive approach was placing stricter controls on inmates' accounts and continuing to monitor their activities.
Naturally, the cash-strapped jail administration opted for Plan B. Inmates were given fair warning when we told them that their computer use would be watched more closely. I also set up my Windows Terminal Server so I could take remote control of any inmate session. While these measures were a step in the right direction, I was under no illusions that they would stop a determined inmate hacker.
Enter Tanzi again. We decided to let our resident hacker back into the law library, knowing full well he would attempt to exploit the security hole. I wanted to watch everything that he did and to see how well the new controls worked. Sure enough, he went right back to the hole and successfully reached the Internet.
This process, which took months to unfold, yielded several important lessons.
- Secure the obvious and not so obvious. Yes, I had locked the front door, but I hadn't checked the windows and side doors.
- Match security to the potential threat. Inmates don't care about disrupting the jail's network; they just wanted to get out on the Internet to access porn and other restricted material. The jail's security needed to match its policy of denying inmates unrestricted Internet access.
- Check and double-check. Let someone else, preferably an objective third party, check your security for mistakes and gaps. While not a trusted third party, the inmate did expose some things I needed to fix.
- Use incidents as a learning tool. The people who hold the purse strings often don't understand the need for security until something bad happens. Security incidents provide real examples to justify training and equipment expenditures, and policy changes.
Armed with a new incident and a wealth of data on the inadequacies of the jail's computer security, I was able to justify the cost of a firewall. Once the firewall was installed, we allowed Tanzi in a third time. While he could still access Explorer, he couldn't go anywhere.
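The segmentation design described above (the inmate terminal server allowed to reach only the CD-ROM law library server, so a browser that does get launched has nowhere to go) can be expressed as a default-deny firewall policy. The nftables ruleset below is an added illustration, not the Sheriff's Office's own configuration; the addresses, the file-sharing ports and the `jail_segmentation` table name are assumptions.

```nft
# Added example (not the Sheriff's Office's actual configuration): an nftables
# ruleset for a firewall placed between the inmate terminal server and the
# rest of the network. Addresses and ports below are assumed placeholders.
define inmate_ts     = 10.0.10.5        # inmate Windows Terminal Server (assumed)
define law_library   = 10.0.20.7        # CD-ROM law library server (assumed)
define library_ports = { 139, 445 }     # Windows file sharing (assumed service)

table inet jail_segmentation {
    chain forward {
        # Default-deny: anything not explicitly allowed is dropped, including
        # web traffic from an inmate who manages to launch a browser.
        type filter hook forward priority 0; policy drop;

        # Keep already-established flows working in both directions.
        ct state established,related accept

        # The inmate terminal server may reach only the law library server.
        ip saddr $inmate_ts ip daddr $law_library tcp dport $library_ports ct state new accept

        # Everything else from the inmate segment is logged and dropped, so
        # attempts are visible in the firewall log as well as on the cameras.
        ip saddr $inmate_ts log prefix "inmate-segment-deny: " drop
    }
}
```

Account restrictions alone (Plan B) never touch the network path, which is why the hole in the legal software still led to the Internet; the policy above closes that path regardless of which application the inmate can start.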
While the media -- including Information Security -- poked fun at our apparent folly for letting an accused murderer and known hacker on our system three times, the exercise helped me get everything I wanted and needed. The jail invested in better security, the users (corrections officers and inmates) have a better understanding about the jail's security policies and posture, and I've created a better climate for evaluating and improving security. Mission accomplished.
About the Author: Michael Grattan is a systems administrator for the Monroe County Sheriff's Office in Key West, Fla.