Note to Fannie Mae: Dealing with Logic Bombs
Today it was revealed that a departing contractor left Fannie Mae with a parting gift: a logic bomb designed to take out about 4,000 of the financial giant's servers and the data on them. Since the news broke, a number of concerned CIOs have asked my team for guidance on how to deal with logic bombs, so here is a quick lesson on these malicious attacks.
A logic bomb is a malicious piece of code inserted into a software system that executes when certain conditions are met, most commonly the arrival of a set date. A logic bomb that goes off on a particular date is called a time bomb.
In this case the contractor was able to plant the bomb because his authorization to access systems was not revoked when he was let go. In identity-management products such as Microsoft ILM, revoking that access is known as deprovisioning.
Logic bombs are usually indistinguishable from normal code and are inserted into the system by a programmer who already has legitimate access to it. They belong to the class of attacks known as insider attacks, which are the most difficult to detect and mitigate. The CSI/FBI 2005 Computer Crime and Security Survey indicated that 56% of organizations reported some level of security breach originating from within their own organization. So a note to all you CIOs/CSOs: if you think that only your internet-facing assets face a high risk of attack, think again.
What can you do to avoid a fate like Fannie Mae's? Sadly your options are limited and depend on strict adherence to process. This is what you can do (in order from immediate to long term):
- Deprovision the accounts of individuals who are being let go while they are still on the premises, or even before you inform them.
- For programmers, take a copy of their files and code (with file hashes) before they leave. Compare it with a fresh copy a few days later to find anything that changed or appeared after their departure. This only catches changes made after the baseline was taken; code they committed earlier still needs the review in the next item.
- After a person with access to critical digital assets (systems and code) leaves the organization, invest in having a peer review their recent work for logic bombs that may have been left behind; look especially for code paths that only run on a particular date or after a delay.
- Change the credentials of critical systems, including shared and service-account passwords the departing person may know, periodically, and consider two-factor authentication.
- Use an identity management system to automate provisioning and deprovisioning of user accounts.
- Invest in multi-tiered logging and auditing, with separation of duties between the monitored and the monitoring parties, so that an insider cannot erase his own tracks. This also preserves a trail of evidence if you need to prosecute.
Plan ahead to deny the disgruntled the ability to plant logic bombs; failing that, find and defuse the logic bombs; failing that, hit the deck and hope that the script has a bug.
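As an added illustration of the second and third items above (example code written for this post, not anything from Fannie Mae or from the incident), the script below takes a SHA-256 baseline of a code tree before the programmer leaves, diffs a later snapshot against it, and flags lines in new or changed files that reference a date or a destructive command. The patterns are a constructed, heuristic triage aid: they narrow what the peer reviewer reads, they do not prove or disprove a logic bomb. The sample tree and the planted line are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic patterns a reviewer would want pointed out in changed code.
# These are triage hints only (assumption of this example): a logic bomb can
# be written without any of them, and legitimate scripts match them too.
TRIGGER_PATTERNS = [
    re.compile(r"\bdate\b"),                                  # shell: date +%m%d comparisons
    re.compile(r"\bdatetime\b|\btime\.(time|localtime)\b"),  # Python-style clock checks
    re.compile(r"\bcrontab\b|\bat\b\s+\d"),                   # deferred execution
]
DESTRUCTIVE_PATTERNS = [
    re.compile(r"\brm\s+-[a-zA-Z]*r"),                        # recursive delete
    re.compile(r"\bdd\s+if=/dev/(zero|urandom)"),             # disk overwrite
    re.compile(r"\bmkfs\b|\bshred\b"),
    re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.IGNORECASE),
]


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def flag_lines(text):
    """Return (line_no, line) pairs matching a trigger or destructive pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        if any(p.search(line) for p in TRIGGER_PATTERNS + DESTRUCTIVE_PATTERNS):
            hits.append((no, line.strip()))
    return hits


def review_changes(root, before):
    """Diff the tree against the pre-departure baseline; flag suspect lines in new/changed files."""
    after = snapshot(root)
    added, removed, modified = diff_snapshots(before, after)
    report = {}
    for rel in added + modified:
        hits = flag_lines((Path(root) / rel).read_text(errors="replace"))
        if hits:
            report[rel] = hits
    return added, removed, modified, report


def demo():
    """Constructed sample: a benign tree, then a date-triggered wipe appended after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "scripts"
        scripts.mkdir()
        (scripts / "backup.sh").write_text("#!/bin/sh\ntar czf /backup/db.tgz /var/db\n")
        (scripts / "rotate.sh").write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        before = snapshot(tmp)  # taken on the programmer's last day
        # Simulated insider change: a time-triggered destructive block hidden at the end of a script
        with open(scripts / "backup.sh", "a") as fh:
            fh.write('if [ "$(date +%m%d)" = "0131" ]; then rm -rf /var/db; fi\n')
        # A benign new file, to show that "added" alone is not a finding
        (scripts / "cleanup.sh").write_text("#!/bin/sh\nfind /tmp -mtime +7 -delete\n")
        return review_changes(tmp, before)


if __name__ == "__main__":
    added, removed, modified, report = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    for rel, hits in report.items():
        for no, line in hits:
            print(f"{rel}:{no}: {line}")
```

Run it as-is to see the demo; in practice call snapshot() on the real tree on the person's last day, store the result somewhere the person cannot reach, and pass it to review_changes() a few days later. The baseline only catches what changes after it is taken, so it complements, rather than replaces, the peer review of earlier commits.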