Showing posts with label Audit. Show all posts

Friday, July 6, 2007

When a DBA goes bad



What happens when a DBA goes bad? In the recent case involving Certegy Check Services (a division of Fidelity National Information Services), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information was compromised.

In the July 3rd press release:


“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division

Data sold to Marketing Solicitation Companies;
No Fraudulent Activity of Identity Theft Detected”


The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a man named William Sullivan, also allegedly owns a side business named S&S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes", not by transmission.

How does a business protect itself (and its customers)?
I can think of two things right off the bat: extensive screening of employees who have access to sensitive information, and segregation of duties.

Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.

Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access that data, and also audits who has accessed it! Bad news. As security professionals, we should never accept a single entity holding all three of these rights. There are good products in the marketplace that audit what DBAs do, independently of the DBA. Any company storing sensitive (and/or regulated) data would do well to have its security personnel look into these products.

Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.

Certegy's Actions (thus far)
Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. Petersburg).

NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.

Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.

NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.

From Renz Nichols, president of Certegy Check Services: "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.



Thursday, June 21, 2007

Active Directory Account Auditing 101


How many login accounts do you have? What accounts should be disabled or deleted? What accounts are disabled, expired, locked, etc.? What accounts have a password expiration “override”, meaning they are not forced to change their passwords? How many accounts are in compliance with your policy? You have a policy, right?

In most Microsoft Windows (Active Directory) environments accounts and passwords are everything. Most companies aren’t using biometrics, smart cards, etc. so an account and password become the “keys to the kingdom”. I am going to show you how to do a cursory audit, answer the questions above, and do it in 30 minutes or less. Best of all, this is free!

NOTE: This article is not written to be instructions for a comprehensive account audit nor is it written to audit individual password strength.

Policy
To begin, you need a policy. Without policy, information security initiatives are likely doomed. In many organizations the policy that correlates most closely with this audit is the Password Policy. Your policy (and/or supporting standards) should specify the rules for login account passwords. You may also have supporting policies such as a privileged user policy or an account termination policy.

NOTE: If you do not have explicit consent (hopefully written) to conduct an audit of an organization’s information assets, get it BEFORE proceeding.

The Audit
I use free tools regularly for audits, penetration testing, etc. Why write a tool if someone has already made one for you?

Before beginning an audit, define what you plan on using it for. Do you have a SOX auditor breathing down your neck? (Most SOX auditors want a list of login accounts with password age.) Do you want the audit as FYI material? Do you plan to use the audit to initiate subsequent policy non-compliance remediation efforts? Most of the audits I conduct are used as part of an ongoing information security lifecycle. Typically, I will audit accounts on a semi-annual basis.

Anyway, let’s begin.

The Tool:
We need a tool that will enumerate the accounts and provide us with the information we seek. My old and trusty tool of choice is UserDump.exe written by Joe Richards. The step-by-step:

1. Visit Joe’s site at http://www.joeware.net/freetools/tools/userdump/index.htm and download the tool.



NOTE: Your email address is OPTIONAL. When I am given the option, I opt not to provide it.

For the sake of this exercise, let’s download the file to C:\Tools\UserInfo\UserDump.

2. De-compress userdump.zip (“un-zip”).

3. Open command prompt and change the directory so that you are able to run userdump.exe from the command line.



4. Type the following (without the quotes), replacing %dcnameorIP% with the IP address or name of an Active Directory domain controller:

“userdump %dcnameorIP% > dcusers.txt”



5. After userdump has completed, you should have a tab-delimited text file in the directory that you ran it in.


6. Open Excel. Click File-->Open and locate the newly created dcusers.txt file. You will need to change the “Files of type:” option to “Text Files” in order to see it in the Open dialog box.


7. After you select the file, the Text Import Wizard dialog box will appear. Make sure that “Delimited” is chosen and not “Fixed width”, and click Finish.


8. Voila! Your audit is complete. Now maybe this one calls for some remediation.
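The Excel step is fine for a one-off look, but once the export is sitting in a tab-delimited file the same questions can be answered by a script and re-run every six months without the manual clicking. The Python below is an added example, not part of the original post and not joeware's tool: it reads a tab-delimited user export and flags the conditions the article asks about (disabled, locked, expired, password never expires, password older than policy, and accounts believed to be disabled that are in fact still usable). The column names (sAMAccountName, userAccountControl, pwdLastSet, accountExpires) and the six sample accounts are constructed assumptions; adjust the names to whatever header line your export actually has. Only the userAccountControl bit values and the FILETIME encoding of the date attributes come from Active Directory itself.

```python
"""
Flag account-policy violations in a tab-delimited Active Directory user export.

Added example, not the original post's code and not userdump.exe's real output
format: the column names and the six sample accounts are constructed
assumptions. The userAccountControl bit values and the FILETIME date encoding
are those used by Active Directory.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (values as defined in the AD schema)
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# pwdLastSet / accountExpires are FILETIME values: 100 ns ticks since 1601-01-01
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_VALUE = (0, 0x7FFFFFFFFFFFFFFF)   # "never" for accountExpires, "not set" for pwdLastSet

AUDIT_DATE = datetime(2007, 6, 21, tzinfo=timezone.utc)   # assumed audit date


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(value):
    ticks = int(value)
    if ticks in NO_VALUE:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def build_sample_export(now=AUDIT_DATE):
    """Constructed export: a header line plus six accounts in the assumed layout."""
    def fmt(dt):
        return str(datetime_to_filetime(dt)) if dt else "0"
    accounts = [  # name, userAccountControl, pwdLastSet, accountExpires
        ("jsmith",     NORMAL_ACCOUNT,                        now - timedelta(days=30),  None),
        ("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, now - timedelta(days=400), None),
        ("contractor", NORMAL_ACCOUNT,                        now - timedelta(days=120), now + timedelta(days=10)),
        ("intern",     NORMAL_ACCOUNT,                        now - timedelta(days=60),  now - timedelta(days=21)),
        ("former_emp", NORMAL_ACCOUNT | ACCOUNTDISABLE,       now - timedelta(days=200), None),
        ("tmp_admin",  NORMAL_ACCOUNT | PASSWD_NOTREQD,       None,                      None),
    ]
    lines = ["sAMAccountName\tuserAccountControl\tpwdLastSet\taccountExpires"]
    for name, uac, pwd_set, expires in accounts:
        lines.append(f"{name}\t{uac}\t{fmt(pwd_set)}\t{fmt(expires)}")
    return "\n".join(lines) + "\n"


def parse_export(text):
    """Read the tab-delimited export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def audit_accounts(rows, now=AUDIT_DATE, max_password_age_days=90):
    """Return {account: [finding, ...]}; an empty list means policy-compliant."""
    findings = {}
    for row in rows:
        uac = int(row["userAccountControl"])
        issues = []
        if uac & ACCOUNTDISABLE:
            issues.append("disabled")
        if uac & LOCKOUT:
            issues.append("locked")
        expires = filetime_to_datetime(row["accountExpires"])
        if expires is not None and expires <= now:
            issues.append("expired")
        if "disabled" not in issues:           # password state only matters on usable accounts
            if uac & PASSWD_NOTREQD:
                issues.append("password-not-required")
            if uac & DONT_EXPIRE_PASSWORD:
                issues.append("password-never-expires")
            pwd_set = filetime_to_datetime(row["pwdLastSet"])
            if pwd_set is None:
                issues.append("password-must-change")   # pwdLastSet 0: change at next logon
            elif (now - pwd_set).days > max_password_age_days:
                issues.append(f"password-age-{(now - pwd_set).days}d")
        findings[row["sAMAccountName"]] = issues
    return findings


def still_enabled(findings, expected_disabled):
    """Accounts believed disabled/expired that the export shows are still usable."""
    return sorted(a for a in expected_disabled
                  if not {"disabled", "expired"} & set(findings.get(a, [])))


def summarize(findings):
    """Count accounts per finding type (all password-age findings collapsed into one)."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            key = "password-age" if issue.startswith("password-age-") else issue
            counts[key] = counts.get(key, 0) + 1
    return counts


def run_sample_audit():
    return audit_accounts(parse_export(build_sample_export()))


if __name__ == "__main__":
    results = run_sample_audit()
    for account, issues in results.items():
        print(f"{account:12} {', '.join(issues) or 'compliant'}")
    print("summary:", summarize(results))
    print("believed disabled but still usable:",
          still_enabled(results, ["former_emp", "intern", "contractor"]))
```

To run it against a real export, replace build_sample_export() with open("dcusers.txt").read() and feed still_enabled() the list of accounts HR or the helpdesk believes were disabled; the accounts it returns are exactly the "thought to have been disabled and/or expired that were not" class of finding, and the summary gives the counts a SOX auditor asks for.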


Conclusion
The audit conducted in this article should give you answers to the questions we posed at the start. In this audit there were 952 accounts, of which 712 were login accounts. There were numerous password age and no password expiration policy violations as well as accounts that were thought to have been disabled and/or expired that were not.

In a simple exercise lasting no more than 30 minutes, we were able to gather good information. Through remediation we should be able to significantly reduce the risk of unauthorized disclosure, modification and/or destruction to this company’s information assets.
