Database Admin Hacking his Ex Firm - Is It All His Fault?

Data Breaches has just published an article, Former GEXA employee pleads guilty to computer intrusion.

According to the article, here is what happened:

Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail thus impairing the availability of data.

As a result of Kim’s intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. Kim was indicted in June 2009.

We quite agree that the former employee's access was illegal, and he probably did cause a lot of sleepless nights for the admins and security officers, and a lot of stress for GEXA management.

But GEXA blames the ex-DBA for some of the wrong reasons. Let us break down the stated loss amount of $100,000:

  • Troubleshooting the issue - the problems actually appeared only once the production system was copied into staging, so it is quite probable that production itself was not impaired, at least not in any significant way. Troubleshooting was therefore a couple of man-days, which by any salary standard could not cost more than $4,000.
  • Securing the computer network and GEXA systems - the incident was made possible by inadequate security measures at the procedural, network and database levels. Any costs GEXA incurred to beef up and revise its security would have had to be spent regardless of the incident. In my opinion, these costs should be attributed to the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.
  • Repairing the GEXA GEMS database and computer network - this part was mostly a hunt for rootkits, trojans and breaches of integrity, one that has to be performed after any breach. This is really the only segment that the ex-DBA should be held accountable for.
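The unauthorized table in the production database was noticed only when the copy to staging broke. A DDL audit trail at the database level, checked against the change-management record, would surface such a change the same day. The following is an added example and not GEXA's code or anything from the article; it assumes an Oracle database, a GEMS schema, and two hypothetical tables, SEC_DDL_AUDIT and CHANGE_TICKET.

```sql
-- Added example (assumed Oracle 10g+; the GEMS schema name and the
-- SEC_DDL_AUDIT and CHANGE_TICKET tables are hypothetical).
-- 1. Record every DDL statement issued against the production database,
--    including who issued it and from which host.
CREATE TABLE sec_ddl_audit (
    event_time   TIMESTAMP      DEFAULT SYSTIMESTAMP,
    db_user      VARCHAR2(128),
    os_user      VARCHAR2(128),
    client_host  VARCHAR2(256),
    event_type   VARCHAR2(64),   -- CREATE, ALTER, DROP, ...
    object_type  VARCHAR2(64),   -- TABLE, INDEX, ...
    object_owner VARCHAR2(128),
    object_name  VARCHAR2(128)
);

CREATE OR REPLACE TRIGGER sec_ddl_audit_trg
AFTER DDL ON DATABASE
BEGIN
    INSERT INTO sec_ddl_audit
        (db_user, os_user, client_host, event_type,
         object_type, object_owner, object_name)
    VALUES
        (ora_login_user,
         SYS_CONTEXT('USERENV', 'OS_USER'),
         SYS_CONTEXT('USERENV', 'HOST'),
         ora_sysevent,
         ora_dict_obj_type,
         ora_dict_obj_owner,
         ora_dict_obj_name);
END;
/

-- 2. Daily check: any table created in the GEMS schema in the last 24 hours
--    that does not correspond to an approved change.  CHANGE_TICKET stands
--    for whatever change-management record the organisation keeps.
SELECT a.event_time, a.db_user, a.os_user, a.client_host, a.object_name
  FROM sec_ddl_audit a
 WHERE a.event_type   = 'CREATE'
   AND a.object_type  = 'TABLE'
   AND a.object_owner = 'GEMS'
   AND a.event_time  >= SYSTIMESTAMP - INTERVAL '1' DAY
   AND NOT EXISTS (SELECT 1
                     FROM change_ticket t
                    WHERE t.object_name = a.object_name
                      AND t.status      = 'APPROVED')
 ORDER BY a.event_time;
```

The same trail also answers the forensic question of which statements a departed employee's account issued, which shortens the "repairing" work the post attributes to the attacker.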

In conclusion, GEXA did suffer a lot of grief from this incident, and we commend them on their success in identifying the attacker.

But in reality, the incident was caused by a HUGE gap in security procedures and controls, items for which people at GEXA are accountable. So a deep look inward is also in order.

Talkback and comments are most welcome.


3 comments:

AppSec said...

While I don't disagree that the lack of process and protection was in place... This is like asking the victim of a mugging to take responsibility for their own actions.

Yes, maybe the person needed to be more aware of their surroundings, but please -- let's not get in the habit of pointing fingers at the victim.

Bozidar Spirovski said...

The attacker is by all means guilty of the attack. I am only stating that the costs of better security should not be dumped onto the attacker - it is the problem of the victim.
But let's stick with the same analogy: Does the victim ask for reimbursement from the mugger because from now on he/she has to use a taxi or take a longer way which is better lit and with more police presence?

AppSec said...

Honestly, yes. The victim would be right in stating that the attacker cost them that much money.

Would they get it? Probably not. But GEXA (from what I gathered) wasn't going after Kim for the money, they just stated how much it cost them.

This was an attack as a result of internal knowledge (which is one aspect where I have to admit my analogy failed) and he had to have known it would cause damage and be hard to track down.
