Kim remotely accessed the GEXA Energy computer network and the GEXA Energy Management System (GEMS) database. While connected to the GEXA Energy computer network, Kim recklessly caused damage by, among other things, issuing various Oracle database commands which created a new data table in the GEMS production database which, when copied to the GEMS staging database, caused the automated script to fail thus impairing the availability of data.
As a result of Kim's intrusion into their protected computer system, GEXA Energy incurred a loss of at least $100,000, the costs associated with troubleshooting, securing and repairing the GEXA Energy computer network and the GEMS database. Kim was indicted in June 2009.
We quite agree that the former employee's access was illegal, and he probably caused a lot of sleepless nights for the admins and security officers and a lot of stress for GEXA management.
But GEXA blames the ex-DBA for some of the wrong reasons. Let us break down the stated loss of $100,000:
- Troubleshooting the issue - the problems were actually triggered only once the production database was copied into staging, so it is quite probable that production itself was not impaired, at least not in any significant way. Troubleshooting was therefore a couple of man-days, which by any salary standard could not cost more than $4,000.
- Securing the GEXA computer network and systems - the incident was made possible by inadequate security measures at the procedural, network and database levels. Any costs GEXA incurred to beef up and revise its security would have had to be spent regardless of the incident. In my opinion, these costs should be borne by the GEXA Information Security Officer, the Head of Internal Audit, the HR Officer and the last external auditor of the computer systems.
- Repairing the GEMS database and the GEXA computer network - this part was mostly a hunt for rootkits, trojans and breaches of integrity, one that has to be performed after any breach. This is really the only segment for which the ex-DBA should be held accountable.
But in reality, the incident was caused by a HUGE gap in security procedures and controls, items for which people at GEXA are accountable. So a deep look inward is also in order.
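The mechanism described in the indictment, a table appearing in production that the automated staging copy script did not expect, is exactly what a pre-copy schema drift check catches, and the alert it raises is also the earliest sign that someone with unrevoked access is issuing DDL. The example below is added here and is not GEXA's or the indictment's code; the GEMS schema baseline, table names, dates and snapshot format are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed data throughout: the schema, object names, dates and the
# baseline are assumptions for illustration, not values from the GEXA case.

@dataclass(frozen=True)
class DbObject:
    owner: str       # schema that owns the object
    name: str        # object name
    obj_type: str    # e.g. TABLE, VIEW, INDEX
    created: datetime

# Objects the automated prod-to-staging copy script expects (constructed baseline).
BASELINE = frozenset({
    ("GEMS", "CUSTOMERS"),
    ("GEMS", "METER_READINGS"),
    ("GEMS", "INVOICES"),
})

# Constructed production snapshot, shaped like rows pulled from Oracle's
# DBA_OBJECTS view, including one table nobody in the change process knows about.
PROD_SNAPSHOT = [
    DbObject("GEMS", "CUSTOMERS", "TABLE", datetime(2008, 1, 10)),
    DbObject("GEMS", "METER_READINGS", "TABLE", datetime(2008, 1, 10)),
    DbObject("GEMS", "INVOICES", "TABLE", datetime(2008, 1, 10)),
    DbObject("GEMS", "TMP_EXPORT", "TABLE", datetime(2009, 3, 2, 23, 14)),
]

def unexpected_tables(snapshot, baseline=BASELINE):
    """Tables present in production that the copy script was never told about."""
    return sorted(
        (o.owner, o.name)
        for o in snapshot
        if o.obj_type == "TABLE" and (o.owner, o.name) not in baseline
    )

def drift_report(snapshot, baseline=BASELINE):
    """Gate the prod-to-staging copy: allowed only when the schema matches the
    baseline. Returns (allowed, findings) so the caller can page the on-call DBA
    instead of letting the copy script fail on its own."""
    by_key = {(o.owner, o.name): o for o in snapshot}
    findings = [
        f"unexpected table {owner}.{name} created "
        f"{by_key[(owner, name)].created:%Y-%m-%d %H:%M}"
        for owner, name in unexpected_tables(snapshot, baseline)
    ]
    findings += [f"expected table {owner}.{name} is missing"
                 for owner, name in sorted(baseline - set(by_key))]
    return (not findings, findings)
```

Run the gate before every copy; a creation timestamp outside the change window, as in the constructed finding, is the cue to check who still holds DBA credentials.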
Talkback and comments are most welcome