At first glance, the Duke University lacrosse scandal might not have much to do with enterprise security. The fact is, though, that it is indicative of the root causes of most organizational security issues.
In summary, a group of Duke lacrosse players with a reputation for alcohol and other university policy violations held a party. A stripper was paid to work at the party and accused three of the players of rape and other crimes. An uproar resulted, the lacrosse coach resigned and the players involved were suspended. Since that time, a wide variety of exculpatory evidence has been produced that calls the accuser's entire story into question and raises concerns over gross prosecutorial misconduct.
From my perspective, the players' misconduct was long overlooked by university officials and their coach, who essentially reinforced the misconduct. Duke's blind eye to their behavior is a contributory factor to the incident and the reaction. Even if the players are innocent of the crimes, Duke is likewise guilty of allowing the situation to degrade to the point where people even believed that the charges were plausible. The coach deserved to be fired for the long-term misbehavior of the players, even if the rape accusations had never been made. But none of this justifies false charges against the players, prosecutorial misconduct or the public outrage over the incident.
Bad behavior and corporate security
In all organizations, the greatest security problems occur when questionable behavior is ignored or when people are allowed to behave arrogantly. At Hewlett-Packard, the recent boardroom leaks scandal resulted from management running amok at all levels. First, there was the board member who was leaking information, despite signing confidentiality agreements. Then there were several other HP corporate executives who conducted a wide variety of activities that were egregiously unethical, if not blatantly criminal. Ironically, those involved in these unethical activities included HP's chief ethics officer, who faces charges of fraud, wrongful use of computer data and conspiracy.
Rarely do security-related incidents and criminal behaviors come out of the blue. Even in national security incidents, you tend to find that the most damaging espionage cases involved people who were widely known to have questionable characters. According to information available at the time, convicted spies Aldrich Ames, Jonathan Pollard and Robert Hanssen were all known to have questionable personalities and to have committed minor infractions. They were all overlooked until it was discovered that their actions were worse than anyone thought and had caused tremendous damage to national security.
In the corporate world, alcoholics are prime targets for industrial spies. While some people may suspect that a co-worker is an alcoholic, in general, it remains a joke or subject of gossip among co-workers. Even managers choose to ignore the situation as long as it doesn't affect them.
Professional spies, however, operating both legally and illicitly, make it a point to hang out at bars near their targets. They look for people who go to bars at lunch or after work. These are all indications of people they can either manipulate or simply get talking about their jobs, so that they divulge sensitive information while drunk.
Arrogant attitudes also lead to security problems. When I talk to security managers, arrogance is one of the biggest problems they face. At one large bank, for example, it took the terrorist issues raised after Sept. 11 to finally force employees to wear their access badges. According to these managers, some New York bankers did not want to ruin their US$1,000-plus suits by wearing a clip-on badge. Then, when an alternative was proposed -- wearing the badges clipped to chains -- these bank executives suddenly became safety conscious, claiming that the dangling chains could catch on something and choke them. In the end, 9/11 demonstrated the clear importance of access control and, more to the point of their egos, a badge was a way to identify their bodies under their US$1,000-plus suits should something happen to them.
When I perform HIPAA assessments of large hospital systems, one of the big problems I find is that doctors want instant access to all information. Accordingly, data terminals are always left with a user logged in, and anyone walking by can readily access any information. Many people in the hospitals realize this is a problem, but nobody wants to create an inconvenience for the doctors.
Yet another group held in god-like esteem is traders, who place commodity or financial trades for large organizations. Nobody wants to antagonize them because the good ones are in such demand that they can apparently change jobs at will. For example, I was performing a security assessment of an organization where a trade went very badly and the company lost tens of millions of dollars. When I asked staffers there how they knew that the trade wasn't just a bad decision, they responded that their traders were "too good" to make such a mistake.
In the course of the assessment, I found computer passwords for the traders written all over the place. During a late night walk-through, I stepped into an empty conference room and saw sheets of paper laid on a table in front of each chair. I picked up one of the papers and saw that it was a list of all the trades that were going to be placed the following day. By making competing trades, a person could easily make millions of dollars. It turned out that these trades were printed up the night before and left for a traders' meeting early each morning. The traders wanted the list there waiting for them when they came in.
Our team reported back that, while we couldn't find any specific smoking gun for the incident of concern, we had found the problems described above and that they had to be addressed immediately. We were thanked for our efforts and told that, despite the risk, the company didn't want to change the way the traders worked.
Anytime people have their transgressions overlooked, they are given a message that they can continue their behaviors, and, inevitably, the transgressions will escalate. Security professionals and network administrators have to deal with these issues regularly, and I have only scratched the surface here. The way to deal with the issue is to first document the small problems you see. Most users don't start off with a major security violation. They start off with smaller violations that escalate. By noting and documenting the issues, and handling them as appropriate, you may just head off a major problem.
Clearly, most small violations are unintentional and require only some basic awareness training as remediation. However, the data you collect also identifies consistent flouting of security policies on the part of some people.
Likewise, you should consider these actions as covering your behind. You only have the authority you are given. If you report infractions appropriately, you are making sure that the personal liability passes to the person in authority. As I mentioned above, senior managers might choose to ignore problems with some employees, and you have to make sure that you can document that you did what you were supposed to do. If your organization allows bad or arrogant behavior to flourish, the enablers are as much to blame for the problem as the offenders.
Ira Winkler is president of the Internet Security Advisors Group. He is a former National Security Agency analyst and the author of Spies Among Us (Wiley, 2005).