Monday, April 16, 2012

Be Ever Vigilant


What should organizations do?
Spending time avoiding the consequences and detecting the payload when it executes is a better use of resources and budget. Here are a few recommendations:
  • Alert on and monitor operations on sensitive information. Take for example the UBS PaineWebber incident, where the code erases the disk. A solution should detect this type of sensitive activity, not only when performed from a left-over file, but also when performed by a logged-on user, either intentionally or by mistake.
  • Detect suspicious behavior. As mentioned, the TSA uncovered the scheme when security cameras detected after-hours access. Detection of this type of irregular access should be applied to digital systems as well.
  • Maintain a detailed audit trail. In the case of an incident, this type of audit trail may be invaluable for forensic purposes.
  • Upon departure, disable the employee's access, and continuously monitor dormant accounts. Many of these logic bomb cases are caused by disgruntled employees within a short time frame after being let go. Fannie Mae did not terminate the contractor's account until later that evening, giving the contractor just enough time to write and deploy the code.
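
The checks recommended above can be run over an audit trail. The following is an added example, not part of the original post: it flags activity after a termination notice, reactivation of a dormant account, and after-hours access. The event format, account names, file path, business hours and 60-day dormancy threshold are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, time, timedelta

# Constructed sample data (not taken from any real incident).
# HR feed (assumed format): account -> time the termination notice was given.
TERMINATIONS = {"contractor7": datetime(2012, 4, 2, 13, 0)}

# Audit trail (assumed format): (timestamp, account, action)
EVENTS = [
    (datetime(2012, 1, 5, 10, 15), "svc_backup", "login"),
    (datetime(2012, 4, 2, 9, 30), "contractor7", "login"),
    (datetime(2012, 4, 2, 15, 45), "contractor7", "write /opt/jobs/nightly.sh"),
    (datetime(2012, 4, 3, 2, 10), "alice", "login"),
    (datetime(2012, 4, 3, 11, 0), "alice", "login"),
    (datetime(2012, 4, 10, 14, 0), "svc_backup", "login"),
]

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours
DORMANT_AFTER = timedelta(days=60)              # assumed dormancy threshold


def find_alerts(events, terminations):
    """Return (timestamp, account, reason) tuples for suspicious events."""
    alerts = []
    last_seen = {}  # account -> timestamp of its previous event
    for ts, account, _action in sorted(events):
        # Any activity at or after the termination notice means the
        # account was not disabled in time.
        term = terminations.get(account)
        if term is not None and ts >= term:
            alerts.append((ts, account, "activity after termination notice"))
        # An account that was silent for a long time and then wakes up.
        prev = last_seen.get(account)
        if prev is not None and ts - prev >= DORMANT_AFTER:
            alerts.append((ts, account, "dormant account reactivated"))
        # Digital equivalent of the after-hours access seen on camera.
        if not (WORK_START <= ts.time() < WORK_END):
            alerts.append((ts, account, "after-hours access"))
        last_seen[account] = ts
    return alerts


if __name__ == "__main__":
    for ts, account, reason in find_alerts(EVENTS, TERMINATIONS):
        print(ts.isoformat(), account, reason)
```

In practice the termination feed would come from HR or the identity system, so that the gap between notice and account disablement is itself visible in the alerts.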
