User Indifference Thwarts Electronic Signature Effort

Vince's elation turns to disappointment after the marketing department asks for something simpler

An e-mail from the director of marketing put a spring in my step this week. He and I have locked horns over security issues in the past. Marketing always wants to develop new services and offer our clients access to them online.

Those are good business ideals, but marketing never seems to think about the fallout from such schemes. I've had to steer them away from the plans that were the most—well, I'd call them mad, and they would probably call them innovative.

This healthy tension between taking risks to bring in new business and protecting our brand has meant that although we get on very well personally, professionally we often find ourselves in heated debates about new projects. But for once, the marketing director's e-mail seemed to show that we were perfectly aligned. He wanted to discuss electronic signatures on our Web site, with reference to distributing documents to shareholders and customers.

An e-mail like that makes me want to dance—in the past six months, I've put some effort into sorting out a decent system for pushing out public-key infrastructure and signatures to clients. The result is multivendor compatible, with a distribution system using Mountain View, Calif.-based VeriSign Inc.'s Secure Sockets Layer certificates to authenticate us to our clients.

This system wasn't backed by the business teams because they felt the time wasn't right. Although they didn't stand in the way, we had to beg and borrow the budget for software and equipment to get the system working. But this e-mail showed me that my work hadn't been in vain: Marketing now wanted to take advantage of the setup. No doubt the plan was to use digital signatures to ensure that the information that affects prices couldn't be tampered with while being downloaded.


THIS WEEK'S GLOSSARY


Back door: This is an entry into a system left by a trusted insider so that he can gain access after official privileges have been removed. The greatest back door of all time was developed by Unix co-creator Ken Thompson. He modified the C compiler so that it would recognize when the log-in command was being recompiled and insert code recognizing Thompson’s password, giving him entry to every system.


Normally, a back door could be destroyed by removing it from the source code for the compiler and recompiling the compiler. But to recompile the compiler, you have to use the compiler. So Thompson had the compiler recognize when it was compiling a version of itself. It then inserted the backdoor code into the new compiler.


Having done this once, he was then able to recompile the compiler from the original sources; the back door perpetuated itself invisibly.
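To make the glossary's description concrete, here is a toy model of the self-propagating compiler back door, added for this page and not taken from the column or from Thompson's paper. It assumes a miniature world in which a "program" is a Python source string, a "binary" is the namespace that `exec()` produces from it, and the compiler is itself such a program; `MASTER` is a constructed password. The last function goes one step beyond the glossary: it shows the defender's answer, which is to compile the same clean sources with an independently built compiler and diff the resulting artifacts rather than the source.

```python
"""Toy model of the self-propagating compiler back door from the glossary.

Constructed for illustration: a "program" is a Python source string, a
"binary" is the namespace exec() produces from it, and the compiler is just
another such program. MASTER is a made-up password, not a real one.
"""

# Clean source of the login program: checks a user's password against a table.
LOGIN_SRC = '''
def login(user, password, users):
    return users.get(user) == password
'''

# Clean source of the compiler: turns source text into a "binary" (namespace).
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    ns = {}
    exec(src, ns)
    return ns
'''

MASTER = "open-sesame"  # constructed master password that the back door accepts

# The trojan logic, kept as source text so it can carry a copy of itself (P)
# into every compiler it compiles: the self-recognition trick the glossary describes.
P = '''
def _patch(src):
    # Case 1: compiling login -> make it accept the master password too.
    if "def login(" in src:
        src = src.replace("return users.get(user) == password",
                          "return password == %r or users.get(user) == password")
    # Case 2: compiling the compiler -> prepend this patch logic and route the
    # new compiler's exec() through it, so the rebuilt compiler stays trojaned.
    if "def compile_program(" in src:
        src = ("P = " + repr(P) + "\\n" + P
               + src.replace("exec(src, ns)", "exec(_patch(src), ns)"))
    return src
''' % MASTER


def trojaned_compiler_source():
    """The compiler as the insider built it once: P, _patch, and the clean
    compiler with its exec() routed through _patch."""
    return "P = " + repr(P) + "\n" + P + CLEAN_COMPILER_SRC.replace(
        "exec(src, ns)", "exec(_patch(src), ns)")


def trusted_compile(src):
    """An independently built, trusted compiler (plain exec)."""
    ns = {}
    exec(src, ns)
    return ns


def build_login_via_suspect_toolchain():
    """gen0 is the insider's binary. gen1 is rebuilt from CLEAN compiler source
    using gen0, which is exactly the 'remove it from the source and recompile'
    remedy the glossary says fails. The login that gen1 compiles is still back-doored."""
    gen0 = trusted_compile(trojaned_compiler_source())
    gen1 = gen0["compile_program"](CLEAN_COMPILER_SRC)
    return gen1["compile_program"](LOGIN_SRC)["login"]


def backdoor_survives_clean_rebuild():
    """True when the rebuilt toolchain still accepts MASTER for any user."""
    login = build_login_via_suspect_toolchain()
    users = {"alice": "correct horse"}
    return login("alice", MASTER, users) and not login("alice", "wrong", users)


def foreign_constants():
    """Defender's check (beyond the glossary): compile the same clean sources
    with the suspect toolchain and an independent one, then diff the artifacts.
    Constants present only in the suspect build are the evidence; no knowledge
    of the master password is needed to find them."""
    suspect = build_login_via_suspect_toolchain()
    trusted = trusted_compile(CLEAN_COMPILER_SRC)["compile_program"](LOGIN_SRC)["login"]
    return set(suspect.__code__.co_consts) - set(trusted.__code__.co_consts)


if __name__ == "__main__":
    print("back door survives rebuild from clean source:",
          backdoor_survives_clean_rebuild())
    print("constants only in the suspect build:", foreign_constants())
```

Reading the source of `CLEAN_COMPILER_SRC` or `LOGIN_SRC` reveals nothing, which is the glossary's point; only a comparison against a second, independently built toolchain exposes the difference, and that comparison is the mitigation a practitioner should take away.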


Logic bomb: This is a piece of code included secretly in software that will perform malicious acts at a set time if not stopped by the writer. Disgruntled ex-employees have used logic bombs to punish companies for sacking them.


LINKS:


This story tells how Emulex Corp. in Costa Mesa, Calif., lost $2.2 billion in market capitalization through a stock manipulation because it didn’t have effective electronic signatures for its documents. But at least the attacker got 44 months in jail.


Look here for the legal mumbo jumbo behind the Electronic Signatures Act.



I eagerly set up a meeting that day to discuss the details. I then shared the news with my team, smug about our foresight and how easy it would be to answer every request.


We went to the meeting room and found a harried marketing director. He was obviously concerned about how we could implement the technology swiftly enough to meet his usual aggressive deadlines, I thought.


Then he explained what he wanted. He wasn't interested in electronic signatures as defined in the Electronic Signatures in Global and National Commerce Act. He wasn't interested in ensuring confidentiality and authenticating employees' identities as they exchange company secrets.


No, he wanted to add the scanned images of senior managers' signatures to the bottom of pages to give them the appropriate feeling of authority. Could we relax the restrictions on size and file types at the e-mail gateway, he asked, so he could e-mail these enormous bitmaps to our customers?


That proud feeling sparked by the morning e-mail evaporated, leaving me with the sour task of explaining that while sending out such images posed few security risks, it wasn't such a hot idea and didn't fit with the image of our company being at the cutting edge of electronic document interchange.


Weeks that start well and then go wrong always end up worse than weeks that tick along in the middle or even in the lower half of success, and this one was no exception. After the disappointment of our electronic signatures misunderstanding, I faced a most difficult situation for a security manager.


It started with a manager taking me to a quiet corner. "We are sacking Bill today," he said. "As you know, he is a systems administrator on many of our key systems. Can you just make sure that he can't do anything bad? Thanks."


It wasn't the first time this had happened. Sometimes, we get a bit more notice, but at other times, we just receive a note after the fact. It was too late to fully protect against any malicious acts by this staff member, but in notifying us, his line manager had passed the buck. Now if anything bad happens, he can say that he notified the information security department and that we failed to take appropriate action.


Securing Systems


But what is appropriate in such a situation? In this case, we followed due diligence and changed the passwords and access keys known by this systems administrator, but if he were malicious, he could easily have installed a logic bomb or a back door into the system before he left. This administrator had even been involved in the deployment of the very security monitoring tools that we normally use to identify Trojan horses and therefore could well have known how to disable and circumvent the protections.


How could we protect ourselves without alerting him to our concerns? If we acted as if he might take malicious action, he might have felt untrusted and hence acted in an untrustworthy way.


Some companies deal with this problem in innovative ways. One firm had to get rid of several staffers at once, so it had a fire drill. Once everyone was in the parking lot, the firm disabled the swipe cards of the people they were sacking, so they couldn't get back in after the evacuation. That's not a very enlightened approach toward staff feelings, but it certainly was effective.


We couldn't take that approach and ended up just making a low-key password change. We will have to wait and see if he did anything bad, but nothing has been detected. I think we can trust him, but will we always be so lucky?


I hope the economy turns soon so that I can focus on dealing with foolish ideas about electronic signatures and reduce the time I spend changing passwords and protecting systems from people who leave against their will.


How do you deal with security issues when layoffs affect key employees? I look forward to your ideas in the Security Manager's Journal forum.

Copyright © 2002 IDG Communications, Inc.
