Some Verizon Wireless employees apparently accessed Obama’s cell phone records without authorization. This comes on top of reports during the 2008 election campaign that the passport records of many of the candidates were looked up by employees within the department.
There have been other cases where the medical records of celebrities were accessed and viewed. What is striking about these incidents is that they were all caused by employees of the respective organizations and not by someone from the outside breaking in.
This trend is actually supported by statistics.
Recent surveys show that approximately two-thirds of fraud and identity-theft cases are being perpetrated by company employees and other insiders. The 2006 report of the Association of Certified Fraud Examiners estimates that US companies lose, on average, 5% of their annual revenues to internal fraud.
When I speak with application developers, one question that always comes up is “Do I have to consider security for applications that are intended for internal employee use and are not external facing?” The above mentioned incidents highlight the importance of security even for these types of applications.
For every high profile case that gets into the news, there must be at least a few hundred that do not. One of the principles of security is the Principle of Least Privilege. This means that every user or account should be given the least amount of privileges so that they can perform their required functions efficiently. This is something that a lot of development teams never understand. I was at a customer location last week and speaking with a lead developer. He was complaining that he was being asked by the Ops team to prepare a matrix with all the tables in the database and the access levels (SELECT, UPDATE, DELETE, etc.) that would be required for the application. He contention was that it was a pain to do and that if that changed later, he would have to go over a slow change control process.
When I asked him what his solution to that was, he replied that he was planning to prepare the initial matrix to show that the user required all access to all the tables. That way, he would not have to go through change control later on. My experience has been that whenever there is a conflict between security and convenience, convenience wins almost every time. A sharp eyed security review team along with documented policies is usually required to prevent these kinds of shortcuts that can cause significant problems later on.