Insider at Cal Water Steals $9M and Runs
Former auditor at the California Water Services Company used a still-active electronic key card to get into secured facilities
By Jaikumar Vijayan, Computerworld
The latest incident highlights some of those issues. The apparent fact that Abdi was able to access his company's secure facility after he had resigned points to a lack of "leaver" or termination controls, said Brian Cleary, vice president of products at security vendor Aveksa Inc. Such controls require a full understanding of the access rights that a particular user has and a process for removing that access across multiple applications, he said.
It is also unusual for an auditor to have access to a funds transfer system in the manner that Abdi appears to have, Cleary said. According to the court documents, Abdi used two different password-protected computers, located in two separate buildings, to initiate and confirm the money transfers. It is unclear from the court documents whether Abdi stole the passwords to the computers or had some kind of legitimate access to the systems.
However, a well-implemented access control system would have allowed the utility to grant access to applications based only on need, and it would have been able to monitor, track and log that usage, Cleary said. "The business risk from insider access that is inappropriate or misused is very real and can create serious operation impacts," Cleary said. "This problem is very pervasive within organizations as they don't have the visibility and control over user access."
One big challenge companies face with insider threats is achieving the right balance of controls, said John Pescatore, an analyst with Gartner Inc. "Any security approach that falsely blocks legitimate user action will quickly be turned off," Pescatore said. "If insider actions are legitimate 99.9% of the time and some insider threat detection system is 90% accurate, then for every 10,000 user actions there will be 10 malicious activities but there will be 1,000 alarms," out of which 991 are false alarms, he said.
From a business perspective, such a security control "is often worse than the problem," Pescatore said.
Cal Water spokeswoman Shannon Dean said the utility couldn't discuss the case in detail because of the ongoing investigation. But she said it is because the company had the appropriate financial controls in place that the fraud was detected and the wire transfers intercepted before any funds were lost.
© 2009 Computerworld Inc.



