Hacker Mum: The School Insider Threat Examined

Not everyone has heard about Hacker Mum yet. It's a bit of a misnomer actually, but the story goes like this: last month a woman, who had once been a secretary at the school her kids attended, was charged with nefariously accessing that school's grades system to change their grades (upward, obviously). While she was there, she had a look at some Human Resources areas and emails too.

The Mum with the Dragon Tattoo?

Did she hack her way in like some character in a Hollywood blockbuster, dodging high-level encryption, finding back doors and generally being a criminal IT mastermind? Erm, no. She used someone else's login and password credentials. So not so much Hacker Mum as plain old Opportunistically Dodgy Mum, then.

Now is as good a place as any to establish which part of the insider threat we are discussing here. Basically, this threat falls into two camps:

1. Inept, poorly informed, unaware and accidental insider threats
2. Malicious intent threats, i.e. self-serving people with an agenda, motivation and/or allegiance or issue.

Clearly, we are talking about type 2 in this circumstance: she had motivation and, sadly, access to be able to carry out several forays into the school system; the worst kind of insider threat. This raises some very pertinent questions about policy and procedure that we have discussed with schools ourselves, whilst doing one-day health checks on school security.

Levels of Access and Empowerment

The woman in question had been a secretary at the school and had subsequently left. Part of her job while she worked there was to set up user names and passwords for other people. If her own access level had been correct and appropriate, then at least potentially, that part of the security policy might be working. Also if the users she had
Advent IM Ltd 2012 any republishing in part or full with express permission of Advent IM

issued usernames and passwords to were required by school security policy to then change their passwords immediately, she would not have been able to access the system. In other words, if the policy had ensured that her own clearance levels were not high enough for her to access these areas, that the users had been instructed to change their passwords, or that as an ex-employee her access was negated, the policy would be working. But in this case, she used someone else's login, so let's look at what went wrong there.

Is it appropriate for a secretary to be creating logins AND passwords for other users? Especially if this is to include those who should, by virtue of their role, have access to areas not appropriate for a secretary, who is a non-teaching staff member? Even at a very basic security level, the user should have been informed by their policy that they should change their passwords upon issue. Realistically, it would seem far more appropriate for teaching staff only to have access to grades. It seems to be taking an awful lot on trust, which is where the insider threat's strength comes from. Blind trust, driven by a lack of understanding of insider threat, means an organisation can place absolute trust in its members without considering that they may have a motive for wrongdoing, and without considering the value of the information that organisation holds.

It's on a need to know basis, 007

The need to know principle doesn't just happen in Mission Impossible and James Bond films; it's actually common sense. If an individual in your organisation doesn't need access to a certain area of the network or set of files, for instance, don't allow them access. If it is not necessary for them to perform their role, why take the risk of something going wrong (either by accident or design) when it is so easily avoidable? Without the segregation of data/authority, an organisation has little or no control of who can play God with their data.

What have we learnt?
Schools and educational facilities have a massive amount of data, pupil and staff, to guard. That means they have to ensure their security policies and procedures are robust, frequently tested and updated and then tested again. It's a bit like conjugating verbs; it just has to be done properly to make any sense, it can't be half done.

In this case, the school identified who the culprit was. If she had never been put in a position to create the usernames and passwords, she would not have been able to carry out her attacks. If school security policy had scoped in her role as password creator for other users, then policy should have dictated that users change their passwords upon
issue. So keep it real when it comes to appropriate levels of role-related access.

If a staff member leaves, passwords should be changed, accounts should be deleted, access denied immediately. Any remote logins should be blocked. Provision for this should be in any school security policy.

If there is ever any doubt in the mind of a data guardian (in most cases this would be the Head Teacher or Bursar), the solution is to get it checked out. It will also reassure the key stakeholders of how seriously a school takes its security.

If you would like to read about Hacker Mum, the original story is here:
http://www.dailymail.co.uk/news/article-2176007/Curious-bored-Tiger-Mom-chargedhacking-school-districts-change-sons-grade-98-99.html?ITO=1490
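The policy points above (disable leavers' accounts and remote logins, make users change issued passwords, keep access to need-to-know, and limit who creates credentials) can be checked against an export of user accounts. The following is an added example, not part of the original article: the field names, role names, group names and the sample accounts are all constructed for illustration.

```python
from collections import namedtuple

Account = namedtuple(
    "Account", "user role employed enabled remote groups issued_by changed_own_pw")

# Need-to-know policy (assumed for this example): groups each role may hold.
ALLOWED = {
    "teacher": {"grades"},
    "secretary": {"office"},
    "bursar": {"hr", "finance"},
    "it_admin": {"account_admin"},
}

# Constructed sample directory export; every name and field is hypothetical.
ACCOUNTS = [
    Account("t.hughes", "teacher", True, True, False, {"grades"}, "s.clerk", False),
    Account("s.clerk", "secretary", False, True, True,
            {"office", "grades", "hr"}, "it.admin", True),
    Account("b.patel", "bursar", True, True, False, {"hr", "finance"}, "it.admin", True),
    Account("it.admin", "it_admin", True, True, False, {"account_admin"}, "it.admin", True),
]


def audit(accounts, allowed):
    """Return (user, finding) pairs for the policy failures the article lists."""
    role_of = {a.user: a.role for a in accounts}
    findings = []
    for a in accounts:
        # Leavers: account must be disabled and remote login blocked.
        if not a.employed and a.enabled:
            findings.append((a.user, "leaver-account-still-enabled"))
        if not a.employed and a.remote:
            findings.append((a.user, "leaver-remote-login-allowed"))
        # An issued password the owner never changed is still known to the issuer.
        if a.enabled and not a.changed_own_pw:
            findings.append((a.user, "issued-password-never-changed"))
        # Only roles holding account_admin should be creating credentials.
        issuer_groups = allowed.get(role_of.get(a.issued_by), set())
        if "account_admin" not in issuer_groups:
            findings.append((a.user, "credentials-issued-by-non-admin-role"))
        # Need to know: any group outside the role's allowance is excess access.
        excess = a.groups - allowed.get(a.role, set())
        if excess:
            findings.append((a.user, "excess-access:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, ALLOWED):
        print(f"{user}: {finding}")
```

Run on a schedule against the real directory export, a non-empty result is the prompt for the data guardian to get it checked out.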

www.advent-im.co.uk

Head Office: 0121 559 6699
London Office: 0207 100 1124
Email: bestpractice@advent-im.co.uk

Advent IM is the UK's leading independent information security and physical security consultancy. We specialise in holistic security management solutions for Information Security, HMG Information Assurance, Business Continuity, PCI-DSS and Physical Security and have a proven track record of successful certifications.

Our blogs:
www.adventim.wordpress.com
www.adventimforarchitects.wordpress.com
www.adventimforuklegal.wordpress.com
www.adventimforgambling.wordpress.com
www.adventimschoolsecurity.wordpress.com
