A good friend of mine and cybersecurity professional, Cindy vanBree, recently wrote an article on the Korn Ferry case involving unauthorized access by a former employee, David Nosal.
It's a great write-up on an interesting story of insider threats combined with poor access controls, and Cindy has given me permission to post it, in its entirety, in this blog post.
I would recommend reading it below to get the full context, but if you don't have time, here are my key takeaways:
- Implement the principle of least privilege. Cindy describes in the article how some users had access to critical information, even employees that didn't need the information to do their jobs... Do you have this in your organization?
- Implement 2-Factor Authentication where it is feasible. This particular incident would have been far more difficult if access required "what you know" AND "what you have" (like an RSA token).
- Update your termination process to remind transitioning employees (i.e. during the 2-week notice) that exfiltration of the organization's information is against policy and could result in legal action. Consider tighter monitoring of those employees during that period.
- Ensure that your termination process includes removing access to the proper systems in a timely manner. As you'll find in the article, in failing to do so, organizations may jeopardize their ability to pursue legal remediation or compensation after the fact.
Again, I definitely recommend reading Cindy's article below to get the full story.
Much has been made in the media about a recent court ruling upholding the conviction of a former Korn Ferry employee, David Nosal, under the Computer Fraud and Abuse Act (CFAA)[1]. The headlines[2] question whether the ruling makes illegal the ubiquitous practice of sharing passwords to subscription services such as Netflix and HBO with friends and family. There’s no question that the opinion would spur such hypotheticals; even the dissenting opinion by Circuit Judge Reinhardt posited that “This case is about password sharing.” Reinhardt goes on to say that the CFAA doesn’t make the millions of people who engage in the behavior unwitting federal criminals. While the courts continue to evolve their interpretation of the 30-year-old law, the case offers important lessons for Information Security Professionals and stakeholders in the all-important topic of access and authorization.
David Nosal was a regional executive with Korn Ferry, an organizational and human resources advisory and major executive search firm. Nosal became disgruntled and, after submitting his resignation, recruited three other employees to start up an executive search firm which Nosal would head. Nosal stayed on at the request of Korn Ferry under a contract arrangement to complete specified assignments. Nosal’s information system access authorization was terminated upon his transition from employee to contractor. To complete his assignment, Nosal was authorized to request of employees reports from Korn Ferry’s proprietary information system, Searcher, a database consisting of over a million executive resumes and their biographical information. Access to Searcher was granted to all Korn Ferry employees and did not require a separate password at the time.
Recognizing the competitive advantage offered by Searcher, Nosal had his cohorts download a number of large reports unrelated to his assignment from the database to develop information resources for his new firm. (Nosal’s conviction for violations under the Economic Espionage Act for theft of trade secrets was also upheld.) Over time, two of the three cohorts would resign from Korn Ferry to form the competing firm and the third, Nosal’s former executive assistant, remained at the request of Nosal. The departing employees’ access authorization was also terminated. These former Korn Ferry employees would go on to use the still-active employee’s credentials to access Searcher in order to continue to populate the new firm’s own database. Korn Ferry began an investigation of the matter after receiving an anonymous tip.
Nosal was convicted under the EEA and the CFAA. The conviction was appealed to the United States Court of Appeals for the Ninth Circuit, Nos. 14-10037 and 14-10275. The opinion turned on a key section of the CFAA, 18 U.S.C. § 1030(a)(4):
Whoever . . . knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . shall be punished . . .
A definition of the term “exceeds authorized access” is provided in the law as “access [to] a computer with authorization and [using] such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”[3] However, the CFAA does not define “without authorization”. In its Nosal 14-10037 opinion the United States District Court for the Northern District of California concluded that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through a back door and accessing the computer through a third party.” In other words, even though Nosal and his co-conspirators were once authorized, they were no longer authorized to access Korn Ferry’s information systems or its intellectual property (IP).
What lessons can the Information Security Professional take away from United States of America v. Nosal? First, the conviction of Nosal for violations of EEA indicates that the information in the Searcher database was found to be a trade secret and yet Korn Ferry did not apply the principle of least privilege. The principle holds that access to information, especially a trade secret, should be kept to the absolute minimum necessary for a user to do their job. Access to Searcher was granted to all employees. Korn Ferry could have restricted access to the database by requiring a second layer of authentication – a unique password for Searcher.
Nosal and his co-conspirators perpetrated the crimes in 2004 – 2005, when two-factor authentication (2FA) was not common and was not in place at Korn Ferry. Access to the Searcher database was obtained remotely, using the insider’s credentials. Our firm’s experience is that, more than ten years later, 2FA is still not widely adopted. While 2FA would not have prevented the theft outright, combining that measure with the principle of least privilege would have made the theft more difficult to carry out.
A Carnegie Mellon study found that the “majority of insiders who steal IP do so relatively close to announcing their resignation. This provides a window of opportunity for the victim organization to detect the unauthorized access or exfiltration of information”[4]. Firms should consider instituting an exit interview to remind would-be thieves of their restrictions and repercussions regarding the unauthorized use of the firm’s IP. Firms with the technical capability can begin monitoring the activities of those transitioning out of the organization in advance.
Finally, with regard to the “without authorization” opinion of the Court, unless the victim organization has affirmatively revoked the authorized access of its terminated employee, it is at risk of being unable to seek redress for theft of its IP under the CFAA. Our firm encounters many situations where terminated employees’ access authorizations are not revoked after termination. Information Security Professionals should ensure that access to their organization’s information systems is revoked immediately upon (or, in certain cases, before) termination of an employee.
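The takeaways at the top of this post and the lessons in the article (revoke access promptly on termination, and watch for bulk data pulls by employees who have given notice) can be checked mechanically. The following is an added example, not code from the article, from Korn Ferry or from Pondurance: a small leaver audit that correlates a hypothetical HR roster with an identity store and application access logs. Every employee, account, date and log line is constructed, and the pipe-delimited log format is an assumption for the example.

```python
# Added example (not from the article or any firm it names): a leaver audit that
# correlates an HR roster with identity accounts and application access logs.
# All names, dates and log lines below are constructed for illustration.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    notice_given: Optional[date]   # date the employee announced departure, if any
    terminated: Optional[date]     # last day as an employee, if any


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str
    enabled: bool


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    username: str
    action: str
    rows: int


# Constructed HR roster: E200 has already left, E300 is in a notice period.
ROSTER = {
    "E100": Employee("E100", notice_given=None, terminated=None),
    "E200": Employee("E200", notice_given=date(2024, 3, 1), terminated=date(2024, 3, 15)),
    "E300": Employee("E300", notice_given=date(2024, 4, 1), terminated=None),
}

# Constructed identity store: E200's account was never disabled after termination.
ACCOUNTS = [
    Account("asmith", "E100", enabled=True),
    Account("bjones", "E200", enabled=True),
    Account("cdoe", "E300", enabled=True),
]

# Constructed application log, "timestamp|user|action|rows" (hypothetical format).
RAW_LOG = """\
2024-03-10T09:12:00|asmith|report_download|40
2024-03-20T22:41:00|bjones|report_download|12000
2024-04-03T18:05:00|cdoe|report_download|9500
2024-04-04T10:00:00|cdoe|report_download|25
"""


def parse_log(raw: str) -> list[AccessEvent]:
    """Parse the constructed pipe-delimited log into AccessEvent records."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, int(rows)))
    return events


def unrevoked_accounts(roster, accounts, as_of: date) -> list[str]:
    """Accounts still enabled although the owner's termination date has passed."""
    return [a.username for a in accounts
            if a.enabled and roster[a.emp_id].terminated is not None
            and roster[a.emp_id].terminated < as_of]


def post_termination_access(roster, accounts, events) -> list[AccessEvent]:
    """Events performed with an account whose owner had already left the firm."""
    owner = {a.username: roster[a.emp_id] for a in accounts}
    return [e for e in events
            if owner[e.username].terminated is not None
            and e.when.date() > owner[e.username].terminated]


def notice_period_bulk_downloads(roster, accounts, events, threshold: int) -> list[AccessEvent]:
    """Large report pulls by employees who have given notice but not yet left."""
    owner = {a.username: roster[a.emp_id] for a in accounts}
    flagged = []
    for e in events:
        emp = owner[e.username]
        in_notice = (emp.notice_given is not None and e.when.date() >= emp.notice_given
                     and (emp.terminated is None or e.when.date() <= emp.terminated))
        if in_notice and e.action == "report_download" and e.rows >= threshold:
            flagged.append(e)
    return flagged


def run_audit(as_of: date = date(2024, 4, 10), threshold: int = 1000) -> dict:
    """Run all three checks over the constructed data and summarise the findings."""
    events = parse_log(RAW_LOG)
    return {
        "unrevoked": unrevoked_accounts(ROSTER, ACCOUNTS, as_of),
        "post_termination": [e.username for e in post_termination_access(ROSTER, ACCOUNTS, events)],
        "notice_bulk": [(e.username, e.rows)
                        for e in notice_period_bulk_downloads(ROSTER, ACCOUNTS, events, threshold)],
    }


if __name__ == "__main__":
    for finding, detail in run_audit().items():
        print(finding, detail)
```

On the constructed data the audit reports one account still enabled after its owner's last day, one access made with that account after termination (the situation the article describes, where a departed person's credentials keep working), and one bulk download by an employee in their notice period. The threshold and the "as of" date are parameters so the same checks can be run on a schedule against a real roster and log export.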
United States of America v. Nosal offered us sensational headlines speculating that ordinary citizens might someday become unwitting federal criminals to be prosecuted under CFAA. Those issues will be sorted out by the courts and public opinion over time. The case and the Court’s opinion offer the Information Security Professional some lessons in access and authorization that could save their firm from serious harm.
About the Author: Cindy vanBree, MBA, CISA, CISSP, QSA, is a Senior Information Security Consultant with Pondurance, LLC.
[1] https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf
[2] http://fortune.com/2016/07/10/sharing-netflix-password-crime/; and http://www.slate.com/articles/technology/future_tense/2016/07/is_it_really_illegal_to_share_your_netflix_password.html
[3] The CFAA was enacted by Congress in 1986 as an amendment to existing computer fraud law (18 U.S.C. § 1030).
[4] Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector