The case “The weakest link” concerns the use of a logic bomb to disable UBS-PaineWebber (UBS-PW) servers and cause a drop in the stock price. After 9/11, many companies faced profit problems, and UBS-PW was no exception. The organization had to cut its employee bonus program to remain competitive and have a chance to restore its business. All employees were informed about the reduction in payment, so they knew to expect less.
Still, one of the workers, Roger Duronio, started complaining. He was already dissatisfied with his wage, and this situation made him angrier. His boss tried to have the full bonus awarded but failed. At that moment Duronio was already prepared to quit and had his things packed. After he left, UBS-PW suffered from the execution of the logic bomb, which disabled about 2,000 servers. As a result, the man got an opportunity to obtain a part of the company’s shares while UBS-PW lost $3 million.
Over time, parts of the code used in the logic bomb were found when the suspect’s home was examined. Both of his computers held this information. In addition, there was a hardcopy printout in his bedroom (Gaudin, 2006). As a result, the man was charged with “securities fraud (count 1), mail fraud (counts 2 and 3), and fraud and related activity in connection with computers (count 4)” (DeFranco, 2014, p. 136). The legislation that applies to this situation is “The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. Section 1030], which makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss” (Computer crime laws, 2016, p. 7).
According to this act, the offender can be imprisoned for up to 20 years and can be made to pay a fine even if the action was not intentional but done recklessly. The CFAA prohibits individuals from accessing a computer without authorization, stealing financial data, committing computer fraud, creating and using code that can adversely affect a system, sharing passwords to influence commerce, and extortion (Legal Information Institute, 2016).
Trying to prove his client’s innocence, Duronio’s defense attorney, Chris Adams, hinted during the trial that another company could have caused the damage and suggested that the forensic team had made a mistake when assessing the situation. Of course, such claims did not allow Adams to prove the guilt of Cisco and @Stake Inc.; still, they had a particular influence on the situation. Adams wanted to plant doubts in the minds of the jury. His words lacked evidence and authority but made others consider such a possibility and distracted attention from Duronio.
In this way, the members of the jury would be likely to spend some time discussing the defense attorney’s words. As a result, Adams increased the chances that the jury would fail to reach a common decision, or would at least have more time to find and reveal mitigating factors to commute a sentence (Fulero & Wrightsman, 2008). He might also have wanted to prove that the evidence was planted and could not be used during the trial because the suspect had been set up.
Chris Adams was able to raise such an argument because of the inefficient forensic procedure. First of all, the expert witness whose testimony indicated that the suspect was guilty represented the company that was paid for conducting the forensic analysis, so the witness could have been biased (Easttom, 2014). In addition, the experts were former hackers, and Adams wanted to prove that they were not reliable. Moreover, there was an unknown fingerprint on the copy of the code, which means that someone could have put it in Duronio’s house. All computers were taken from the house before the forensic image was made, which gave the team an opportunity to put the code on the computer.
The fact that several people could use the same user ID and password to get into the system at the same time was a great disadvantage for the organization. It meant that while Duronio was logged onto the system, some other person could also log in under his name. In this way, the real criminal and the suspect could have carried out different operations at the same time without even knowing about each other. As a result, some other person could have created the code and executed the bomb.
The defense could have used this information to argue that Duronio was not the only suspect and that further investigation was needed. Moreover, Adams could have suggested that the security provider left the gap intentionally to have an opportunity to get into the system. It also meant that UBS did not have a well-formed IT security organization.
Because several people could use the same user ID and password at the same time, all employees could use the same root password, and they could edit a VPN log (given specialized tools), it was more difficult both to prove and to refute Duronio’s guilt during the trial proceedings. Gaps in security prevented the professionals from finding out whether one or several people used the account that belonged to the suspect.
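The attribution gap described above can be made visible by flagging every login that occurs while the same account already has an open session from a different source. The following is an added example, not code from the case or from UBS; the log format, account names, and addresses are constructed assumptions.

```python
from datetime import datetime

# Constructed sample VPN log. Assumed format: ISO time, account, source IP, event.
SAMPLE_LOG = """\
2024-01-15T08:55:00 jdoe 10.1.1.20 LOGIN
2024-01-15T09:00:00 svc_ops 10.1.1.5 LOGIN
2024-01-15T09:20:00 svc_ops 192.0.2.44 LOGIN
2024-01-15T09:25:00 jdoe 10.1.1.20 LOGOUT
2024-01-15T09:40:00 svc_ops 192.0.2.44 LOGOUT
2024-01-15T10:00:00 svc_ops 10.1.1.5 LOGOUT
2024-01-15T11:00:00 svc_ops 10.1.1.5 LOGIN
"""

def find_concurrent_sessions(log_text):
    """Return (account, existing_ip, new_ip, time) for each login made while
    the same account already has an open session from a different source."""
    open_sessions = {}  # account -> {source IP: login time}
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess their meaning
        ts, account, src, event = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp
        active = open_sessions.setdefault(account, {})
        if event == "LOGIN":
            # A session that was never closed stays open and keeps matching.
            for other_src in active:
                if other_src != src:
                    findings.append((account, other_src, src, when))
            active[src] = when
        elif event == "LOGOUT":
            active.pop(src, None)
    return findings

if __name__ == "__main__":
    for account, first, second, when in find_concurrent_sessions(SAMPLE_LOG):
        print(f"{when} {account}: login from {second} while {first} is active")
```

The result is only as trustworthy as the log itself: where users can edit the VPN log, as the essay notes, records need to be forwarded to a store those users cannot modify.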
The company considered productivity more vital than security and was not even willing to limit access. By claiming that the organization did not have enough resources and powers for decent security, Adams argued that the fault was not only his client’s and that the damage done to UBS could have been prevented. Moreover, the fact that the manager of UBS did not know much about the security reports and issues showed that the system was not operating properly.
If hired as an outside consultant, I would try to help UBS recover from the incident. I would recommend that the company prepare to deal with insider threats. To improve the situation, the staff should be educated about this threat (Newman & Sharma, 2016). Predictive analytics tools can be implemented to detect beforehand that something is going to happen.
A good password policy should be implemented, as the company currently has problems with it (Wall, 2015). It might be better to shift the focus from increased production to security. Log reports should be more detailed, and privileges should be limited to control employees’ influence on the system. Encrypted protocols can also secure remote access to the system. Finally, I would encourage the company to consider the human factor (Mims, 2016). UBS has already suffered from the actions of a dissatisfied employee, and there were preconditions for this. Thus, it would be beneficial to track employees’ actions and evaluate their satisfaction.
References
Computer crime laws. (2016). Web.
DeFranco, J. (2014). What every engineer should know about cyber security and digital forensics. Boca Raton, FL: CRC Press.
Easttom, C. (2014). System forensics, investigation, and response. Burlington, MA: Jones & Bartlett Learning.
Fulero, S., & Wrightsman, L. (2008). Forensic psychology. Belmont, CA: Cengage Learning.
Gaudin, S. (2006). UBS trial: Parts of attack code found at defendant’s home. Web.
Legal Information Institute. (2016). 18 U.S. Code § 1030.
Mims, C. (2016). How to improve cybersecurity? Just eliminate the human factor. Web.
Newman, N., & Sharma, R. (2016). How can you improve cyber security awareness in your organization? Web.
Wall, M. (2015). Six things firms should do to improve cybersecurity. Web.