[ISN] County security chief under fire

From: InfoSec News (isnat_private)
Date: Thu Apr 03 2003 - 22:52:17 PST

  • Next message: InfoSec News: "[ISN] Wireless Security Steps Up at West Point, Home"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.siliconvalley.com/mld/siliconvalley/5547846.htm
    
    By Karen de Sá
    Mercury News
    April 03, 2003
    
    Peter Ekanem, Santa Clara County's top information security officer, 
    is facing possible criminal charges for unauthorized use of his office 
    computer and cell phone, actions that amount to security breaches.
    
    Ekanem, who is under investigation by the district attorney's office, 
    was placed on paid administrative leave Feb. 3, leaving the county 
    without its top expert on protecting computer systems from intruders 
    while the nation is on heightened alert against terrorism.
    
    Among other actions that violate some of the very policies he wrote, a 
    search warrant says Ekanem e-mailed internal documents to a former 
    county employee in Africa.
    
    Assistant District Attorney Karyn Sinunu said a decision about whether 
    to file charges will be made ``shortly.'' A separate administrative 
    review also is concluding, which may result in Ekanem's termination, 
    county officials said.
    
    Ekanem's absence has set back the rollout of the security policy he 
    developed, said Chief Information Officer Satish Ajmani. But Ajmani 
    added that the ``guiding principles'' he wrote have not changed, and 
    an outside contractor is now implementing the plan.
    
    Ekanem said he could not discuss his situation.
    
    His co-workers in the information services department first raised the 
    alarm in an internal review that ``uncovered evidence of a potential 
    compromise of county information security,'' the affidavit states.
    
    Ekanem has reportedly engaged in long personal calls during work hours 
    and pursued a master's degree on county time without employer 
    authorization. Ekanem -- one of only two people in the county to 
    possess a written report of every weakness and vulnerability within 
    county computer networks -- listed his county cell phone number as his 
    contact for a property he rents in Richmond, a fact an Internet search 
    quickly revealed.
    
    In his own security policy, Ekanem wrote that employees should expect 
    their e-mail to be monitored and that the county specifically forbids 
    use of the network ``for personal profit or running a business.''
    
    Ekanem, who is 44 and earns $106,000, also is charged with sending 
    internal county documents by e-mail to a former colleague in Ghana, 
    who picked them up at an Internet cafe. The documents he released by 
    e-mail are not believed to have jeopardized the county's security, but 
    the fact that they were sent out of the county, by the official in 
    charge of information security, prompted the inquiry.
    
    In his 18-month tenure, Ekanem wrote the county's information 
    technology security policy, which set up a security system to protect 
    the confidentiality of personal information about taxpayers, such as 
    Social Security numbers, medical records, birth and death 
    certificates. The 245-member department he works for supports all the 
    county's computer networks, including data kept by the hospital, law 
    enforcement and social services.
    
    
    Where trouble began
    
    Problems first arose early this year, when Ekanem's co-workers alerted 
    administrators in the information services department that he appeared 
    to be spending an excessive amount of time on personal calls. That led 
    to a review of Ekanem's cell phone bill and his e-mail correspondence, 
    which raised more alarms.
    
    County officials remain tight-lipped about the case, citing employee 
    confidentiality. But they did release a copy of one document Ekanem is 
    said to have e-mailed to a former information services department 
    employee, Kwaku Nsiah, while Nsiah was in Ghana earlier this year.
    
    The two men are believed to have exchanged a series of e-mails, 
    including discussions about the county's disaster preparedness and 
    recovery plan.
    
    Nsiah, a former senior information technology project manager, was 
    fired for incompetence in May during his probationary period. One of 
    the documents Ekanem later sent him was a highly technical report from 
    KPMG Consulting, laying out how it would structure the county's 
    e-government service, if awarded a contract.
    
    
    One expert's view
    
    It is rare to have a security officer lose his post for a violation of 
    information system rules, said Kevin Dickey, chief information 
    security officer for Contra Costa County, and an adviser to the state 
    on security issues. Dickey, whose last job was to secure the state 
    lottery, said he has ``no knowledge of a security person in my line of 
    work that was suspect.''
    
    ``Simply put, the guy should have known better,'' he said. ``Security 
    is accountability, integrity and confidentiality, so if your job is to 
    secure those things for your organization and you compromise it -- 
    well shame on you.''
    
    Dean Hipwell, an information security consultant and professor of 
    computer science at National University, said he found Ekanem's case 
    ``surprising.''
    
    ``There are a couple of cases where a network administrator was fired 
    by their organization and, of course, contractors are notorious for 
    not observing the rules,'' he said. ``But I still cannot recall a 
    security officer being placed on administrative leave.''
    
    In August 2001, a Sutter County network administrator for the 
    department of information technology was arrested on charges of grand 
    theft and using a computer with the intent to defraud. The man later 
    pleaded guilty to the charges, said the Sacramento Valley High-Tech 
    Crimes Task Force.
    
    Finding a new security officer is a top priority for the information 
    services department, but filling the post will not be easy in these 
    times of budget cuts and a countywide hiring freeze.
    
    Ekanem was praised as highly qualified when he was hired. He received 
    special thanks in March 2002 from the California County Information 
    Services Directors Association for his participation in a ``Best 
    Practices'' information security forum.
    
    The forum was held to shore up county information systems, including 
    telecommunications, networks and facilities, ``in light of the 
    horrific events of Sept. 11, 2001'' and threats from terrorists and 
    foreign and domestic Internet attacks.
    
    Part of the policy to which Ekanem contributed includes this piece of 
    advice: ``Protect people as well as data. Don't forget that people can 
    make or break a policy.''
     
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 01:31:18 PST