County security chief under fire

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

http://www.siliconvalley.com/mld/siliconvalley/5547846.htm

By Karen de Sá
Mercury News
April 03, 2003

Peter Ekanem, Santa Clara County's top information security officer, 
is facing possible criminal charges for unauthorized use of his office 
computer and cell phone, actions that amount to security breaches.

Ekanem, who is under investigation by the district attorney's office, 
was placed on paid administrative leave Feb. 3, leaving the county 
without its top expert on protecting computer systems from intruders 
while the nation is on heightened alert against terrorism.

Among other actions that violate some of the very policies he wrote, a 
search warrant says Ekanem e-mailed internal documents to a former 
county employee in Africa.

Assistant District Attorney Karyn Sinunu said a decision about whether 
to file charges will be made ``shortly.'' A separate administrative 
review also is concluding, which may result in Ekanem's termination, 
county officials said.

Ekanem's absence has set back the rollout of the security policy he 
developed, said Chief Information Officer Satish Ajmani. But Ajmani 
added that the ``guiding principles'' he wrote have not changed, and 
an outside contractor is now implementing the plan.

Ekanem said he could not discuss his situation.

His co-workers in the information services department first raised the 
alarm in an internal review that ``uncovered evidence of a potential 
compromise of county information security,'' the affidavit states.

Ekanem has reportedly engaged in long personal calls during work hours 
and pursued a master's degree on county time without employer 
authorization. Ekanem -- one of only two people in the county to 
possess a written report of every weakness and vulnerability within 
county computer networks -- listed his county cell phone number as his 
contact for a property he rents in Richmond, a fact an Internet search 
quickly revealed.

In his own security policy, Ekanem wrote that employees should expect 
their e-mail to be monitored and that the county specifically forbids 
use of the network ``for personal profit or running a business.''

Ekanem, who is 44 and earns $106,000, also is charged with sending 
internal county documents by e-mail to a former colleague in Ghana, 
who picked them up at an Internet cafe. The documents he released by 
e-mail are not believed to have jeopardized the county's security, but 
the fact that they were sent out of the county, by the official in 
charge of information security, prompted the inquiry.

In his 18-month tenure, Ekanem wrote the county's information 
technology security policy, which set up a security system to protect 
the confidentiality of personal information about taxpayers, such as 
Social Security numbers, medical records, birth and death 
certificates. The 245-member department he works for supports all the 
county's computer networks, including data kept by the hospital, law 
enforcement and social services.


Where trouble began

Problems first arose early this year, when Ekanem's co-workers alerted 
administrators in the information services department that he appeared 
to be spending an excessive amount of time on personal calls. That led 
to a review of Ekanem's cell phone bill and his e-mail correspondence, 
which raised more alarms.

County officials remain tight-lipped about the case, citing employee 
confidentiality. But they did release a copy of one document Ekanem is 
said to have e-mailed to a former information services department 
employee, Kwaku Nsiah, while Nsiah was in Ghana earlier this year.

The two men are believed to have exchanged a series of e-mails, 
including discussions about the county's disaster preparedness and 
recovery plan.

Nsiah, a former senior information technology project manager, was 
fired for incompetence in May during his probationary period. One of 
the documents Ekanem later sent him was a highly technical report from 
KPMG Consulting, laying out how it would structure the county's 
e-government service, if awarded a contract.


One expert's view

It is rare to have a security officer lose his post for a violation of 
information system rules, said Kevin Dickey, chief information 
security officer for Contra Costa County, and an adviser to the state 
on security issues. Dickey, whose last job was to secure the state 
lottery, said he has ``no knowledge of a security person in my line of 
work that was suspect.''

``Simply put, the guy should have known better,'' he said. ``Security 
is accountability, integrity and confidentiality, so if your job is to 
secure those things for your organization and you compromise it -- 
well shame on you.''

Dean Hipwell, an information security consultant and professor of 
computer science at National University, said he found Ekanem's case 
``surprising.''

``There are a couple of cases where a network administrator was fired 
by their organization and, of course, contractors are notorious for 
not observing the rules,'' he said. ``But I still cannot recall a 
security officer being placed on administrative leave.''

In August 2001, a Sutter County network administrator for the 
department of information technology was arrested on charges of grand 
theft and using a computer with the intent to defraud. The man later 
pleaded guilty to the charges, said the Sacramento Valley High-Tech 
Crimes Task Force.

Finding a new security officer is a top priority for the information 
services department, but filling the post will not be easy in these 
times of budget cuts and a countywide hiring freeze.

Ekanem was praised as highly qualified when he was hired. He received 
special thanks in March 2002 from the California County Information 
Services Directors Association for his participation in a ``Best 
Practices'' information security forum.

The forum was held to shore up county information systems, including 
telecommunications, networks and facilities, ``in light of the 
horrific events of Sept. 11, 2001'' and threats from terrorists and 
foreign and domestic Internet attacks.

Part of the policy to which Ekanem contributed includes this piece of 
advice: ``Protect people as well as data. Don't forget that people can 
make or break a policy.''
 


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.