Last week, a NY Police Sergeant admitted he made unauthorized accesses to the FBI’s National Crime Information Center database in December 2007.
Sergeant Haytham Khalil obtained records for an acquaintance embroiled in a custody dispute. He was charged with a misdemeanor of “accessing a computer and as a result exceeding his authority by obtaining information belonging to a department and agency of the United States.” Sentencing, scheduled for April 14th, could result in a $100,000 fine and one year of supervised probation.
Sergeant Khalil used the account credentials of another officer who did have the appropriate access privileges. That officer left his credentials available for any of his co-workers to use for accessing the National Crime Information Center database when he wasn’t around. Obviously, the privacy of the individual whose records were pulled was violated.
The biggest problem with this scenario isn’t the Sergeant, although his actions were well outside the code of conduct when he reviewed the records. No, the biggest problem is the fellow officer’s equivalent of taping his password to the monitor, and the expectation among co-workers within the department that sharing credentials is normal operating procedure. This type of user name/password sharing essentially amounts to Role Based Access Control (RBAC): every user who needs access to the system uses the same credentials. Any time a system utilizes RBAC, administrators lose a great deal of accountability. Was it officer A or B, the guy we promoted six months ago, or the one we fired a year ago? Hopefully you see the problem.
By assigning specific rights to individual users, and limiting the overlap and assignment of those rights (resulting in essentially two-person controls), the system cannot be gamed in this way. Individual users are then responsible for their own actions. There is no finger pointing, no reviewing the video tapes, etc. Policy should then dictate disciplinary action or even dismissal for sharing credentials. One step further is some form of biometric access control, which should make compliance easier for the end user. Further still are RFID badges, where you may either log in or leave the building. These measures don’t completely eliminate a user logging in and then letting someone else sit at the controls, but they certainly make it harder.
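As an added example (not from the original post), here is a small Python audit-log check that recovers some of the accountability lost to shared credentials: it flags one account being used from two different workstations within minutes of each other, and queries made under an account outside its owner’s rostered shift. The log schema, duty roster, workstation and account names are all constructed for illustration and are not the real NCIC log format.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical, simplified schema; not the
# real NCIC log format): (timestamp, account, workstation, query).
AUDIT_LOG = [
    ("2007-12-03 09:02", "officer_a", "WS-12", "plate:ABC123"),
    ("2007-12-03 09:05", "officer_a", "WS-12", "name:DOE,JOHN"),
    ("2007-12-03 09:06", "officer_a", "WS-07", "name:SMITH,JANE"),
    ("2007-12-03 09:40", "officer_b", "WS-03", "plate:XYZ789"),
    ("2007-12-03 22:15", "officer_a", "WS-12", "plate:LMN456"),
]

# Hypothetical duty roster: account -> (shift start hour, shift end hour).
ROSTER = {"officer_a": (8, 16), "officer_b": (8, 16)}


def _parse(rec):
    ts, account, ws, query = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), account, ws, query


def concurrent_workstations(records, window_minutes=15):
    """Flag an account used from two different workstations within the window.
    One person is not at two desks at once, so this suggests shared credentials.
    Returns (account, previous_workstation, new_workstation, time) tuples."""
    window = timedelta(minutes=window_minutes)
    last_seen = {}  # account -> (timestamp, workstation) of its latest query
    findings = []
    for ts, account, ws, query in sorted(map(_parse, records)):
        if account in last_seen:
            prev_ts, prev_ws = last_seen[account]
            if prev_ws != ws and ts - prev_ts <= window:
                findings.append((account, prev_ws, ws, ts.strftime("%H:%M")))
        last_seen[account] = (ts, ws)
    return findings


def off_shift_queries(records, roster):
    """Flag queries made under an account outside its owner's rostered shift."""
    findings = []
    for ts, account, ws, query in map(_parse, records):
        start, end = roster.get(account, (0, 24))
        if not (start <= ts.hour < end):
            findings.append((account, ws, ts.strftime("%Y-%m-%d %H:%M"), query))
    return findings


if __name__ == "__main__":
    for f in concurrent_workstations(AUDIT_LOG):
        print("possible credential sharing:", f)
    for f in off_shift_queries(AUDIT_LOG, ROSTER):
        print("off-shift query:", f)
```

Neither heuristic proves who was at the keyboard; they only surface the cases a supervisor should review, which is exactly what a shared account otherwise makes impossible.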