The scene is a very large corporation with numerous mission-critical applications running on a variety of platforms. As with most large companies whose systems have evolved over the years, this organization has Unix, LANs, stand-alone PCs, and mainframes. Some of these systems are, not surprisingly, somewhat fragile in that they are old, as are the platforms on which they run. It is in this critical and sensitive, albeit fragile, environment that our case study begins.
As with most large organizations, our victim company is run, at least in part, by politics. That’s a reality managers at all levels in big business have learned to live with. However, it can be a mixed blessing. On one level, politics is the corporate version of Darwin’s survival of the fittest. On another level, it may promote deceit, back room dealing, and emphasis on survival of the individual instead of the good of the organization. Companies that have their politics under control flourish. Those that don’t either stagnate or perish. A study by a major management consulting firm reported in Fortune magazine that managers estimated they spend more than half their time politicking. Those in organizations reorganizing or downsizing spend as much as 80% of their time protecting their backs.
In the case of our example, the company had undergone and would undergo several reorganizations. Dissatisfaction within the labor force was running high. Management was focused on protecting itself, and the executive suites were working overtime to keep the company competitive and profitable. A relatively obscure system administrator decided to take steps to protect her job. Her steps nearly resulted in serious damage to a system that was among the company’s most critical.
Another system administrator returned to work after a weekend to find his system in need of clean-up. Over the weekend the Unix computer for which he was responsible had complained it was running out of disk space. This was nothing new — the administrator had seen it many times before and had developed a process for dealing with it. He simply went into the system logs, which routinely grew to epic size, and archived them. Next, he pruned them down to size and proceeded to reboot the computer. To his horror, the computer would not reboot.
The administrator got out the system disk, a CD, and booted the computer. He then examined the critical files and found several missing. Well, they were not exactly missing — they had been reduced to zero length. It was clear they had been deleted and “touched,” a technique which creates a zero-length file. He restored the damaged files from a backup and reported the incident.
Upon investigation, we were satisfied there was no reasonable explanation for the damage, except that someone had attacked the computer. At the client’s request, we began an investigation. We discovered there was some question as to whether what few logs existed had been altered. We performed numerous tests and concluded that there was little doubt that the damage to the files was intentional. We reported that fact to the client and were encouraged to find the culprit.
After several interviews and days of analyzing logs from every computer that might possibly have participated in the incident, we were able to recreate a minute-by-minute chronology of what probably occurred and what was the probable source of the damage. We reported our findings to the client, only to be met with disbelief and support for the administrator whom we believed had caused the damage. It was only a matter of hours before a full-scale cover-up was in progress.
Meanwhile, our suspect proceeded to shut down a system under her control ungracefully, resulting in the destruction of the file system. Over a period of several weeks, we reconstructed the events surrounding the incident several times, only to be met by resistance from all quarters, including corporate security, who denied that an incident had ever occurred. The party line, it appeared, would be that there was never an incident and that the lost files were due to an aging computer that often failed. Why? In the course of our investigation we learned the following:
• The system was unique — a one-of-a-kind application built by a contractor who had a good relationship with the department for which it was built. It was so good, in fact, that the company was considering standardizing on the application and porting it to a more robust platform, certainly a boon for a consultant in individual practice.
• The suspect was known to her management to be a bit of a “loose cannon.” However, her supervisor had never taken any action to bring her in line with best practices and the professional expectations of her position. This, of course, placed her supervisor in a bit of a bad light at a politically inopportune time.
• The group using the application was known to be very “independent.”
• Reorganization was a pending threat to all involved.
• The suspect had believed for a long time that the administrator of the victim machine was not competent to administer the system.
• The suspect had a history of “tinkering” with online production systems.
• The suspect had accessed all involved systems at about the time the damage occurred; the victim administrator was out of the state at the time.
• User IDs, with superuser rights not legitimately assigned to the victim machine, were present in the victim’s password file. These turned out, by her own admission, to have been created by the suspect, both on the victim computer and on several others.
In the face of this seemingly damning evidence, the client passed the whole incident off as a failing computer, quashed our findings, and terminated the investigation. Why? What could have been done to carry the investigation to its proper conclusion? Could we have ever achieved positive results in this environment? The answer to the last question is, sadly, “no.”
When this type of cover-up occurs, is there anything you can do to make “lemonade out of a lemon”? There is, and in this case we did. We were able to get the client to admit that, whether or not the incident had occurred, for a great many technical and administrative reasons, it could have. Thus, there was good reason to shore up the system’s somewhat weak security so that such an incident could not occur in the future. We were able to turn the whole fiasco into a good example of “lessons learned.” While our egos may have been bruised, the client, in the long run, benefited. Today, that system has been rebuilt on a more robust platform and is a model for applications of its type.
Let’s follow this incident and examine our own set of “lessons learned.”
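Two of the technical indicators in this case, critical files reduced to zero length and superuser IDs in the password file that nobody legitimately assigned, lend themselves to a routine check. The script below is an added example, not part of the original text; the function names, the allowlist of expected superuser accounts, and the file paths in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: two integrity checks based on the indicators in the case study.
# Function names, the allowlist and the paths shown are illustrative assumptions.

# Print every account in a passwd-format file whose UID is 0 and whose name
# is not on the allowlist (a space-separated list of expected names).
unexpected_uid0() {
    passwd_file=$1
    allowed=$2
    awk -F: -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        /^#/ || NF < 3 { next }             # skip comments and unusable lines
        $3 ~ /^0+$/ && !($1 in ok) { print $1 }
    ' "$passwd_file"
}

# For each named file, report it if it is missing or exists with zero length.
# A deleted-and-touched file shows up as EMPTY rather than MISSING.
critical_file_status() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif [ -f "$f" ] && [ ! -s "$f" ]; then
            printf 'EMPTY %s\n' "$f"
        fi
    done
}

# Typical use (paths are assumptions; adjust to the system's own critical files):
#   unexpected_uid0 /etc/passwd "root"
#   critical_file_status /etc/passwd /etc/group /etc/inittab
```

Run from read-only or boot media during an investigation, the same checks avoid relying on binaries and logs on the suspect system.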