Interview: The FBI's CIO

Zalmai Azmi on the agency's tech modernisation plans

By Anne Broache, 17 July 2006 11:05

What made the FBI decide on Lockheed Martin as the primary contractor in March? Will there be other companies working on Sentinel as well?

Azmi: The contract was completed under the National Institutes of Health's [procedure]. There were a number of vendors that actually bid on this, and Lockheed was the one that was selected based on their proposal and their strategy for developing this program. Lockheed has a number of [subcontractors] under it. About 10 primary subs are working with Lockheed to support Lockheed in this endeavor. [Some of them are Accenture, Computer Sciences Corp., and CACI.]

The Washington Post recently reported that a former contractor broke into secret FBI systems without proper authorisation. The contractor that broke in, working from a field office in Virginia, apparently took advantage of an antiquated security mechanism (/etc/passwd files in cleartext) that the private sector abandoned a decade ago. Why was the FBI so behind? Do you plan changes in security with Sentinel?

Azmi: It's two different issues - first of all, let me clarify that the individual who had access to our networks was a privilege that was granted to him because he was part of our system administrative staff when he was deploying Trilogy. So he already had access to the system, took advantage of those privileges, so that's how he was caught.

Sentinel is actually an application that has its own security mechanism, which is different and actually does not even relate to the case in Springfield at all, because we manage passwords and security in Sentinel much different than what happened in Springfield. Springfield was [about] access to the network, and Sentinel is access to an application, two different things.

Statements were made that this guy cracked the passwords and that's how he gained access to the network. That's not true. He had the privilege already to the network, and he abused that privilege and that's how he was caught.

We knew of the vulnerability, and we also are protecting our password files, but the fact that this guy had the administrative rights to our system, that's what made it vulnerable, and that's why we call it insider threats. It's very difficult to defend against that. It's almost like you shouldn't give anybody administrative rights, but who's going to manage the system? So there's a balance you always have to reach.
