Cavirin Blog

Last night I had the pleasure to attend a panel hosted by the EC Council on insider threats.  Panelists included the CISO from San Francisco, the VP of Systems from Macy’s, and most interestingly, Eric Snowden’s former boss at Booz Allen Hamilton.   All three were covering various aspects of the STRIDE model.   For example, the crisis that SF ran into about 8 years back, where a single employee held the city network hostage by collecting router passwords, was a combination of disclosure and elevation.   It took the mayor, at the time, to diffuse the situation.

The NSA suffered the same, with Snowden, in the first week of his new assignment in Hawaii, requesting passwords from colleagues and spending off hours on-site.   More damaging, it is rumored but not confirmed that his credentials from his former IT role were not revoked.   This, married up with his new access to higher levels of classification, created an opportunity.    And it is never a single issue.   His CIA HR records, if shared with the NSA, which they were not at the time, would have raised additional flags, and at the time, employees were not subject to daily exit searches, providing him with the opportunity to exit with his USB dongles.

Left to Right - 

Steven Bay, former boss of Eric Snowden

Joe Voje, CISO, City of San Francisco

Brian Phillips, VP, Macy’s Systems and Technology

And, Macy’s was the first to admit that their procedures in place to address insider capture of PCI data were not up to snuff.   They are now, and just recently the company has taken a very aggressive approach on limiting data access as part of their announced store closures, since there is an interim period where employees have been notified but are still employed.

Net-net, the last decade has been a learning experience, across both commercial and government, but with increased focus, awareness, and sharing of best practices, we’re making progress.


Most people find stories like the Uber snooping lawsuit pretty unsettling.  If you heard nothing of this but the accusation of Uber's use of "God View" as explained in a recent series of articles by Forbes , it is important to know that Uber collected customer and employee information, and used that information in a manner that was well outside of reasonable use by the standards of California Privacy Legislation.

“Exhibit A contains customer data collected by Defendant and constitutes Defendant’s confidential, proprietary, and private information about its users — the very existence, content, and form of which are of extreme competitive sensitivity to Defendant in that they demonstrate what data Defendant considers important enough to capture, how that data is stored and organized, and could, individually or in the aggregate, provide Defendant’s competitors with insights into how Defendant views, analyzes and executes certain aspects of its business,” Uber wrote in a court filing.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.



5201 Great America Pkwy Suite 419  Santa Clara, CA 95054

- 1-408-200-3544

Cavirin US Location