Marc Hudavert, ActivIdentity: IT administrators go ‘rogue’, minimising the threat from inside
Tough times for the economy often mean that businesses need to look at reducing costs. Typically, a company’s largest overhead will be its staff, but IT managers may want to think twice before shrinking headcount in their department. A recent survey by Cyber-Ark highlighted that 88 per cent of IT administrators would steal passwords and valuable data from the network if they unexpectedly lost their jobs. This statistic, as concerning as it seems, doesn’t even touch upon the problem of those left behind, simmering in discontent at the sudden increase in workload for no extra pay. What power is being left in the hands of people who could potentially use their knowledge and expertise to wreak havoc on your network?
The city of San Francisco recently experienced the effect of this power at first hand when disgruntled system administrator Terry Childs held the city’s network to ransom by harvesting lists of colleagues’ usernames and passwords; attaching devices to the network that would enable illegal remote access; and creating a super password that gave him exclusive access rights to the IT system which he refused to surrender to police.
With much of the local government email traffic, payroll systems and police department communication conducted over this network, Childs was well aware of the level of control he could wield over his superiors with this kind of information at his fingertips. Not only was it likely to cost the city – and taxpayer - millions of dollars to repair the vulnerabilities in the network, his bosses’ embarrassment was deepening with every minute this sensitive data was being exposed. So what can companies do to protect themselves from a potential Terry Childs situation? The key is to remember some basic principles that should underpin good working practices at any point in time, and to ensure that the appropriate technology is in place to help maintain the necessary equilibrium between access and control.
Segregation of duty: One of the key recommendations of Sarbanes-Oxley legislation, and a sensible principle for a company of any size or status, is the concept of segregation of duty. Ensuring that no single individual has control over two or more phases of a transaction or operation is a simple method to safeguard against workers undertaking processes from start to finish without being subjected to an internal audit procedure. Unfortunately, however, the strength of this rule begins to wear down as departmental headcount reduces; fewer bodies are available for the checks to pass through and more responsibilities are loaded onto individual people. This is when IT managers need to be able to deal with administrative tasks as well as managerial responsibilities. Rather than adopting a hands-off management approach, they need to educate themselves as to the minutiae of the tasks and responsibilities of administrators so in the event of absence, sickness or redundancy, the manager isn’t left in the lurch and has the knowledge and understanding to step into the role when required.
Role-based access: In addition to segregation of duty, it’s important to work to the principle of least privilege. Each individual should only be awarded a level of network access that is essential for them to do their job. These access rights and privileges can be most effectively managed through a centralised system which grants staff access to both buildings and systems, facilitated by the use of smart card technology.
Smart card technology works on the principle of two factor authentication, requiring a form factor (something you have) with something you know (a password or pin number). This means that even if an employee leaves the company without surrendering the physical card, building and system access rights can be instantly revoked, rendering the password – and thus the smart card – invalid. Password management: The use of one-time passwords (OTPs) can help protect the validity of passwords in the authentication process. Ensuring critical passwords are automated to change after each use (as opposed to static passwords) significantly diminishes the risk of rogue administrators harvesting individual log-ins for unauthorised remote access, or using the data to block all users from the network. By removing the constant need to update, change and respond to forgotten password queries, the use of OTPs also reduces the administrative burden on the IT department. Any solution that minimises the stress and workload of the overstretched IT administrator definitely has to be welcomed.
Hardware: Conduct regular audits of all devices supplied to staff during a period of employment, ensuring no unauthorised equipment is attached to the network or removed from the building without permission. Siphoning data from the system to be stored elsewhere is often one of the first signs that an administrator is planning to operate below the radar.
Taming the rogue: Of course, it’s not 100 per cent possible to safeguard completely against the wrath of the IT administrator scorned. A clever individual with highly tuned technical abilities and a resentful nature will always find a way to get round the system. However, with the right operational policies and effective management technologies in place, there’s no reason why an equally clever IT manager can’t make it that bit more difficult for the rogues to try.