I was intrigued by a January 18th Computerworld article about rogue IT workers titled “Security Fail: When Trusted IT People Go Bad.”
While we all hope that our trusted employees don’t do anything malicious, and most of the time they don’t, when they do it can be costly and devastating. The article goes through some very interesting cases that, unfortunately, are unlikely to be isolated incidents unique to the companies involved.
The first highlights a PA retailer alerted by the Business Software Alliance (BSA) that Microsoft had uncovered a licensing issue. They discovered over a half million in pirated software, purchased from a company secretly run by a “trusted” IT administrator. Wait, it gets better. They also found an internet porn site that this admin was running on company servers, as well as an Excel spreadsheet on his workstation containing hundreds of valid credit card numbers harvested from the company’s e-commerce site.
When senior management moved to confront him, they realized that he alone held the critical administrative passwords. Fearing what he might do, they arranged for him to take a fabricated trip to the west coast. During the 5+ hour flight, when they knew he was in the air and unable to reach the systems, they went around changing all the administrative passwords. He was greeted upon arrival by the COO, who terminated him on the spot.
Another story tells the tale of an IT employee at a Fortune 500 company described as one of the organization’s “most trusted and capable IT workers.” Doesn’t this already bring to mind those news stories where they interview neighbors of some serial criminal, only to hear them describe the psycho as a nice, quiet individual who never bothered anyone?
As a key go-to IT person, she had amassed a significant number of privileged accounts. When the company decided to outsource IT operations to India, she was angry and decided to seek revenge by planting a series of logic bombs across a full set of production and redundant servers. Way to leave on a high note.
The final case is about a Fortune 100 company that found a “trusted” 8+ year IT staffer had added a page to the company’s web site to sell pirated satellite TV equipment. When he caught wind that it had been uncovered and he was to be fired, he used his privileged credentials to delete the corporate encryption key ring, the company’s only means of decrypting critical information. Anything employees had encrypted over the years became instantly indecipherable and unusable.
The article states, “Threats from privilege-laden IT employees are especially hard to detect.” But they don’t necessarily have to be. The article offers some advice on preventing such incidents, including background checks and being better prepared when terminating employees. While these are important, they don’t go far enough.
We’ll continue to get into trouble if we keep using the same day-to-day practices we’ve always employed around managing privileged access. The logic tends to be that only a small percentage of employees have such access, so there is less risk. In practice, these privileged accounts are often among the most loosely controlled, as we saw in the cases above.
Instead, organizations have to look carefully at a comprehensive Access Assurance strategy focused on ensuring that the right users have the right access to the right resources and are doing the right things with it. The “right users” include our “trusted” administrative users, who by the nature of their day to day functions hold some of the highest level privileges in our organization.
Organizations should carefully consider access assurance solutions that also include privileged account management (PAM). PAM requires administrators to “check out” privileged credentials, so the organization can track which individuals have access to these credentials and who is using them at any moment. Upon check-in, the password is automatically changed, immediately and without human effort (no need, as with that retailer, to put an admin on a cross-country flight while the passwords are rotated). Moreover, these solutions record exactly what administrators did with the credential, so rogue activity can be identified quickly and tied back to a specific individual rather than to a shared account.
This all feeds into a full access assurance strategy. Organizations need to define the policy around what privileged users should be able to access. They need to assess the risk that comes with each credential, especially those guarding highly sensitive data or, as in the key ring case, the means to decrypt it. They need to enforce the access policy so that only the right people use these credentials. And they need to verify that the policy is being followed and identify suspicious activity.
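The check-out/check-in cycle, the rotate-on-return step, and the define/assess/enforce/verify loop described above, as an added worked example that is not part of the original article or of any particular PAM product. It models a small credential vault in Python: a policy maps each privileged credential to the users allowed to hold it (enforce), every check-out and denial is recorded (verify), the password is rotated on every check-in and on a bulk emergency rotation, and a `suspicious()` pass flags denials, after-hours check-outs and credentials held too long. The credential names, user names, business hours and four-hour hold limit are assumptions made up for the illustration; a real deployment would push the rotated password to the target system instead of only storing it.

```python
"""Minimal model of a privileged-account-management (PAM) credential vault.

Administrators check out a privileged credential, use it, and check it back in;
the vault rotates the password on every check-in and records who held it when.
Added illustration only; names and thresholds below are constructed assumptions.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length=32):
    """Random password from the CSPRNG; `secrets`, never `random`, for credentials."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CredentialVault:
    """policy: credential name -> set of users permitted to check it out (the 'define' step)."""

    def __init__(self, policy, business_hours=(8, 18), max_checkout=timedelta(hours=4)):
        self.policy = {cred: set(users) for cred, users in policy.items()}
        self.passwords = {cred: generate_password() for cred in self.policy}
        self.checked_out = {}   # credential -> (user, checkout time)
        self.audit = []         # (time, user, credential, event, detail)
        self.business_hours = business_hours  # assumed local working hours, 24h clock
        self.max_checkout = max_checkout      # assumed longest legitimate hold

    def _log(self, now, user, cred, event, detail=""):
        self.audit.append((now, user, cred, event, detail))

    def checkout(self, user, cred, now, reason):
        """Enforce: hand the current password only to a user the policy names."""
        if user not in self.policy.get(cred, set()):
            self._log(now, user, cred, "DENIED", reason)
            raise PermissionError(f"{user} is not authorized for {cred}")
        if cred in self.checked_out:
            holder, _ = self.checked_out[cred]
            raise RuntimeError(f"{cred} is already checked out by {holder}")
        self.checked_out[cred] = (user, now)
        self._log(now, user, cred, "CHECKOUT", reason)
        return self.passwords[cred]

    def checkin(self, user, cred, now):
        """Return the credential; rotation makes the password the user saw useless."""
        holder, since = self.checked_out.get(cred, (None, None))
        if holder != user:
            raise RuntimeError(f"{cred} is not checked out by {user}")
        del self.checked_out[cred]
        self.passwords[cred] = generate_password()  # real PAM: push to the target system too
        self._log(now, user, cred, "CHECKIN", f"held {now - since}")

    def rotate_all(self, now, actor):
        """Emergency rotation of every credential: the 'admin is on a plane' step in seconds."""
        for cred in self.passwords:
            self.passwords[cred] = generate_password()
            self._log(now, actor, cred, "ROTATE", "bulk rotation")

    def suspicious(self, now):
        """Verify: surface audit events that deserve a human look."""
        findings = []
        start, end = self.business_hours
        for t, user, cred, event, detail in self.audit:
            if event == "DENIED":
                findings.append(f"{t:%Y-%m-%d %H:%M} {user} denied {cred}: {detail}")
            elif event == "CHECKOUT" and not (start <= t.hour < end):
                findings.append(f"{t:%Y-%m-%d %H:%M} {user} checked out {cred} after hours")
        for cred, (user, since) in self.checked_out.items():
            if now - since > self.max_checkout:
                findings.append(f"{user} has held {cred} for {now - since}")
        return findings


def demo():
    """Constructed scenario: one clean cycle, one policy violation, one odd check-out."""
    policy = {"prod-db-root": {"alice", "bob"}, "pki-keyring": {"alice"}}  # assumed
    vault = CredentialVault(policy)
    t0 = datetime(2011, 1, 20, 10, 0, tzinfo=timezone.utc)
    pw = vault.checkout("alice", "prod-db-root", t0, "apply patches")
    vault.checkin("alice", "prod-db-root", t0 + timedelta(minutes=30))
    assert vault.passwords["prod-db-root"] != pw      # the password alice saw is dead
    try:
        vault.checkout("bob", "pki-keyring", t0, "need the keys")
    except PermissionError:
        pass                                          # denial is logged, not silently dropped
    vault.checkout("bob", "prod-db-root", t0.replace(hour=2), "late maintenance")
    return vault.suspicious(t0 + timedelta(hours=9))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is that no administrator ever owns a password: they borrow it, the loan is recorded, and the secret they borrowed stops working as soon as they hand it back. The `rotate_all()` call is the control the retailer lacked; with a vault in place the response to a suspected rogue admin is a single action, not a fabricated business trip.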
How many times do we have to hear about “keys to the kingdom” and the trouble it gets companies into? When implementing an access assurance strategy, it’s important to understand the risk associated with privileged access. It’s like I tell my kids. I trust you, but it doesn’t mean I’m not going to be checking on you. The same holds true with our employees.
Let’s stop handing out keys to the kingdom. Or, if we do, at least let us set up some controls on who is using the keys and what they’re doing after they’ve crossed over the moat.