How do you keep your sys admins from stealing company secrets?

Administrators of your network resources are valuable assets, assets that keep services flowing to your business users. But proper oversight of these critical employees, and their network rights and permissions, is an important part of security management.

-------------------------------------------------------------------------------------------------------------------

The infamous seizure of a California city government’s network by its own administrator this summer naturally resulted in a plethora of “I told you so’s,” “our solution will help,” and various renditions of “the sky is falling.” Like many other security professionals, I was concerned that the same thing could happen at most public and private organizations, including, possibly, the one that signs my paycheck.

When these events happen, it’s important to put them in perspective. For example, what is the risk of IT personnel doing the “wrong thing” when terminated, angered, or just bored? I was surprised by one possible answer to this question, provided in the form of survey results from Cyber-Ark.

A staggering 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant. The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords. The research also revealed that, of that 88 percent, a third would take the privilege password list to gain access to valuable documents such as financial reports, accounts, salaries and other privileged information.

[…]

The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people’s personal e-mails.

Source: Most IT staff would steal company secrets: survey, Computerworld, 28 August 2008

Even if these numbers don’t accurately reflect the attitudes of IT professionals worldwide, business and security managers need to take a closer look at how network administrators are managed, simply because it’s the right thing to do.

The following are some thoughts I have on practices that limit IT personnel’s access to network resources:

  1. In the spirit of least privilege, restrict network administrators to only those resources they actually manage. For example, many organizations divide network admin tasks among two or more teams. A help desk might manage account creation and group memberships. A LAN/WAN team might implement and control switches, routers, etc. Server engineers may only be responsible for keeping servers running and optimized. No one in any of these groups needs complete access to all network resources. Design access controls to limit resource use to only what is absolutely necessary to perform job tasks. As with other sensitive company resources, segregation of duties applies.
  2. It’s a fallacy that everyone in IS, or at least every techie, needs to know the domain administrator passwords or be a member of every domain admin group. Each admin access request must be vetted to ensure the access is needed for one or more daily tasks. Access to the enterprise domain admin account (for example, the Administrator account at the root of an Active Directory forest) should be tightly controlled. Even administrators granted access to these all-powerful accounts should have to “check them out” when needed, with each check-out logged. A password repository, like eDMZ’s Password Auto Repository, can help. More than one key person should be able to configure and manage the repository, and logging and alerting should make it difficult, if not impossible, to make repository changes without at least two people knowing about them. Remember that the repository becomes the single most valuable target on the network, so its own administrative access and audit trail deserve the same scrutiny as the accounts it protects. Finally, some repository solutions can be configured to change critical passwords automatically each time they are checked out, so a password an administrator has seen is useless once the session ends.
  3. Daily checks of additions to admin-level groups should be performed by security or other analysts responsible for access control oversight. For example, we have a script that runs each night and compares an authorized list of admin accounts against the members of AD admin groups. If a user account is found in an admin-level group but isn’t on the authorized list, it is removed from the group and an email is sent to security. We occasionally find that one of our users with administrator access “forgot” to follow the process for adding an account. Two caveats: check nested groups as well as direct members, and keep the authorized list itself under change control, since anyone who can edit it can authorize themselves.
  4. Every administrative activity on the network, and I mean every activity, should be logged. Logging isn’t only a way to identify intruders; it’s also a good way to validate that IT personnel are following policy-guided processes. Forward the logs to a system that the administrators being monitored cannot alter, or the record proves nothing. Log management doesn’t have to be a boulder chained to internal staff: managed security service providers, like CentraComm Communications, provide excellent log aggregation, correlation, and alerting services. Regardless of who actually reviews the logs, make sure the security and control outcomes expected from the reviews are clearly defined. The person reviewing the logs should understand what constitutes anomalous behavior and what it looks like in individual or aggregated log data. OWASP provides an excellent list of log review guidelines.
  5. When a member of an IT team is terminated, or quits voluntarily with attitude, he or she should be escorted immediately to his or her desk to collect personal items and hand over security badges and keys. At the same time, an account administrator should be disabling the person’s accounts and changing any shared, service, or remote-access credentials (VPN, dial-up, out-of-band consoles) the person knew. Under no circumstances should the now-former employee be allowed access to any information resource from the time he or she is terminated to the time he or she is escorted to the door.
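The nightly reconciliation in item 3 and the group-change review in item 4, as one added PowerShell example. This is not the author’s script. It assumes the RSAT ActiveDirectory module, a service account whose only write right is membership of the audited groups, an authorized list on a share that domain admins cannot edit, and placeholder names for that share, the SMTP host and the mailbox.

```powershell
# Added example, not the author's script: nightly audit of AD admin-level groups.
# Assumptions (placeholders, adjust to your environment): the RSAT ActiveDirectory
# module is installed; the script runs as a service account whose only write right
# is membership of the groups below; the authorized list lives on a share that
# domain admins cannot edit; the SMTP host and mailbox names are invented.
Import-Module ActiveDirectory

$AdminGroups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$AuthorizedFile = '\\secaudit\audit$\authorized-admins.txt'   # one sAMAccountName per line
$SmtpServer     = 'smtp.example.internal'
$AlertTo        = 'security@example.internal'
$Pdc            = (Get-ADDomain).PDCEmulator    # group changes replicate here first

# Load the authorized list: skip blank lines and '#' comments, compare case-insensitively.
$Authorized = Get-Content -Path $AuthorizedFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { $_.ToLowerInvariant() }

# An empty or unreadable list would otherwise strip every admin; fail closed instead.
if (-not $Authorized) { throw "Authorized list at $AuthorizedFile is empty; refusing to run" }

$Findings = @()

foreach ($Group in $AdminGroups) {
    # -Recursive follows nested groups, so an account hidden two levels down is still seen.
    $Members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    $Direct  = (Get-ADGroupMember -Identity $Group).SamAccountName

    foreach ($M in $Members) {
        if ($Authorized -contains $M.SamAccountName.ToLowerInvariant()) { continue }
        $Findings += "Unauthorized '$($M.SamAccountName)' in '$Group' ($($M.DistinguishedName))"
        if ($Direct -contains $M.SamAccountName) {
            # Direct members are removed on the spot, as the article describes.
            Remove-ADGroupMember -Identity $Group -Members $M.SamAccountName -Confirm:$false
            $Findings += "  removed '$($M.SamAccountName)' from '$Group'"
        } else {
            # A nested member arrives through another group; report it for a human
            # to trace rather than guess which containing group to edit.
            $Findings += "  nested via another group; manual follow-up required"
        }
    }
}

# Log review: who added whom to these groups in the last 24 hours.
# 4728 = global, 4732 = local, 4756 = universal group member added. For all three
# the event data is laid out MemberName(0) ... TargetUserName(2) ... SubjectUserName(6).
$Events = Get-WinEvent -ComputerName $Pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddDays(-1)
}
foreach ($E in $Events) {
    $Added  = $E.Properties[0].Value
    $Target = $E.Properties[2].Value
    $Actor  = $E.Properties[6].Value
    if ($AdminGroups -contains $Target) {
        $Findings += "$($E.TimeCreated) $Actor added $Added to $Target (event $($E.Id))"
    }
}

if ($Findings.Count -gt 0) {
    Send-MailMessage -From 'adminaudit@example.internal' -To $AlertTo -SmtpServer $SmtpServer `
        -Subject "Admin group audit: $($Findings.Count) finding(s)" -Body ($Findings -join "`n")
}
```

Run it from a scheduled task on a hardened audit host, not on a domain controller the audited admins manage, and have the security mailbox checked by someone outside the admin teams; otherwise the people being audited can silence the audit.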

I’m sure you can think of additional ways to protect network resources from disgruntled IS administrators. However, these are practices I believe every organization should follow at some level, yes, even SMBs.
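The check-out-and-rotate idea from item 2, as an added PowerShell example. It is neither the author’s code nor the eDMZ product; it shows the core of what such a repository does for the forest-root Administrator account: record who checked the account out and why, reset the password to a fresh random value, and hand that value out once. The event source name, the event IDs and the ticket format are assumptions.

```powershell
# Added example, not the author's code and not eDMZ's product: a minimal
# "check out and rotate" routine for a privileged account. Assumptions: the
# ActiveDirectory module, rights to reset the target account, and an
# 'PrivCheckout' event source that the first run registers (needs local admin).
# A real repository adds approval workflow and access control on top of this.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-symbol alphabet: 256 is a multiple of 64, so masking a random byte with
    # 63 picks each symbol with exactly equal probability (no modulo bias).
    $Alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#')
    $Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $Bytes = New-Object byte[] $Length
    $Rng.GetBytes($Bytes)
    -join ($Bytes | ForEach-Object { $Alphabet[$_ -band 63] })
}

function Request-PrivilegedPassword {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'Administrator'
        [Parameter(Mandatory)][string]$Ticket,    # change or incident reference
        [Parameter(Mandatory)][string]$Reason
    )
    $Requester = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Log the checkout before handing anything out, so a failed reset still
    # leaves a record of who asked. Assumed: security staff alert on ID 4000,
    # which is how a second person learns about every checkout.
    if (-not [System.Diagnostics.EventLog]::SourceExists('PrivCheckout')) {
        New-EventLog -LogName Application -Source 'PrivCheckout'
    }
    Write-EventLog -LogName Application -Source 'PrivCheckout' -EventId 4000 -EntryType Warning `
        -Message "CHECKOUT account=$Account by=$Requester ticket=$Ticket reason=$Reason"

    # Rotate on every checkout: the value the admin receives is valid only until
    # the next checkout, so a copied or remembered password is worthless later.
    $Plain  = New-RandomPassword
    $Secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $Account -Reset -NewPassword $Secure

    Write-EventLog -LogName Application -Source 'PrivCheckout' -EventId 4001 -EntryType Information `
        -Message "ROTATED account=$Account by=$Requester ticket=$Ticket"
    return $Plain
}

# Usage (the returned value is shown once and never stored in the clear):
# Request-PrivilegedPassword -Account 'Administrator' -Ticket 'CHG-1234' -Reason 'schema change'
```

The Application log on the host running this must itself be forwarded to a collector the administrators cannot clear, or the two-person visibility the article asks for is lost the first time someone runs `wevtutil cl Application`.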

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

51 comments
bfordham

I worked for a very small business and we "let go" our system admin. They forgot to ask him for the keys to the office. I told the President and they changed the locks. They remembered changing the passwords to the servers, but the physical keys to the building are a VERY important thing as well.

rijooo

You should have a password provisioning system that handles password management. Here each admin, prior to access, will justify the need to access, and such records will provide appreciable control of admin misuse.

RU_Trustified

Warning: Approaching shameless plug. Trustifier technology is a counter-espionage technology that assumes evil admins (even trusted admins can be compromised). Auditing as prescribed is a must, but it must also be tamper-proof to act as a deterrent. Trustifier is a kernel level policy and behavior enforcer, so that one can give IT staff the access to systems and networks to do their jobs, but by excluding them from user groups where sensitive data is held, they will not be able to access it. This is generally an enterprise solution, but is more affordable and effective than other enterprise solutions, so I hope that it will eventually find its way into SMBs as well.

george.kincer

The smart way: "Hire good people, deal with them as people, not as machines or things, and vet your choices with background checks." Under no set of circumstances do you ever get a guarantee that the person is not going to stab you in the back. But if you refuse to hire someone who stabbed his previous employer in the back, no matter how good he is, you will have a fighting chance. Dealing with people is not the same thing as dealing with a server, workstation or switch. You can not tell me there were not signs of serious discontent and personality disorder in the San Francisco story. Aside from trusting only one person with the Root, his manager did not maintain enough contact with the guy to tell he had issues, or is it he did not have the gumption to be a manager? If you don’t monitor the person like you monitor the system you have only done half the job. “Locks only keep honest people honest” is a security truism but serves to scale the problem. A Root Admin has the power to do whatever he/she wants. If you don’t monitor the person and their activities in one form or other then you have no locks on your secrets. The Root admin is a particularly problematic role with all of the time and power to do anything, and it would behoove the owner/manager to deal with the “person” fairly.

seeless

I think you mischaracterize the actions of Terry Childs. The cnet article you cite was written before additional information about the case came to light. Far from stealing network secrets, it appears to me that Terry was defending the network from an unskilled bureaucrat who failed to understand basic details of network management and security. Please see: http://www.networkworld.com/news/2008/072108-terry-childs-rogue.html http://www.pcworld.com/businesscenter/article/149159-5/sorting_facts_from_fiction_in_the_terry_childs_case.html In far too many shops, unqualified and misguided managers demand to know domain and root passwords, and go on to damage networks and systems undetected. As you rightly noted, one part of the solution is proper account management and auditing. The Terry Childs case brings up another vitally important issue. While enterprises and small business won't blink at buying RAID arrays and even hot site services, organizations need to staff properly as well. An organization should not have a just one person with skills vital to the company, whether it's domain and network administration, or databases and web site management. This means that cooperative network management, which requires documentation, written policies, and procedures to change configurations are vitally necessary. The vast majority of organizations I've worked for in 30 years were penny wise and pound foolish in this regard. Network administrators are not the enemy of the organization - unskilled, incompetent management is. Managers need to know almost as much technology as the people they manage. Only highly technical CIO's know this. Managers need to be held to a higher standard of accountability. =seymour=

Original Eggman

A former employer/client used a committee system for root level access to 'the system.' There were 11 people in the division/committee. Each held a unique password, generated by the system and known only to them. Passwords were generated with phonetic algorithms to help them be more memorable. Penalties for writing down your root code were not inconsequential. Access to root/master level of the primary controllers required any three of the eleven passwords. They have since added biometrics and may have changed the ratio. One master record of all passwords was dumped to a disk and the disk went into the [classification] vault, all under close supervision. While still not foolproof, the odds of a conspiracy of 3, or 3/11 being unavailable are reasonably low.

Dukhalion

The "secret" is treating your sys admins (and everybody else) FAIR. I would never steal anything from someone who treats me fair, but if I was treated unfairly, don't I have the "right" to some kind of compensation? Why should a company who treats their employees badly get away with it? It's most likely not a question of dishonest employees, because then they would have stolen continuously during their employment, and the real culprit would then be the one who did the shoddy background checking before employing them. After all, you don't get to be a sys admin just like that.

The 'G-Man.'

You stop your Financial Controller ruining your finances and skimming money. You stop HR discriminating against a potential employee due to personal views and ending up with a law suit on your hands.

kwaller

Welcome to the life experience. A small percentage of people in IT will misuse or appropriate information for personal gain/revenge/whatever, just as a percentage of people that work around money will misuse or appropriate funds for personal gain/revenge/whatever. Most of my career has been in the IT field and most of the incidents I can recall relating to misuse/misappropriation of company "stuff" has been in disciplines other than IT (sales staff, executives, etc.). It is just highlighted more in IT because we are at the focus of the funnel of corporate resources as they flow in and out of the corporate domain.

borkanserbian

I think this is a matter of personality and moral ethics more than something that can be considered only as a security issue, although it truly is one. No way to protect from people like that except not having them in the company at all. You may install as many security gadgets as you want, including a camera staring at their face; they would always think of a way to get revenge and do you damage if something is not according to their will. For example, last year I was working 15 days in one company and their general issue was their mail server, which was under a sort of virus/spam attack: used as a relay to self-distribute spam and overload their server capacity, making their queue so big that actual email would never be able to reach its destination even though it was officially accepted by the server, and no delivery-failed message was returned, so it was hard to determine what was going on. I had to stop the server to be able to delete all spam from the queue and filter regular mail. I managed to solve the problem only when I created a secure authentication method and changed the ports they were internally using for their outgoing mail. And the whole thing was set up by their ex system administrator, who considered himself damaged by the way the company had failed to fulfill agreements (which was very true). OK, the problem was solved and my services were no longer needed, and I never got paid for it :-) So my advice to good and sincere people, employers and employees, as I truly believe there are still many such: pay attention to who you are dealing with rather than how you will protect yourself, as there is no way to protect from evil, just as evil cannot last if it is being saturated with goodness. Be good

rich

At some point you are going to have to have some trust in your employees. If you don't and suspect everyone, maybe being in the position of employing people will prove to be just too stressful. Give up now and become a hermit if you want my advice. Or you could just build an organisation around trust and respect for your employees and maybe they'll repay you in kind.

reisen55

This a given and should NEVER be questioned, any sys admin - any company employee really - is exposed to PRIVATE DATA and it is OUR JOB TO KEEP IT THAT WAY. There are many tales of late of IT people selling personal data for private gain and they should face maximum prosecution. That is how you keep them from doing it. ENFORCE THE LAW PERIOD.

jeff

As has already been stated, if those vitally important to the business are treated well and recognised as such, their loyalty will be much more predictable. However, good background checks of potential new hires are an important factor as well. Verify integrity before and ensure loyalty afterwards will yield the best results in my opinion. Unfortunately, as long as IT is viewed as a cost center and not an asset, you'll have a hard time with the 'loyalty' aspect. That being said, there are just some very BAD people in the world, which is where practices like the author notes have their place to a degree, depending on how critical the data you are trying to protect is.

NotSoChiGuy

88%??? That seems awfully high to me. It's hard enough getting 75% of any demographic to agree that the sky is blue, let alone getting 88% to admit to offenses that go up right to, and may extend past, the illegal. Of course, given that the study was funded by a firm that makes its money on security services/products, well..... ;) On a serious note, I do think this should be a serious concern for organizations; particularly those under increased scrutiny due to government mandates. Much as the Enron/Andersen/WorldCom fiascos opened the eyes of many to the insidious side of financial accounting (I just finished a financial accounting class and I must honestly say I came away amazed at how relatively easy it is to fudge significant numbers), this situation may open the eyes of people to recognizing the perils of entrusting all of the keys to the kingdom to any one individual (particularly one with a criminal background). On the flip side, this could be used as another reason to push towards cloud computing and/or outsourcing.

jeremy.gonyea

Pay them better. Sorry if that sounds a little bitter, but keeping up with good raises and such goes a long way in showing that you care about your IT admins. Then they will have a less likely chance of retaliating against the company.

Marty R. Milette

There are a thousand ways an 'evil' administrator can use to compromise a system if they have the urge to do so. Considering the power held by Service Account passwords -- I've found this to be one of the most obvious yet overlooked security holes there is. I can't say I've seen it all, but have seen:
- Fired admin coming in through a secret dial-up access. (Using the company Internet connection for his own personal use.)
- Fired admin coming in through service account and remote Internet access. (Sabotaging the systems and stealing data.)
- Night auditor downloading pirated DVDs during night shift (racking up a bill for $15,000 in excess traffic charges.)
The list goes on. Main point -- if the admin is smart enough -- there is almost nothing that can be done to stop him -- there are too many ways to get in once you've had access at the admin level.

mjd420nova

I think the idea of system admins stealing company secrets would only apply to the IT businesses. Web developers and those who understand how to manipulate information and its representation to the public domain would have a great deal of difficulty putting together any scientific information that would create a threat to any real manufacturer of consumer products. For example, an IT manager wouldn't have any idea of what information to steal to sell to a competitor for a fuel formula for better gas mileage. Or a system admin to hijack a formula to better clean soap scum off of a bathtub or other ceramic bathroom hardware. This is a problem for internet type businesses only.

techrepublic@

I agree completely! :) Seriously, a proficient server/network administrator, with some hacking, can extend his privileges on a system/network if he already has a foot (and probably more than that) in the door. Also, logging everything and anything probably will not help you much either since logging can be compromised like the rest of the system. If you want to protect information then use encryption as much as possible. Encrypted email, files or database data are a much harder obstacle to unauthorized access than privilege restriction/segregation/separation.

J.Z

This is a real good one. However for those SMBs they usually only have one IT person or outsourcing service providers. It's getting really hard to control. The key thing is that how you trust and treat the IT guy I guess. :)

drl.techrepub

I'd install a decent door entry system and CCTV at the building entrance because THAT is the biggest hole for data and wily criminals to slip through. I'd have IT-savvy security guards and enforce the "no holding the door open" rule. I'd make sure HR had nothing to do with employing staff that require security clearance. I'd warehouse data remotely if necessary. Even though I'm an atheist I'd pray I'd done everything I could.

Locrian_Lyric

If you don't lay them off, they won't take anything with them when they leave. Good will goes a long way. Plus, while a good deal many of us are hotheads, when it comes to actually DOING something, most of us wouldn't risk our careers, much less jail time (oh, we'd do well in jail, wouldn't we?) for a bit of revenge. Treat people right, and they tend to treat you right.

Jaytmoon

Where does security "oversight" stop and real management end? At some point in the chain of command/security/support, there must be at least one individual who has "ultimate" password access to all of a company's data. I doubt that the President or CIO would be able to maintain a complete record of all access. Is there a market for an "Ultimate" Security Director? One who is bonded and insured for such authority? Wow, would that be a stress-free position to be in!

marie-noelle.baechler

In my experience, system administrators may be good at managing routers, firewalls, protocols, servers, databases, application servers and so on, but this does not mean that they understand the information system which relies upon this infrastructure. It does not mean that they understand the data that are stored in them, nor the way they are organized. And it seems to me that the increase of n-tier applications heavily relying on frameworks like Hibernate has made things even more difficult for them. There are more and more cases where we need both technical and business people to solve problems, even the ones that look mainly technical. Obviously, there are risks, but it seems to me that the people who have the ability to steal some really important information are the ones who have quite a lot of business knowledge, in order to make sense of the data they collect.

tuomo

Yes, products and technologies such as Trustifier are nice and work, but if used / useful as standalone only, not so useful for security, especially if the limitations are not understood or forgotten (as usually!). If rogue administrators were the only security problem, life would be easy, but they are actually a very, very small problem. If your oil rig blows up or your CEO's hidden compensation appears on the first page of a newspaper based on information stolen by a rogue administrator, the real problem isn't really the stolen data but that the whole security chain failed. Why - maybe it wasn't the administrator after all who stole the data, maybe it was the legitimate user, a Cxx, a manager, etc. who goes bad or works for competition and was given access to information without any extra auditing and alarms going on? Or maybe it was a SQL injection problem or a web page which had access to information it shouldn't have or a lost laptop or a printout in a wastebasket or whatever without a trace or alarm. So, point solutions don't work in security without a strategy, planning, design, continuous enhancements, changes, monitoring, etc. - thinking otherwise is buying snake oil or just being lazy, i.e. incompetence! Any proprietary, closed solution will have problems seamlessly merging with old or other technologies. And so on. Of course it is up to a company / corporate to select what strategy / methodology they use for security but the current situation is not good! Amazingly, for example Microsoft (or maybe not so amazingly?) is currently working on their new management solution which will be based on open standards (as much as you can hope MS really is not doing it wrong?) Because they are a big company it will be very complex and bloated, at least at first - anyone around when RACF came from another big company and remembers what a mess it was?
But at least it gives the building blocks and base for future technical solutions, not just a closed, expensive and one source product - I hope! By the way - it is platform independent and open standards based IF done right! I know other companies are also working on same technology but not as openly for whatever reasons they have.

fmurphy

While the concept of BCs is wonderful - and personnel departments thrive on delivering specialized tests to determine a person's "viability" based on (what is essentially) an ink-blot interpretation of personality.... I seriously doubt that ANY background check will shed an ACCURATE light on what a person would do in this kind of situation. Let's face facts. "Administrators" of IT truly have the self-given 'power' to be the master of their own domain. That domain, in their eyes, is everything that they have access to. Period. I am sure that I am annoying all admins out there, but it is true nonetheless - they just will not admit this fact. Admins as a 95% general rule will not abuse their rights within the context of corporate intellectual property. Fact. Period. Also, to other points already made, admins should be respected for their diligence in maintaining the integrity of the systems they are responsible for. The bottom line question is: How in the world can you actually (and accurately) predict when an employee will go "postal" with sensitive information? You cannot. Therefore, if an admin is to be released from the company's employment, thorough diligence must be done PRIOR to that person's departure and that person should be escorted out. All backdoors should be considered, all systems should be evaluated, the list would go on. How can a company do all this gathering of potential security holes? It must be gathered by, IMHO, an independent 3rd party. If only for the simple fact that an unscrupulous admin *might* not be forthright and tell their employer of all the security holes. It all comes down to "corporate trust". Remember the days when you could ACTUALLY trust that the company would take care of you and put your interest in the forefront?
Unfortunately, the corporate world today is not that of "right to work" (meaning work hard and you get rewarded appropriately); rather it has the built-in statement of "at will" employment - meaning that a person can be let go at any time for any reason whatsoever! Only when corporate America wakes up to the fact that they need to treat their employees better will they ultimately reap the benefits of employee loyalty.

JamesRL

It is never appropriate to steal information or violate the trust you've been given, even if you feel you have been treated unfairly. If you think you've been treated unfairly, then leave. You never ever have the right to steal. That shows a complete lack of integrity. You do have to do background checks, and continuously monitor activities, even with the most trusted employees. I don't have access to the datacentre in my office, even though some of my employees do, because it's deemed I don't need it. That's a principle that others would do well to follow: give people only what access they need to do their job. And I have worked at a job where employees were disciplined for holding the door open. I don't have a problem with that. I've seen the reverse, where layoffs hit a company, and laptops started to go missing. James

W_L_O

True, the HR department has more than their share of snoops and blabber-mouthed drama queens.

ljansch

This reminds me of the old joke about the argument between body parts about who gets to be in charge. The part that the other parts laugh at shuts down in anger and all the other parts suffer. As long as the executives treat critical employees like utterly replaceable hired help, animosity and these self-preservation acts by sys admins will continue. Make them an integral part of the company and involved in operations/decisions and this will go away.

jmarkovic32

If you don't want admins reading privileged docs then encrypt or password protect them.

buddyfarr

"I'd make sure HR had nothing to do with employing staff that require security clearance." bad idea. They should always be the first step. Let them get the background checks done beforehand so the easy checks are done before you have to waste your time.

computab

in my experience staff with access to confidential data sign a Confidentiality Statement, then everyone knows what will happen, 'cos the law will come down on them like a ton of bricks if they do anything wrong!

kryan

I suppose that may be true, but if you stole the customer database for profit I suppose whoever bought the information would understand its contents. Depending on the company, how much would a customer database be worth? What about a mobile phone database: records and personal information of thousands of contract customers along with their contract renewal dates.

tuomo

Right, but I think not understanding makes things even more dangerous: what may seem a non-issue or not harmful to them may cause a lot of harm to the company and/or customers. The question "How do you keep..": Same way as you keep your accountant, Cxx, etc. from stealing the company secrets. Sorry, I was in information security long before it started to be an IT/IS issue. Three basic rules to be prepared - hire trusted persons, monitor them and be ready to take action. Rules, policies, laws, whatever have never stopped someone who wants benefit or revenge; nice to have but not the answer. Many good but partial answers. Many answers which for example try to blame the companies for not treating personnel right? Well, of course you should, but what is right? And why would "not right" make a person break the trust - very immature. I have left a company or been laid off a couple of times - every time still helping them anything from three weeks to two months and later consulting - even working with competition at the same time. That's what you get with trust and you should never break it! I also have a small problem believing the numbers. Yes, many people have access to more information than the company feels comfortable with and that's how it has always been and will always be, but in my 35+ year career I have met only some (very few) out of thousands who misuse the trust. It's always a person behind any mischief and it gets more tempting the more authority he/she has. Centering on administrators or any other group is a big mistake. The security vendors try to sell "solutions" to a problem which is a symptom, not the cause. And inexperienced management is falling into that trap. Security has to cover the whole company (and customers, etc.)! Locked doors, actually doesn't have to be a problem done right, is already physical, not IT security. But there are many ways to get information out of premises. Even monitoring data in/out is kind of physical.
They are only partial solutions and almost never can really prevent the incidents, just move the problem to some other place, if even that. First, security is a corporate issue, not IT or any other organization alone, no matter how important they think they are! If the security is handled as a whole it gets much easier and much, much less expensive. I have been lucky to work on security in companies which had to worry about information security long before it became an IT/IS problem also. These companies did well a long time - until maybe the late 80's when IT started to separate from other corporate functions. The security decisions merged with other job functions which caused conflicts - you have a responsibility for something, you are given another responsibility which is seen as a waste of time or just a nuisance because you can't see any benefits of it in your career - guess which suffers? Or maybe seen as a method to grab more power, tempting, isn't it? Part of the problem is that managers are seen as gods today - isn't it amazing the talk today is how administrators or programmers or .. are to blame or the problem, never the management? Giving a password to your CEO or manager just because is never done in a secure environment, no matter what!! Yes, more than one person has to have access to keys, sound business decision, but not by whim and never, ever without an audit trail immediately available and reversible in case of problems. Easy and not expensive IF (IT / corporate) infrastructure is designed that way, very difficult and expensive using point solutions and / or added later. Sorry about the long rant but after designing and building a couple of corporate security infrastructures these "blame these individuals or corporate functions" approaches are mostly useless, just part of power play and/or "successful" marketing.
Security is much more than just one incident and it doesn't have to be intentional, mistakes happen (will always happen for whatever reason) and the whole system must be ready for those - controlling just part of security is going to fail otherwise. We all have seen that (too) many times, especially today!

Locrian_Lyric

It's just more of the old 'blame the IT folks' game.

storch

Well said fmurphy. An employee going postal usually involves more factors than just what is going on at work. What if a series of disasters struck a person, culminating in the person getting fired on the same morning his wife left him after cleaning out the bank accounts, and he just got news that his dad died? It might be enough to push him over the edge even though he had been a person of the highest integrity his entire life. Interesting discussion and one I personally find ironic. I'm not a network administrator, just a tech. But I am always going on about security with the managers. They consider me paranoid. Someone on this list said to me, "I thought that was part of your job description." Indeed it should be!

The 'G-Man.'

Both sides have to play fair (two rights) for things to work. A company that knowingly treats staff unjustly or unfairly is just asking for this kind of thing. Similar things can be said for a staffer who treats their 'good' company with contempt. This is not a one-sided case, I feel.

jorge.blat.palacios

Let's be realistic here. There is a much higher chance of an average staff member from any department bringing confidential information with him, "whether fired or not", than the chance of an IT guy bringing data with him. In most cases, it is the way the company treats the IT employee that causes him to go crazy. In my years of IT knowledge (15 to be exact) I have seen many more occurrences of senior management staff losing thumb drives (unencrypted), floppy disks, notebooks and other electronic stuff, or using external email applications to send confidential documents, or photocopying key contracts and data to bring home "for further study" (which by the way appears to be ok), than of IT staff stealing info. The best part of all? In my experience, the biggest mistake commonly made by business staff is leaving confidential printed documents unattended at the printer for a whole day. How many people get to know key information before the CEO discloses it? Come on, another quick one. How much information (and how fast) do you think you can obtain from a disgruntled payroll HR staffer? Companies should treat the sys admin like a doctor. Even if he knows secrets (which we all know, by the way), it is part of his job to keep them confidential. Same as lawyers, HR staff, finance, business development and so on...

No User

"Make them an integral part of the company and involved in operations/decisions and this will go away." I would add that many other problems would go away as well.

techrepublic@

It seems obvious! I rarely come across anyone that takes security and privacy seriously.

drl.techrepub

... in practice the best person to vet an employee is (a) somebody who has the same skillset as that required, and (b) someone who has worked with the public. I don't know about you but I could pick the unsuitable characters out within 10 minutes or so of having a conversation with them in the canteen.

cowen80194

We charged 3 hours per man at 20 men times 2, once for entry and once for exit. They had to pass through one at a time with tools and materials to start, do, and clean up from a job for 3 weeks. When the foreman makes 30 an hour and the guy who sweeps makes 10 an hour, then all the level 1 and level 2 techs average 20 an hour. I am glad you are willing to pay that bill.

buddyfarr

A confidentiality statement is not going to stop a thief or disgruntled worker from stealing or messing up the network or data that is held on it. That is why you go with rule #1. If you have a reason to not trust any of your IT staff then get them out and lock them out.

JamesRL

That's the ethical thing to do, as opposed to condoning or excusing unethical behaviour. It's good to remember it's a small world, and we often bump into people later on down the career path. If a hiring manager hears that a sys admin did something unethical at a previous employer, no amount of excuse about how the previous employer treated the sys admin will overcome the issue. James

tuomo

Correct. Long known in the security world: take a person to a relaxed environment, find out what they really think, forget the technical, and bingo - sometimes it takes more than 10 minutes and may include more socializing and maybe a couple of beers in hard cases, but then you know much more of their character. This works even afterwards; people change, so it is very useful to keep doing that. A standard procedure in good security control and auditing (and may be fun!)

drl.techrepub

The reality is that you have to choose any two from the following three: 1) Security, 2) Inconvenience, 3) Cost. I'll get you started just in case it isn't obvious what I mean. You can have convenient security if you pay more for the system. If you are prepared to put up with inconvenience you can have security at a cheaper price. If you don't have security then you are in for one hell of a lot of inconvenience and cost! Now, what do you want? Those are your choices and that's all the choice there is. The simple answer for your problem is to either isolate where the workmen are working, or, if that can't be done, then as a condition of the job have them leave all tools on site so there is far less to do when they arrive and leave. Another alternative is to have customised security that only they are subjected to. It's not exactly rocket science. It's only a problem if you don't look at it with an open mind.
