Video: Five ways to keep your own IT staff from stealing company secrets

The arrest of a network administrator who hijacked the city of San Francisco's network brought attention to a dangerous and often ignored threat--your own admins. In this IT Dojo video, Bill Detwiler discusses security practices to protect company secrets from the very people who should be keeping them safe.

High-profile breaches of private data are often the result of lost or stolen equipment, malicious hackers, or improperly disposed-of storage devices. Yet the July 2008 arrest of a network administrator who hijacked the city of San Francisco's network focused the spotlight on a potentially more dangerous threat--your own admins.

In this IT Dojo video, I discuss the following five security practices that will help protect your company secrets from the very people who should be keeping them safe:

  1. Follow the rule of least privilege
  2. Not all IT staff should be domain admins
  3. Monitor additions to admin-level groups
  4. Log all administrative activity
  5. Immediately revoke admin rights for terminated IT staff

After watching the video, you can read more on these five security suggestions in Tom Olzak's article, "How do you keep your sys admins from stealing company secrets?"--the basis for this video.
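Of the five practices, item 3 (monitor additions to admin-level groups) is the one that turns most directly into detection logic, and it is how item 5 (revoked admins quietly re-adding themselves) would be caught. As an added example that is not part of the article, the video or Tom Olzak's piece, the Python below reconciles constructed Windows Security log records for group-membership additions (event IDs 4728, 4732 and 4756, which are real Windows event IDs) against an approved membership list and flags unapproved additions, including an admin adding their own account. The one-line log format, group names, account names and approved list are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Windows Security log event IDs for "a member was added to a security-enabled
# group": 4728 = global group, 4732 = local group, 4756 = universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}

# Groups treated as admin-level, and the membership approved through change
# control. Both are assumptions constructed for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED = {
    "Domain Admins": {"CORP\\alice", "CORP\\bob"},
    "Administrators": {"CORP\\alice"},
}

# Assumed simplified export format, one event per line (not a real log layout).
LINE_RE = re.compile(r"EventID=(\d+)\s+Subject=(\S+)\s+Member=(\S+)\s+Group=(.+)$")

@dataclass(frozen=True)
class Alert:
    event_id: int
    actor: str            # account that performed the change (event "Subject")
    member: str           # account that was added to the group
    group: str
    self_elevation: bool  # the actor added their own account

def parse_line(line):
    """Return (event_id, actor, member, group), or None for unmatched lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()

def find_unapproved_additions(lines, approved=APPROVED):
    """Alert on every addition to a privileged group that is not approved."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event_id, actor, member, group = parsed
        if event_id not in GROUP_ADD_EVENTS or group not in PRIVILEGED_GROUPS:
            continue
        if member not in approved.get(group, set()):
            alerts.append(Alert(event_id, actor, member, group, actor == member))
    return alerts

# Constructed sample log: approved change, self-elevation, unapproved service
# account, a non-privileged group, and an unrelated logon event (4624).
SAMPLE_LOG = """
EventID=4728 Subject=CORP\\alice Member=CORP\\bob Group=Domain Admins
EventID=4728 Subject=CORP\\carol Member=CORP\\carol Group=Domain Admins
EventID=4732 Subject=CORP\\carol Member=CORP\\svc-backup Group=Administrators
EventID=4728 Subject=CORP\\alice Member=CORP\\dave Group=Marketing Users
EventID=4624 Subject=CORP\\carol Member=- Group=-
"""

if __name__ == "__main__":
    for a in find_unapproved_additions(SAMPLE_LOG.splitlines()):
        print(f"ALERT event {a.event_id}: {a.actor} added {a.member} to "
              f"'{a.group}'" + (" (self-elevation)" if a.self_elevation else ""))
```

Run against a real export, the approved list would come from the change-control record for each privileged group, so an addition with no matching ticket is the alert.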

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

33 comments
webegeeks

The NSA needs to implement controls so intercept operators are doing valid message intrusion rather than listening in on soldiers talking dirty to their wives while in Iraq!

reisen55

This is true, by the way. At Aon Group in Manhattan, 199 Water Street - a 1,200-user community I used to support until outsourced out in December 2005 --- IT headcount for on-site technical support is now... ready.......... 1 again 1 One onsite technician. ONE for a user community of 1,200 people.

Photogenic Memory

And you wanted to share it with the whole world via torrent!! May the downloads begin, right? Just kidding. You should get FIRED for THAT unless you're the one who solely developed it yourself, LOL! In that case, it's all good, LOL! Just funnin' a bit.

beckumsca

I just have to wonder at what point do security measures become overkill? Don't get me wrong, I agree that companies, big and small, have to protect themselves. But like was said before .... Who's going to watch the watchdogs? And who is going to watch them? Does trust of other people get thrown out the window in the process? Are we doomed to always go from not doing enough before something happens to doing everything imaginable to the point of lunacy? Or is it just the American way? It makes me wonder sometimes. Hope all of you out there don't take offense to this, and have a great day!

reisen55

Examine all user accounts for backdoor entry points; terminated admins love to leave such dark alley entrances behind. Any current employee having anything to do with a terminated employee beyond social networking should be warned - any internal contacts that violate company security should lead to immediate disciplinary action. Internal security review every month or two months. Maintain inventory and update. My daughter was terminated from a job and the server with hardware inventory crashed and died. The terminated sysadmin refused to come back and repair, so many terminated employees found themselves the new owners of much expensive hardware. That they were given one day's notice was also unfair and in violation of the federal WARN Act. Make sure terminated employees return equipment. If you have a 30-day mass termination approaching, watch for missing hardware. IT staffers love to appropriate hardware when they know in 30 days they are history.

abraham.ranjit

In addition to the mentioned tips, I suggest one of the system administrators (rotationally selected) should conduct a periodic (preferably monthly) security audit report to check for any violations and intrusions.

Wally Bahny

Where do you get your clip art and images? I especially like the one of the creepy-looking guy in the prison outfit. :-D

Bill Detwiler

The arrest of a network administrator who hijacked the city of San Francisco's network focused the spotlight on a dangerous and often ignored threat--your own admins. In an IT Dojo video, I discuss security practices to protect your company secrets from the very people who should be keeping them safe. Original blog post: http://blogs.techrepublic.com.com/itdojo/?p=182

I know some IT personnel dread the thought of policing their end-users, let alone their fellow IT staff. But as I say in the video, "IT leaders and security managers must put aside any reservations on monitoring IT personnel and implement appropriate controls on the network administration process. Even small and medium-size businesses."

Does your IT organization have an internal watchdog group? Is an external department responsible for keeping tabs on IT? Who do you think is best suited to police IT?

Photogenic Memory

1 tech to about 600 users. Don't ask me why. And that's just the first floor!! It's a banking institution, so I guess it's not all that shocking!! I feel for ya, bro!

jbrin

.. every problem looks like a nail. One of the problems I have with an alarming video like this is that it fails to mention the scope of its application. While all the things mentioned probably have some decent merit within enterprises with large IT staffs (a dozen or more), the problems surface when a principal in an SMB (say, less than 50 client computers, serviced by outsource or < 3-4 internal) views this, panics and overreacts. He'll end up making his IT staff miserable while adding a significant chunk to his IT support budget (as it will certainly result in more wheelspin while performing common tasks), and, most likely, the company's overall operation will suffer from the added burdens. Even as it is, in servicing such smaller clients, I burn more time and earn more money chasing down users' forgotten passwords so I can start to troubleshoot a problem than, probably, from any other common activity. I can only imagine what adding a hyperactive security initiative to those environments would do. Also, the vid would be better if it included a brief discussion of the law and employee/vendor contract terms.

abear4562

It's hard to feel sorry for a company that terminated a sysadmin and then discovered they didn't have any backups. Makes me wonder if the admin knew that, had been yelling about it, then was fired for making too much noise...

TheGratefulNed

"Any current employee having anything to do with a terminated employee beyond social networking should be warned - any internal contacts that violate company security should lead to immediate disciplinary action"

Certainly current employees shouldn't be giving out personal/sensitive/proprietary data to terminated employees (or anyone else not authorized, for that matter). If you've worked with someone for several years, know their family, hang out with them socially, drink with them in the evenings or on weekends, it's not only absurd for the company to expect you to stop doing so just because they were fired/laid-off/quit, it's also quite possibly illegal for them to ask or even infer as much. My job responsibilities pertain to my work, not my personal life. My boss can tell me to do anything work-related; as soon as he/she tries to say "oh, and you can't hang out with John anymore" I'm gonna laugh in their face.

"Examine all user accounts for backdoor entry points, terminated admins love to leave such dark alley entrances behind."

This is generally only a problem with admins who know or expect to get fired/laid-off or with ones who plan in advance on quitting.

leberg

We do audits, and we have audits done by an outside vendor. You can never be too safe.

Bill Detwiler

We buy most of our stock images and video footage from iStockphoto.

cbulla

You know, it's not always the accounts that are the best doors. I have a friend who works elsewhere now who used GoToMyPC to demo its use while director and administrator at our previous job. At last check, it was still installed on a workstation that's used for administration of network activities, which we found to be unlocked and open for use under the current manager's name after hours...way after hours. It was checked because we'd realized the program was still on her laptop and it was being reappropriated for some simple email tasks, and we said "I wonder... nahhh, but it would be funny... no way~!!" Short story is the whole OS was reinstalled and on internal network stuff only now.. The admins have their hands full, and a backdoor account is only one avenue. How many audit their firewall or workstations?

RU_Trustified

Disclaimer: Although I work for a security vendor, the following points are presented for the sake of discussion. At a NIST software assurance forum I was at last week, the subject of code ransom came up. San Fran was not an isolated case. One way to combat unauthorized code tampering and manipulation is to use multi-level integrity enforced by a kernel-level policy enforcer. By ranking code higher for integrity than any system user, at least for backups, code cannot be tampered with, which also acts as a deterrent for unauthorized activity by users with access privileges. What is required is the means to enforce and limit data access policies that are separate from network and system privileges. We have a means to allow IT staff to perform their work without being allowed to access any data domain in an unauthorized fashion. Why does IT need to see HR or accounting data?

uberg33k50

Ok, so one untrustworthy guy does something he shouldn't and now our "we have to justify our existence" media have to make this a priority. How about this...if you cannot trust the person -- DON'T hire them. If you find out they cannot be trusted after you hired them -- then fire them. I think most people are pretty trustworthy if you trust them to begin with... when you start sending the message that you do not trust your people before they give you any reason not to trust them -- then you WILL have problems.

Beoweolf

This particular case has been pushed through the media as an illustration of many unrelated different problems. My understanding of the case is the system manager did not steal any data, did not corrupt the database, nor is the system compromised - other than he refused to turn over the system administrator password to someone he felt was unqualified to run the network. By most accounts, the system has been configured to automatically protect the undisclosed administrator password by various means - along the lines of what is normally used to prevent hackers, intrusions or harvesting of passwords by unauthorized persons. Yes, he has stepped way over the line by refusing to divulge the password to his new supervisor, but has done nothing that rises to the level of hijacking. What we have is a difference of opinion - 2 stubborn people refusing to compromise to bring this matter to a reasonable conclusion. This started when they sought to terminate his employment, in a less than honest and forthright manner. After finding that the system was capable of protecting itself without the administrator present - they chose to threaten rather than discuss the issues. I think the administrator may have lived too long with machines, but this was not an issue that any amount of oversight or investigation could have prevented. At best it illustrates that treating staff as adults might have prevented this "hijacking" in the first place.

Ou Jipi je

Do you guys have really nothing to do other than writing this rubbish? Computer security is not a set of rules that can be applied globally to every situation/company. How the highest level of security can be reached at a specific customer depends on the requirements of their senior management. Only then is a tailored solution developed to meet the requirements. Is the requirement to police end users? So be it. Is the requirement not to police end-users? Fine as well. Stop putting your opinions in front of the requirements. Anything other than firm requirements from senior management is often just a mediocre attempt of middle managers and other idiots to show that they are doing a good job by presenting what they have read in a computer security magazine. Ask them a question: Who is going to watch the watchdog group? It is the requirements, the technology and factual knowledge that protect your network, and not politicians and other types of morons.

MikeGall

As far as I know it would be illegal where I am (Dresden, Germany). We aren't allowed to log internet use, for example. It is good and bad; employees are explicitly trusted and have privacy if they need to do some personal web stuff during breaks or whatever. But the reverse is also true: if we have problems, we don't have a log.

Wally Bahny

We don't either. As there are only three of us (soon to hopefully be four), there's not exactly "extra manpower".

LarryD4

Current location does not have a watchdog group but of all places, the State Judiciary should...

JCitizen

I think most would look at this in a more practical light. Implementation would come in stages over time and in logical order. It wouldn't necessarily jam up the organization. When HIPAA hit the nonprofit I was contracted with, our CIO took this same practical approach and implemented every step mentioned in this video. With the small exception of a few ruffled feathers from former "power users", there was little dissent. There was little interruption in IT staff activities, although great changes were made. By having regular staff meetings to discuss strategy and building good communication between teams, we actually improved our performance. One thing not mentioned here was remote desktop privileges. Only key personnel manning the helpdesk were given a position in the server firewall to be able to access desktops for the clients. Lower IT support staff really didn't need this ability, as they were hands-on techs anyway. This allowed a more focused energy toward problem solving and streamlined our operation. OnTrack was implemented to keep IT staff and supervisors apprised of progress and what was being done, if anything, to solve difficulties. This worked so well that the supervisors in our client staff started using it to track progress in non-IT projects! I think this was a very pertinent article, and I can report that it works very well. We've had some very belligerent IT staff that were let go and quickly sealed against network access. We never had a problem with disgruntled employees trying shenanigans against the network, as they knew they would be had. This kind of policy also helped us keep up with the discipline of cleaning up old profiles and former employee data. Good article, Bill!

MikeGall

You can't fire my friends. You can only fire your employees. The normal security policies should work. Obviously talking to your friend/former co-worker and doing something like complaining that they haven't bothered to change passwords or something would probably be a bad idea. That would be the same as telling them what the passwords are. But non-confidential, random work talk shouldn't be a big deal, and I don't think it would be legal grounds for dismissal in any country I've ever heard of.

PVBenn

The company I work at gets audited yearly by outside auditors, both financial and IT-security specific. Some think they are God's gift to the security industry and others are decent to work with. You cannot be too sure of yourself, and I appreciate getting audited as it tells me where potential flaws are. As well, I like getting an audit with little or no issues, as it shows my boss I'm keeping ahead of the pack and keeping the wolves at bay. Fewer security issues = more time for fun projects.

Bill Detwiler

I would normally reply to each criticism within the original post's discussion thread, but I believe this situation creates a perfect opportunity to explain why I still believe "hijacking" correctly defines Childs' actions and why it's important to remember that we don't "own" our employer's network. Please read my reply: http://blogs.techrepublic.com.com/itdojo/?p=186

lmarks

Describing the San Francisco event as a "hijacking" is indeed a gross mischaracterization. It reflects badly on TechRepublic's credibility.

Dr_Zinj

People who complain about security requirements usually fall into two categories: those who have a legitimate complaint that should be looked at to improve the business, and those who have their personal agendas interfered with by security requirements that aren't necessarily in the best interests of the company. This is definitely not rubbish. Normal I.T. turnover puts newer, less experienced people in the driver's seat, for which periodic reminders like this are helpful. And especially because senior managers turn over and are new, inexperienced, possibly I.T. ignorant (yes, there's a lot of them still out there). It's OUR job as information system and technology professionals to advise management on security best practices and to recommend policies/requirements that provide the most protection (least risk) for the lowest cost (in terms of time, money, and resources).

raym444

How the highest level of security can be reached at a specific customer DOES NOT depend on the requirements of their senior management, because the senior manager has no idea what is required to secure their systems/data. There are definitely rules and policies that can and should be implemented in EVERY situation, as well as others that should be implemented (or not) according to the clients' (which is what they're called, not customers. After all, we're not in the retail business here.) needs and restrictions. As far as restrictions go, the only restriction with security should be when it degrades system performance and/or client productivity.

BigHamster

Somebody having a bad coffee day. OuiJi?

Devin_MacGregor

I understood what he was talking about. Clients are customers. Customers are clients. Retail has nothing to do with the name. Sure, there are BASIC rules for every situation, but that is not what he is talking about. Sometimes people like to centralize so much in the name of security that it restricts IT itself from functioning. In order to get something done you rely on that one guy in a different timezone who does not see your situation as a priority, but you have a client/customer for whom you know what needs to be done but can't do it because someone has implemented a restrictive security policy. And most certainly YOUR client/customer is the one PAYING you. You inform them. If they do not require that much restriction, then that is THEIR call. Your job is to consult them on what is needed and implement what they approve. You do not implement systems without their consent and approval. It is THEIR system, NOT yours. You are just babysitting it for them. If they want orange curtains, then they get orange curtains. It is THEIR data, not YOURS. Companies come in different sizes and shapes, so going beyond a basic security scheme may not be one-size-fits-all.

Ou Jipi je

Having said that - obviously - I do feel a bit frustrated by the amount of pointless information sometimes posted on these forums.