claidheamhmor: (AthlonX2)
[personal profile] claidheamhmor
This article was interesting.

IT professionals have keys to your personal details
20 June 2008 at 06h00

Frankfurt - One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal emails or board-meeting minutes, according to a survey.

US information security company Cyber-Ark surveyed 300 senior IT professionals and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.

"All you need is access to the right passwords or privileged accounts and you're privy to everything that's going on within your company," Mark Fullbrook, Cyber-Ark's UK director, said in a statement released along with the survey results on Thursday.

"For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems.

"But to those in the know, they are the keys to the kingdom," Fullbrook added.

Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 percent being changed every quarter and nine percent never changed at all, meaning that IT staff who have left an organisation could still gain access.

It added that seven out of 10 companies rely on outdated and insecure methods to exchange sensitive data, with 35 percent choosing email and 35 percent using couriers, while four percent still relied on the postal system. - Reuters

Source: IOL


This sort of thing is one of IT's dark little secrets. A network administrator in most companies can access just about any data in the company, whether people's mailboxes or even their personal files on their PCs. What's more, they can generally do it completely undetected, and even if there are suspicions, getting security auditing logs into some useful form is an almost impossible task.

Now, I'm not one of those admins who does dig around in confidential files, except in the direct line of work. I regard myself as having a position of enormous responsibility at work, and I try to treat data the way I would want mine treated. Digging around in people's files for salary information or whatever would be unethical, and anyway, I don't think I want to know about it.

Date: Sunday, 22 June 2008 15:05 (UTC)
From: [identity profile] windrider-09.livejournal.com
Unfortunately, security policies when it comes to IT admin are not being implemented. This leaves a tremendous potential for abuse.

Date: Sunday, 22 June 2008 16:04 (UTC)
From: [identity profile] windrider-09.livejournal.com
I don't agree. The point of security policies goes beyond the need to protect the data.

Date: Monday, 30 June 2008 19:09 (UTC)
From: [identity profile] windrider-09.livejournal.com
I think that following security policies in the IT department, instead of disregarding them as is often the practice, is what prompts the increase in security in the first place.

Yes, increased security is a trade-off in ease of use, but increased security is often a direct result of not following the original policies in the IT department.

Date: Sunday, 22 June 2008 16:33 (UTC)
From: [identity profile] kennitalternity.livejournal.com
That story reminded me of a meeting I had when working for an investment company. There were 30 IT people responsible for the system used to manage all of the transactions, and the highest level of management called a meeting with all of us one day to ask a very good question.

"How many of you would need to work together to rob this company blind?"

We spent the rest of the afternoon figuring out how it could be done. Then we outlined a plan for increased security that was reviewed and implemented. That is the only time in my career I have ever had a company do anything like that.

We figured out that all it would take to embezzle millions was three people working together: any Sys Admin, any Accountant, any Programmer. It was a rather fun experiment, and resulted in a far more secure system. The trade-off was an added delay in the process of implementing changes to the system.

Later

Date: Monday, 23 June 2008 07:26 (UTC)
From: [identity profile] jonty.livejournal.com
This is interesting... because with such security loopholes in systems, SABOX should be f*cking these companies up.

Date: Wednesday, 25 June 2008 07:50 (UTC)
From: [identity profile] jonty.livejournal.com
Oops sorry, I meant SARBOX.
It is basically the outline for best business practices, guidelines and standards in companies.
Our company is huge on SARBOX and we have regular audits on what needs to be up to standard.
