News

Alarming Number of Superusers Lurking Near Sensitive Data

When it comes to having superuser privileges in an IT environment that's host to sensitive information, absolute power can absolutely corrupt, a study shows.

The annual "Trust, Security and Passwords" survey conducted by Newton, Mass.-based IT security consultancy Cyber-Ark Software found that as many as a third of IT administrators said they still had access to the enterprise environment after leaving the job. Moreover, many also came clean about routinely abusing their admin privileges by accessing company systems and snooping through confidential files, databases and documents.

"What this says about the IT space is that organizations have spent so much time protecting against outside or server-side threats and have given the keys to the kingdom to their in-house staff," said Adam Bosnian, a vice president of product strategy at Cyber-Ark. "The most surprising thing to us is how many people -- anonymously, of course -- admitted to snooping or keeping network passwords when they left the job. Not many are going to admit to this, so what this means is that there are many more unaccounted for."

The results were gleaned from a survey of about 300 mostly senior IT professionals attending the recent Infosecurity Conference in London.

Among the confidential bits of information IT pros admitted to looking at were salary details, merger and acquisition or executive share-sale plans and initiatives, personal e-mails, board meeting minutes and correspondence, and other pieces of personal information.

What's more, nearly half the respondents -- about 47 percent, in fact -- said that, at the very least, they have at times accessed information not relevant to what they're supposed to be doing.

Bosnian and others point out the irony in the fact that at many businesses, users are routinely asked to change their passwords every 90, 60, sometimes even 30 days. But when it comes to generic superuser accounts -- i.e.,"SYSADM" and "SECADMIN" -- which have access to every corner of the IT environment, not so much.

"The amount of shared generic accounts with one password that only a few people know is not only astounding, it's a recipe for disaster," Bosnian said. "While it's easier and more efficient to do this and then trust your IT people, it's dangerous because these passwords hardly ever change and are passed on Post-it notes from one IT guy to the next."

The Wolf and the Orphan Accounts
Last month, right around the time Cyber-Ark was collecting its survey data, another security services consultant -- Los Angeles-based Symark International -- conducted a study of its own on orphaned accounts that go to the root of the inside-job phenomenon.

Ellen Libenson, Symark's vice president of product management, feels some vindication now that what she had been saying since the beginning of the year about insider threats seems to be coming to fruition -- and people are starting to take notice.

"This is a textbook wolf-and-hen-house issue," Libenson said. "This is especially prevalent at smaller companies where separation of duties is absent. In this instance, a developer might be the systems admin, the network admin and the programmer, and it's unlimited access."

Indeed, evidence of this emergent threat has been around for a while and promises to get worse. A recent SANS Institute report cited insider threats as a major problem going forward. And Libenson and her peers in the IT security arena contend that even if there clearly aren't enough staff in an IT shop, there should be some level of monitoring -- even by people who may not have an IT background.

For instance, physical security tracking can still mitigate risk if staff members have to sign in during off-hours or an independent consultant periodically reviews system activity or processing environment log-ons. This way, an independent auditor, consultant or someone from another department charged with periodically reviewing activity can swoop in with a fresh eye and take a look at things.

"What you need in situations like this is either an automated tool or a procedure in place that lets you know that between 3 and 3:40, Adam Bosnian was on the system, or at least cut down on the amount of superuser log-ins so that it's impossible not to tell who was doing what," Bosnian said. "Because survey aside, it's the people that don't jokingly admit to what they're doing that you have to worry about."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured