Alarming Number of Superusers Lurking Near Sensitive Data
- By Jabulani Leffall
- June 23, 2008
When it comes to having superuser privileges in an IT environment that's host
to sensitive information, absolute power can absolutely corrupt, a study shows.
The annual "Trust,
Security and Passwords" survey conducted by Newton, Mass.-based IT
security consultancy Cyber-Ark Software found that as many as a third of IT
administrators said they still had access to the enterprise environment after
leaving the job. Moreover, many also came clean about routinely abusing their
admin privileges by accessing company systems and snooping through confidential
files, databases and documents.
"What this says about the IT space is that organizations have spent so
much time protecting against outside or server-side threats and have given the
keys to the kingdom to their in-house staff," said Adam Bosnian, a vice
president of product strategy at Cyber-Ark. "The most surprising thing
to us is how many people -- anonymously, of course -- admitted to snooping or
keeping network passwords when they left the job. Not many are going to admit
to this, so what this means is that there are many more unaccounted for."
The results were gleaned from a survey of about 300 mostly senior IT professionals
attending the recent Infosecurity Conference in London.
Among the confidential bits of information IT pros admitted to looking at were
salary details, merger and acquisition or executive share-sale plans and initiatives,
personal e-mails, board meeting minutes and correspondence, and other pieces
of personal information.
What's more, nearly half the respondents -- about 47 percent, in fact -- said
that, at the very least, they have at times accessed information not relevant
to what they're supposed to be doing.
Bosnian and others point out the irony in the fact that at many businesses,
users are routinely asked to change their passwords every 90, 60, sometimes
even 30 days. But when it comes to generic superuser accounts -- i.e.,"SYSADM"
and "SECADMIN" -- which have access to every corner of the IT environment,
not so much.
"The amount of shared generic accounts with one password that only a few
people know is not only astounding, it's a recipe for disaster," Bosnian
said. "While it's easier and more efficient to do this and then trust your
IT people, it's dangerous because these passwords hardly ever change and are
passed on Post-it notes from one IT guy to the next."
The Wolf and the Orphan Accounts
Last month, right around the time Cyber-Ark was collecting its survey data,
another security services consultant -- Los Angeles-based Symark International
a study of its own on orphaned accounts that go to the root of the inside-job
Ellen Libenson, Symark's vice president of product management, feels some vindication
now that what she had been saying since the beginning of the year about insider
threats seems to be coming to fruition -- and people are starting to take notice.
"This is a textbook wolf-and-hen-house issue," Libenson said. "This
is especially prevalent at smaller companies where separation of duties is absent.
In this instance, a developer might be the systems admin, the network admin
and the programmer, and it's unlimited access."
Indeed, evidence of this emergent threat has been around for a while and promises
to get worse. A recent
SANS Institute report cited insider threats as a major problem going forward.
And Libenson and her peers in the IT security arena contend that even if there
clearly aren't enough staff in an IT shop, there should be some level of monitoring
-- even by people who may not have an IT background.
For instance, physical security tracking can still mitigate risk if staff members
have to sign in during off-hours or an independent consultant periodically reviews
system activity or processing environment log-ons. This way, an independent
auditor, consultant or someone from another department charged with periodically
reviewing activity can swoop in with a fresh eye and take a look at things.
"What you need in situations like this is either an automated tool or
a procedure in place that lets you know that between 3 and 3:40, Adam Bosnian
was on the system, or at least cut down on the amount of superuser log-ins so
that it's impossible not to tell who was doing what," Bosnian said. "Because
survey aside, it's the people that don't jokingly admit to what they're doing
that you have to worry about."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.