
6 tips for guarding against rogue sys admins

CISOs, security experts offer advice about ferreting out thieving employees

By , Network World
September 27, 2010 06:08 AM ET

Network World - One of the biggest threats that organizations face is losing sensitive data -- such as payment card or personally identifiable information about customers or employees -- to theft from their own employees. The threat is greatest from systems and network administrators, who have privileged access to vast amounts of corporate data and are responsible for most compromised records in insider cases.


"Today, I worry about insider threats more than hackers because that's where we are weakest," says Jason Benedict, CISO of Fordham University. "We have firewalls. We have intrusion protection. We have antivirus. We've mitigated the external risk rather successfully. The hole in the university is the insider threat. I don't think we've ever had an insider become malicious and take information and sell it. But we often see ... people browsing information that they are not privileged to see. People with high-level privileges have been known to browse employee salary rates because they can."


Heather Wyson, vice president of the fraud program at the BITS Financial Services Roundtable, says there has been an increase in insider incidents among U.S. financial services firms.

"You have intentional breaches like theft of financial or proprietary information and placement of logic bombs and malware, but you also have the unintentional breaches caused by insiders such as employees accidentally opening an infected file, installing unauthorized software or threats from social media," Wyson says. "We've seen an increase in the intentional and the unintentional" insider-related security breaches.

We spoke with CISOs and IT security experts about what practical steps IT departments can take to minimize the insider threat. Here's their advice:

1. Restrict and monitor users with special privileges.

Nearly half (48%) of all data breaches come from insiders, according to Verizon's 2010 Data Breach Investigations Report. And the insiders that you need to watch closest are those with special privileges. Verizon recommends that CIOs use pre-employment screening to eliminate potential employees who have violated usage policies in the past. BITS offers its members a fraud-prevention service where they can share information about former employees who were found guilty of crimes but not prosecuted. Also, employees should not be given more privileges than they need for their current job, and duties should be separated so that too much access and power isn't concentrated in one employee. "Privileged use should be logged and generate a message to management," Verizon recommends. "Unplanned privileged use should generate alarms and be investigated."

2. Keep user access and privileges current, particularly during times of job changes or layoffs.

Verizon found that 24% of the insider incidents involved employees who had recently undergone a job change. Half of them had been fired, while others had resigned or been assigned a new role within the company. Breaches were caused when employees' accounts were not disabled quickly enough or the employee was allowed to finish the workday after being terminated. That's why Verizon recommends that companies have "termination plans that are timely and encompass all areas of access."
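Taken together, tips 1 and 2 amount to a simple detection rule: log every use of elevated privilege, compare it against what was planned, and alarm on anything else, including activity from an account that should already have been disabled. The Python below is an added illustration, not code from the Network World article or the Verizon report; the sudo-style log lines, the approved-change register and the terminated-account list are constructed sample data.

```python
# Added example: flag unplanned privileged use and activity from accounts that
# should be disabled, over constructed sudo-style syslog lines (not real data).
import re
from datetime import datetime

# Constructed log lines in the shape of Linux sudo entries written to syslog.
SAMPLE_LOG = """\
Sep 27 09:05:12 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Sep 27 13:42:07 db01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/pg_dump customers
Sep 27 10:15:33 web02 sudo:   carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/access.log
"""

# Constructed approved-change register: (host, admin, window start, window end).
APPROVED_WINDOWS = [
    ("db01", "alice", datetime(2010, 9, 27, 9, 0), datetime(2010, 9, 27, 10, 0)),
]
# Constructed list of accounts HR has reported as terminated (tip 2).
TERMINATED = {"carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : .*"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_line(line, year=2010):
    """Return a dict for one sudo log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "target": m["target"], "cmd": m["cmd"]}

def is_planned(event):
    """Privileged use counts as planned only inside an approved window for that admin and host."""
    return any(h == event["host"] and u == event["user"] and start <= event["ts"] <= end
               for h, u, start, end in APPROVED_WINDOWS)

def audit(log_text):
    """Return (reason, line) alarms: terminated accounts first, then unplanned use."""
    alarms = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue  # not a sudo line; a real pipeline would count these separately
        if ev["user"] in TERMINATED:
            alarms.append(("terminated-account", line))
        elif not is_planned(ev):
            alarms.append(("unplanned-privileged-use", line))
    return alarms

if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG):
        print(f"ALARM [{reason}] {line}")
```

Planned activity (alice, inside her window) produces no alarm; the ad hoc dump by bob and any activity by the terminated carol account do.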
