
Biggest insider threat? Sys admin gone rogue

IT workers with privileged access seen as high risk

By , Network World
September 27, 2010 06:08 AM ET

Network World - What's one of the biggest insider threats to the corporate network? The high-tech folks that put it together, make changes to it, and know more about what's on it and how it works than anybody else.

When the database, network or systems administrator goes rogue -- stealing data, setting up secret access for themselves, planting logic bombs in anger to destroy data, or just peeking at sensitive information they know is off limits -- they become the very insider threat that the IT department is supposed to be guarding against.


Indeed, IT workers with privileged access to the network are often considered a greater risk and potential danger than other types of employees.

"They're different because there's a high risk associated with the potential damage they can do," says Donna Durkin, chief information security and privacy officer for Computershare, a global financial services company.


Mike Theis, executive director of insider threat technology for Raytheon, agrees that sys admins and others with privileged-user access are a bigger potential threat than other types of organizational employees. He says his decades-long experience as an investigator in the federal government and commercial sector has shown him that half of detected anomalies -- lapses in accepted protocol -- come from such insiders.

"It doesn't mean they're guilty of anything," Theis adds. "Sometimes they're just trying to get the job done, but they're outside the bounds of the organizational policy."

Sometimes IT workers are pushed by demanding users, such as business and sales managers, to perform tasks in a hurry or to violate official IT policy by, for instance, adding printers on network segments where that's not allowed.

One main concern about privileged access is making sure that IT workers have appropriate access only to the resources they need even as their job function may change. In North America alone, Computershare has about 100 IT workers with privileged access to IT resources who undergo monthly "entitlement reviews" to make sure their access to systems and data is appropriate to the function of their role.

Computershare is moving from what Durkin calls a more "manual process" for entitlement review -- which requires input from business and IT managers as well as the human resources department -- to an automated system from vendor SailPoint, where software will take feeds from various applications to keep a database of predefined rules and roles.

By focusing on the insider threat, Computershare is targeting a real and growing problem. Insiders participate in 48% of all data breaches, according to Verizon's 2010 Data Breach Investigations Report, an analysis of 275 data-breach cases that occurred in 2009. This figure is up from 26% the previous year.

The Verizon report points out that external agents such as hackers are responsible for stealing far more records than insiders. Nonetheless, the report says that most insider cases -- 90% -- are deliberate and malicious, and they usually involve misuse of privileges. The report notes that employees often get more privileges than they need to perform their job duties, with monitoring usually insufficient. Another finding is that 24% of crime tied to internal agents was associated with those undergoing a job change, whether being fired or resigning, newly hired or changing roles within the organization.
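The entitlement review Computershare describes (feeds from applications reconciled against predefined roles) and the Verizon finding on job changes both come down to the same check. The Python below is an added example, not Computershare's or SailPoint's code; the HR feed, application feeds and role rules are constructed, and it flags grants outside a user's current role, users whose role changed since the last review, and accounts holding access with no HR record.

```python
# Predefined rules, constructed for this example: entitlements each role may hold.
ROLE_RULES = {
    "dba": {"oracle:dba", "backup:restore", "vpn:standard"},
    "netadmin": {"router:enable", "vpn:standard"},
    "helpdesk": {"ad:password_reset", "vpn:standard"},
}

# Constructed HR feed: user -> (current role, role at the last review).
HR_FEED = {
    "alice": ("dba", "dba"),
    "bob": ("helpdesk", "netadmin"),  # moved off the network team
    "carol": ("netadmin", "netadmin"),
}

# Constructed application feeds: entitlement -> users currently holding it.
APP_FEEDS = {
    "oracle:dba": {"alice"},
    "backup:restore": {"alice", "carol"},
    "router:enable": {"bob", "carol"},
    "ad:password_reset": {"bob"},
    "vpn:standard": {"alice", "bob", "carol"},
    "fw:admin": {"dave"},  # holder has no HR record at all
}


def review_entitlements(hr_feed, app_feeds, role_rules):
    """Return (user, reason, entitlements) findings sorted by user, then reason.

    Flags grants outside the current role, users whose role changed since the
    last review (old access needs re-certifying), and accounts with no HR record.
    """
    granted = {}  # invert the app feeds into user -> set of entitlements
    for ent, users in app_feeds.items():
        for user in users:
            granted.setdefault(user, set()).add(ent)
    findings = []
    for user, ents in granted.items():
        if user not in hr_feed:
            findings.append((user, "no HR record", frozenset(ents)))
            continue
        role, prev_role = hr_feed[user]
        excess = ents - role_rules.get(role, set())  # unknown role => all excess
        if excess:
            findings.append((user, f"outside role {role}", frozenset(excess)))
        if role != prev_role:
            findings.append((user, f"role changed {prev_role}->{role}", frozenset()))
    return sorted(findings, key=lambda f: f[:2])

if __name__ == "__main__":
    print(*review_entitlements(HR_FEED, APP_FEEDS, ROLE_RULES), sep="\n")
```

A real review would feed each finding to the owning manager for certification; here the reviewer sees that bob kept router access after leaving the network team and that "dave" holds firewall admin with no HR record behind it.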
