Insider controls still lacking

* Cyber-Ark survey offers depressing results

My colleague Tito de Morais, a security-awareness expert in Portugal, has kindly allowed me to reprint some information he sent me that, as he said, "stresses the importance of background checks or perhaps psychological evaluations of personnel who can access critical or personal information."

He pointed me to the results of a survey released by security software vendor Cyber-Ark Software. The report has particular significance given the events of last week, when a network administrator for the City of San Francisco allegedly locked up the city's computer systems.

Here are some highlights of the report:

• 300 senior IT professionals, mostly from companies with more than 1,000 employees, responded to the survey carried out by Cyber-Ark.

• About half admitted to accessing “information that was not relevant to their role” using administrative passwords.

• About a third admitted to accessing confidential information such as salary details, personal e-mail, and meeting minutes.

• About a third of the administrative passwords are changed only quarterly and about 9% are permanent, “giving access indefinitely to all those who know the passwords, even when they've left [their employer].”

• Half the respondents said they needed no authorization from anyone else to use the privileged accounts that granted access to information they had no business accessing.

• Almost three-quarters of the companies in the sample set used insecure channels for transferring confidential data to business partners: about a third used e-mail, about a third used couriers, about a quarter used FTP and 4% used postal mail. Apparently “12% of these senior IT personnel who were interviewed also choose to send cash in the post!”

Tito de Morais continued his commentary to me as follows:

“This reminded me of a case I followed closely in which a tech support guy had access to a PC where the payroll Excel file was stored. The file was used to process salaries and it contained banking details about where the salaries were supposed to be deposited every month. The tech support guy just inserted his bank account details on a director’s record and started receiving the director’s salary each month. The scam lasted some six months – until the day the bank manager called the director because the account lacked funds!”
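The payroll case above, as an added example that is not from the column or from Tito de Morais: a reconciliation check a payroll department could run before each salary run, written here in Python against a constructed CSV export (the original file was an Excel sheet; the column names are hypothetical). It flags any bank account that is paid to more than one employee and any change to a payee account since the previous run, so that someone other than the person with write access to the file has to explain each hit.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data, not from the article. The payroll file in the
# story was an Excel sheet; here it is assumed to have been exported to CSV
# with hypothetical column names. ACCT-3398 is the support technician's own
# account, which in this month's run has also been written into the
# director's record.
PREVIOUS_MONTH = """employee_id,name,role,account
E001,A. Director,Director,ACCT-1154
E002,B. Clerk,Payroll clerk,ACCT-2226
E003,C. Support,Tech support,ACCT-3398
"""

CURRENT_MONTH = """employee_id,name,role,account
E001,A. Director,Director,ACCT-3398
E002,B. Clerk,Payroll clerk,ACCT-2226
E003,C. Support,Tech support,ACCT-3398
"""


def load_payroll(text):
    """Parse a CSV payroll export into {employee_id: row}."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(text))}


def shared_accounts(payroll):
    """Accounts credited for more than one employee: {account: [employee_ids]}.

    Two people legitimately sharing a payee account is rare enough that every
    hit should be explained by someone other than whoever edits the file.
    """
    by_account = defaultdict(list)
    for emp_id in sorted(payroll):
        by_account[payroll[emp_id]["account"]].append(emp_id)
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def changed_bank_details(previous, current):
    """Payee-account changes since the last run: [(employee_id, old, new)].

    A newly added employee is reported with old=None; an employee whose
    record disappeared is reported with new=None. This catches the fraud
    even when the attacker redirects pay to an account that appears nowhere
    else in the file, which the duplicate check alone would miss.
    """
    changes = []
    for emp_id in sorted(set(previous) | set(current)):
        old = previous.get(emp_id, {}).get("account")
        new = current.get(emp_id, {}).get("account")
        if old != new:
            changes.append((emp_id, old, new))
    return changes


def audit(previous_text, current_text):
    """Run both checks and return the findings for a reviewer to sign off."""
    previous = load_payroll(previous_text)
    current = load_payroll(current_text)
    return {
        "shared_accounts": shared_accounts(current),
        "changed_bank_details": changed_bank_details(previous, current),
    }


if __name__ == "__main__":
    findings = audit(PREVIOUS_MONTH, CURRENT_MONTH)
    for acct, ids in findings["shared_accounts"].items():
        print(f"account {acct} is paid to more than one employee: {', '.join(ids)}")
    for emp_id, old, new in findings["changed_bank_details"]:
        print(f"{emp_id}: payee account changed {old} -> {new}")
```

This is a detective control and does not replace the preventive ones (keeping the payroll file off a PC that tech support can write to, and requiring a second person to approve any change to banking details), but run before each salary run it would have surfaced both the duplicated account and the edit to the director's record in the first month rather than the sixth.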

Everyone involved in system and security administration must pay attention to personnel management and to the policies that make effective control of information possible. New readers may find material of value in my series on “Personnel and Security”, which began in May 2000, for thinking about controls over the hiring, management and firing of personnel. In addition, the PowerPoint file or PDF notes on “Employment Practices and Policies” from my IS342 “Management of IA” course at Norwich University may be useful in prompting discussions at security-group meetings or at brown-bag lunches organized by the IT staff.

Copyright © 2008 IDG Communications, Inc.