Incident Response, Network Security, TDR

Process over trust: Will we ever learn?

Time and time again we have learned that IT administrators – especially disgruntled, departing ones – can deal catastrophic damage to an organization.

Last year, a disgruntled San Francisco computer engineer, blocked the city from accessing their own emails, payroll files, and jail inmate bookings even as he sat in jail with five million dollars in bail. And just this year Fannie Mae discovered that a laid-off IT contractor maintained remote access to sensitive systems for months, which he attempted to use for sabotage.

Today the threat is worse than ever before. About half of employees claim their company has low morale and the Bureau of Labor Statistics reports nearly 300,000 people a month have been losing their jobs to mass layoffs. The economy is shrinking the IT workforce and Gartner expects 30 percent of American IT jobs will be exported by 2015. Many IT staff feel overworked, underpaid and underappreciated.

Compensation disputes and fear of layoffs drove Yung-Hsun Lin, a former IT administrator for Medco Health, to attempt to destroy a critical corporate database. Yung-Hsun's motivations are becoming increasingly common.  When the company decides to give angry IT employees the boot, the form of retaliation is a no-brainer.

Paradoxically, the users who have the opportunity, access and know-how to wreck the most damage to an organization are also most often given access on the basis of trust alone. Shared accounts, a lack of monitoring and lax account management offers little assurance IT administrators are not abusing their privileges. A root password that is shared by all administrators in the department is often the only security measure in place.

In no other area of IT is this approach considered acceptable. Best practices in IT service management, such as the IT Infrastructure Library (ITIL), emphasize the value of defining, implementing and continuously improving verifiable and repeatable processes for assuring reliable IT control.

A survey from Enterprise Management Associates (EMA) found that 94 percent of high performers in IT risk and compliance properly define, implement and monitor consistent processes for IT management's access. These high performers in risk and compliance have half the disruptive security incidences, more successful IT changes, and more of their IT projects are completed on time and within budget.

Clearly, to give businesses greater confidence in privilege management, while providing auditors a reliable record of integrity, we must define, implement, monitor and enforce processes for delegating administrative access. Currently, many organizations do not have proper processes in place.

In the case of Fannie Mae, an IT contractor maintained network access for months after leaving the company. According to a Symark survey of 850 security, IT, HR and C-level executives, this is not unusual. 42 percent of companies have no idea how many orphaned accounts exist in their organization and 30 percent have no procedure to locate them.

EMA calls it “an astonishing reality” that privileged access management remains one of the most visible gaps among enterprises that are otherwise mature in IT control. During a time of economic uncertainty, the group of high risk, disgruntled, laid-off IT savvy individuals with motive and know-how is making the issue more important than ever before.

The bottom line is that nobody should let the company hinge on the trust of a small number of privileged users. Everyone should have a process. Here are four critical IT risk controls to consider:

Define processes

You'll need a documented process for:

  • Deprovisioning employees, contractors and other users – Whenever someone is no longer employed by the company, a termination process should be in place that disables all of that person's access to the company's physical locations, networks, systems, applications and data. When mass layoffs occur, it is important to have the tools and processes to be able to identify and terminate such access on an immediate and global basis.
  • Logging administrative activities and monitoring that information for suspicious behavior – The ability to log, monitor and audit activities can provide the company with the data to discover and investigate suspicious insider actions before more serious consequences can occur. In addition to helping prevent unauthorized system changes, loss of intellectual property and theft of customer information, periodic monitoring can assist companies with their overall data leak prevention strategy.
  • Prohibit application-to-application access – In order to simplify integration of multiple applications and databases, access for interactions between applications are often hard-coded username and password credentials in the integration code. This can put credential in an easily discovered format for malicious discovery and exploit. Make it the company policy not to use this corner-cutting strategy.

Implement and monitor processes

  • Shutting off computer access when people leave the organization is just one step. You should also keep tabs on current and former employees who are using company data systems remotely. One of the biggest challenge companies face is from people with external access. To prevent this, it's essential to implement software that can detect, analyze and report on what people do inside a firm's computer system down to the keystroke.
  • To guard against tampering with the audit trail, make sure the logs are immediately stored on a different system, preferably one to which few administrators have access.
  • More caution should be used with administrators and other privileged users because of their technical ability and access to commit and conceal malicious activity. Checks-and-balances procedures, such as separation of duties (SOD) and two-person rule for critical administrative functions, can help limit the ability for an administrator to commit a crime without the cooperation of another individual. Implementing the Principle of Least Privilege, where insiders are authorized to perform only the tasks necessary to do their jobs, is another effective method.

Respond to detected issues

  • IT administrators or DBAs should only have access where there is a defined business need to enter the systems as a privileged user.
  • Every company needs to have a process in place to detect suspicious behavior that may be an abuse of access privileges.
  • Having visibility into the user's access will enable a quicker response if they are tampering with the company's IT infrastructure and can prevent it with proper tools in place.

A company should have an insider incident response plan that will respond to an insider attack and help mitigate any damages. The challenge here is that the people assigned to the response team are the exact same people who are most likely to use their technical expertise to commit those crimes in the first place. Should an attack occur, the company would need to identify the insider, gather the forensic evidence and follow up appropriately.

Having these steps to defining transparent, reliable and enforceable processes is KEY for your organization to get a handle on its IT control and ultimately eliminate the myriad of security threats out there.  

Jeff Nielsen is the director of development and quality assurance for Symark International, a developer of identity and access management products.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.