
My baby is leaving home, aged 23. We are now negotiating
what he is legitimately allowed to take with him. First up is the
TV. When you're setting up your own home, it's important to get
your priorities right. The other main item is the door keys. In my
book, if he is going on his own, then he leaves them behind. Living
here for 23 years does not entitle him to walk in when it suits
him, writes Calum Macleod, Western Europe director for
CyberArk.
But my son appears to share the view of Harold James Boomer of Kansas City.
On the day he left Midwest Technology Connections (MTC) in June 2006 to set
up on his own, he created an administrator account that gave him complete
access to the network, and allowed him to monitor the e-mail accounts of
key employees. He also installed hacking software that gave him access to
all of MTC's customers' data. In effect, he copied the backdoor key. For
this, Boomer has just started a 10-month prison sentence, and has to pay
$24,000 in restitution to Midwest Technology Connections.
It's not like he didn't know what he was doing. His new company offered
services such as "ethical hacking". His website stated, "Companies cannot
afford to have hackers infiltrating their systems and stealing their
valuable information and assets." It also said, "We have found that
security requirements are rarely addressed adequately in the design of new
IT systems or projects. Our testing will highlight any security areas that
may have been overlooked, as well as allowing a more complete test of
compliance with your security policy."
Boomer was speaking from experience when his website proclaimed
that more attacks come from the inside (from "trusted folks") than
from the outside. "Systems administrators should evaluate their
users and the assets they have access to," he advised.
What he didn't say is that studies show that systems
administrators are the biggest risk to corporate information.
From a security perspective, shared or administrative identities
are the most powerful IDs on any system because they are required
to access so many system and security functions. This is especially
true of most distributed systems, such as Windows, Unix, firewalls
and network appliances.
Because speed and effectiveness of response are so important in
a crisis, systems administrators all too often share passwords and
other access devices, sometimes even while they are working their
notice.
Sharing the password of a privileged account leaves an
organisation vulnerable to unplanned or malicious changes, and also
makes it difficult to hold individuals accountable for their
actions. This means it is always risky to share passwords related
to these shared IDs.
If the password is shared, any of the administrators can change
the password, thus locking out all other administrators from the
affected system. Also, if the password is lost, recovery typically
means taking down the entire system. And, of course, they can
create new accounts with administrator privileges or use their
privileges to install nasty software.
In general, the most risky accounts cover the functions of
system administrator, system function operator, application
function accounts (for example, "db2inst"), application admin
accounts that are hard coded in applications, operational support
accounts, and batch/embedded/service accounts where account
information is retrieved using a script-specific password or other
authentication mechanism.
Many organisations rely on paper-based procedures known
generally as "emergency envelope procedures". They have policies
that are rarely, if ever, enforced. They take little or no account
of physical disaster situations. They forget or ignore the risk
posed by IT staff.
We know from UK surveys that about one-third of IT staff leave
their employers still with access to privileged accounts. Some even
think this is some sort of compensation that they are entitled to
when they leave.
What we need is a way to manage and audit privileged passwords
and their use in multi-user, multi-system environments. Had MTC
done this, Boomer might still be free - but he would certainly not
have hacked the firm.
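One concrete form of the audit the column calls for is a leaver reconciliation: cross-check the HR leavers list against privileged-group membership and against the shared accounts each leaver knew the password for, and flag anything not cleaned up. The script below is an added example, not CyberArk's or the column's own code; the three CSV exports, their column names and the sample users are constructed for illustration.

```python
"""Leaver reconciliation for privileged and shared accounts (added example).

Flags two things a departing admin can leave behind:
  1. membership of a privileged group that outlived their employment;
  2. a shared account whose password has not been rotated since they left,
     so the leaver still effectively holds the key.
"""
import csv
import io
from datetime import date

# Constructed sample exports; column layout is an assumption for this example.
LEAVERS_CSV = """user,left_on
alice,2024-03-31
bob,2024-01-15
"""
PRIV_MEMBERS_CSV = """group,user
Domain Admins,alice
Domain Admins,carol
root-sudoers,bob
root-sudoers,carol
"""
# known_to: users who were given the shared password (from a sign-out log).
SHARED_ACCOUNTS_CSV = """account,system,known_to,last_rotated
root,mail01,alice;carol,2024-02-01
db2inst,db01,bob;carol,2024-02-20
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_leavers(leavers_csv, priv_csv, shared_csv):
    """Return sorted (finding, user, target) tuples for the two failure modes."""
    left_on = {r["user"]: date.fromisoformat(r["left_on"]) for r in _rows(leavers_csv)}
    findings = []
    for r in _rows(priv_csv):  # leaver still in a privileged group
        if r["user"] in left_on:
            findings.append(("stale_membership", r["user"], r["group"]))
    for r in _rows(shared_csv):  # shared password not rotated after a leaver left
        rotated = date.fromisoformat(r["last_rotated"])
        for user in r["known_to"].split(";"):
            if user in left_on and rotated <= left_on[user]:
                findings.append(("unrotated_shared_password", user, f"{r['account']}@{r['system']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_leavers(LEAVERS_CSV, PRIV_MEMBERS_CSV, SHARED_ACCOUNTS_CSV):
        print(*finding)
```

With the sample data, bob's db2inst password was rotated after he left and is not flagged, while alice's root password on mail01 was last rotated before her leaving date and is.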
Just so you know, my baby will be leaving the backdoor key
behind and the TV is staying exactly where it is. The only niggling
question is, should I change the locks, just in case?