System administrators are biggest risk to corporate data

My baby is leaving home, aged 23. We are now negotiating what he is legitimately allowed to take with him. First up is the TV. When you're setting up your own home, it's important to get your priorities right. The other main item is the door keys. In my book, if he is going on his own, then he leaves them behind. Living here for 23 years does not entitle him to walk in when it suits him, writes Calum Macleod, Western Europe director for CyberArk.

But my son appears to share the view of Harold James Boomer of Kansas City. On the day he left Midwest Technology Connections (MTC) in June 2006 to set up on his own, he created an administrator account that gave him complete access to the network, and allowed him to monitor the e-mail accounts of key employees. He also installed hacking software that gave him access to all of MTC's customers' data. In effect, he copied the backdoor key. For this, Boomer has just started a 10-month prison sentence, and has to pay $24,000 in restitution to Midwest Technology Connections.

It's not like he didn't know what he was doing. His new company offered services such as "ethical hacking". His website stated, "Companies cannot afford to have hackers infiltrating their systems and stealing their valuable information and assets." It also said, "We have found that security requirements are rarely addressed adequately in the design of new IT systems or projects. Our testing will highlight any security areas that may have been overlooked, as well as allowing a more complete test of compliance with your security policy."

Boomer was speaking from experience when his website proclaimed that more attacks come from the inside (from "trusted folks") than from the outside. "Systems administrators should evaluate their users and the assets they have access to," he advised.

What he didn't say is that studies show that systems administrators are the biggest risk to corporate information.

From a security perspective, shared or administrative identities are the most powerful IDs on any system because they are required to access so many system and security functions. This is especially true of most distributed systems, such as Windows, Unix, firewalls and network appliances.

Because speed and effectiveness of response are so important in a crisis, systems administrators all too often share passwords and other access devices, sometimes even while they are working their notice.

Sharing the password of a privileged account leaves an organisation vulnerable to unplanned or malicious changes, and also makes it difficult to hold individuals accountable for their actions. This means it is always risky to share passwords related to these shared IDs.

If the password is shared, any of the administrators can change the password, thus locking out all other administrators from the affected system. Also, if the password is lost, recovery typically means taking down the entire system. And, of course, they can create new accounts with administrator privileges or use their privileges to install nasty software.

In general, the most risky accounts cover the functions of system administrator, system function operator, application function accounts (for example, "db2inst"), application admin accounts that are hard coded in applications, operational support accounts, and batch/embedded/service accounts where account information is retrieved using a script-specific password or other authentication mechanism.

Many organisations rely on paper-based procedures known generally as "emergency envelope procedures". They have policies that are rarely, if ever, enforced. They take little or no account of physical disaster situations. They forget or ignore the risk posed by IT staff.

We know from UK surveys that about one-third of IT staff leave their employers still with access to privileged accounts. Some even think this is some sort of compensation that they are entitled to when they leave.

What we need is a way to manage and audit privileged passwords and their use in multi-user, multi-system environments. Had MTC done this, Boomer might still be free - but he would certainly not have hacked the firm.
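The two failures the column describes, a shared privileged password that removes individual accountability and a leaver who keeps privileged access, are both visible in authentication logs if someone looks. The script below is an added example, not code from the article or from CyberArk; it runs two simple audit checks over a constructed, simplified log format. The account ownership table, the HR leaver list and the host and user names are all hypothetical.

```python
"""Privileged-account audit over constructed sample authentication events.

Added example (not from the original article). Two checks:
1. A shared administrative account (no single named owner) used from several
   source hosts inside a short window, so nobody can say who did what.
2. A named privileged account still used after its owner's leaving date.
The log format below is a constructed, simplified key=value line, not a
real product's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, account, source host, result.
SAMPLE_LOG = """\
2006-06-12T08:01:10 account=root src=ws-alice.corp.example result=success
2006-06-12T08:03:45 account=root src=ws-bob.corp.example result=success
2006-06-12T08:05:02 account=root src=ws-carol.corp.example result=success
2006-06-12T09:30:00 account=db2inst src=batch01.corp.example result=success
2006-06-12T22:15:30 account=jdoe-admin src=vpn-pool-17.example.net result=success
2006-06-13T02:40:11 account=jdoe-admin src=vpn-pool-22.example.net result=success
"""

# Hypothetical inventory: shared IDs have no owner; personal admin IDs map to a user.
SHARED_ACCOUNTS = {"root", "db2inst"}
ACCOUNT_OWNER = {"jdoe-admin": "jdoe"}

# Hypothetical HR leaver list: user -> last working day.
LEAVERS = {"jdoe": datetime(2006, 6, 9)}


def parse_log(text):
    """Parse the constructed log lines into dicts with a datetime 'time' key."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"time": datetime.fromisoformat(ts), **fields})
    return events


def shared_account_use(events, window=timedelta(minutes=10), min_sources=2):
    """Return {account: sorted source hosts} for every shared account that
    logged in successfully from at least min_sources hosts within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["account"] in SHARED_ACCOUNTS:
            by_account[e["account"]].append(e)
    findings = {}
    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            # Distinct hosts seen in the window starting at this event.
            srcs = {x["src"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(srcs) >= min_sources:
                findings[acct] = sorted(srcs)
                break
    return findings


def post_departure_use(events, grace=timedelta(days=1)):
    """Return [(account, iso_time)] for successful logins by a personal
    privileged account after its owner's last day plus a short grace period."""
    hits = []
    for e in events:
        owner = ACCOUNT_OWNER.get(e["account"])
        last_day = LEAVERS.get(owner)
        if last_day is not None and e["result"] == "success" and e["time"] > last_day + grace:
            hits.append((e["account"], e["time"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared accounts used from multiple hosts:", shared_account_use(evs))
    print("privileged logins after owner left:", post_departure_use(evs))
```

Both checks depend on data the column says most organisations do not keep in a usable form: an inventory that says which privileged IDs are shared and who owns the personal ones, and an HR leaver feed that security can join against. The first finding only proves that several people used root, not which one made a given change; that gap is exactly the accountability problem the author is describing.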

Just so you know, my baby will be leaving the backdoor key behind and the TV is staying exactly where it is. The only niggling question is, should I change the locks, just in case?
