AUGUST 9, 2006 | Pop quiz: Who's most likely to tamper with sensitive
data in your enterprise?
- (A) An external hacker with no privileges on your network.
- (B) An end user who needs a password just to access the company holiday
schedule.
- (C) An IT staffer who owns the root passwords to every server in the
enterprise.
The answer is obvious. Yet, while 99 percent of security technologies
and policies are geared to restrict the access of A and B, virtually
nothing is being done to protect systems and data against tampering
by the one organization that could most easily do it: The IT
department itself.
As the keepers of the keys, IT and security staff have the best
chance to access sensitive corporate data without being detected.
Officially, IT people say they never access systems or documents
except on authorized business, such as an audit or a security
investigation. Unofficially, many IT people concede that they
regularly see abuse of security privileges.
"It happens all the time," says Richard Stiennon, founder of IT-
Harvest Inc., a security consultancy. "I have heard them tell stories
of checking on an executive's browsing habits, reading email, just
about everything you would fear."
Of course, some functions require security staffers to access, even
read, sensitive documents as part of everyday system surveillance, an
audit, or an investigation of suspected policy violations. But how
often do IT people extend their "snooping" beyond those functions,
just because they can?
"In the average Fortune 500 company today, I would say there is a 100
percent probability that an employee with privileged access to
systems and data is looking at records that they don't have any
reason or authorization to look at," says Larry Ponemon, founder of
the Ponemon Institute, an independent research firm specializing in
data protection and privacy issues. "They feel like it's their right
as IT and security people."
It's difficult to quantify the online behavior of IT people,
principally because they are capable of excluding themselves from
most efforts to analyze online activity.
"One of the first things IT staffers do when they implement our
products is configure them so that they, or the whole IT department,
will be exempt from monitoring," says Roy Pareira, vice president of
marketing and business development at Snipe Networks, which makes
tools for tracking user behavior and anomaly detection. "In other
cases, our software might detect suspicious behavior from a certain
user, and the IT manager will say, 'Oh, that's just Joe, he's on my
staff,' and nobody ever checks into it."
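The two failure modes Pareira describes, IT groups exempted from monitoring and alerts on IT staff closed by their own manager, are both auditable from the monitoring system's own records. The following is an added example, not code from the article or from any vendor named in it; the record layouts, group names and user names are constructed assumptions.

```python
"""Added example (not from the article): flag monitoring exemptions that
cover privileged groups, and alerts closed by their subject or the
subject's manager with no independent reviewer. All data is constructed."""

# Groups whose members hold the root passwords; they must never be exempt.
PRIVILEGED_GROUPS = {"it-admins", "security-ops", "domain-admins"}

# Constructed monitoring policy: one exemption rule per dict (assumed schema).
EXEMPTIONS = [
    {"rule": "ex-1", "group": "executive-assistants", "reason": "legal hold"},
    {"rule": "ex-2", "group": "it-admins", "reason": "noise"},
    {"rule": "ex-3", "group": "security-ops", "reason": "tool testing"},
]

# Constructed directory data: user -> (groups, manager).
DIRECTORY = {
    "joe":   ({"it-admins"}, "alice"),
    "alice": ({"it-admins"}, "cio"),
    "bob":   ({"finance"}, "carol"),
}

# Constructed alert queue: who triggered it, who closed it, any second reviewer.
ALERTS = [
    {"id": 101, "subject": "joe", "closed_by": "alice", "reviewer": None},
    {"id": 102, "subject": "bob", "closed_by": "carol", "reviewer": "audit"},
    {"id": 103, "subject": "joe", "closed_by": "joe", "reviewer": None},
    {"id": 104, "subject": "joe", "closed_by": "alice", "reviewer": "audit"},
]


def privileged_exemptions(exemptions, privileged=PRIVILEGED_GROUPS):
    """Return rule ids that exempt a privileged group from monitoring."""
    return [e["rule"] for e in exemptions if e["group"] in privileged]


def unreviewed_closures(alerts, directory):
    """Return alert ids closed by the subject, or by the subject's own
    manager, without an independent reviewer (the 'that's just Joe' case)."""
    flagged = []
    for a in alerts:
        _, manager = directory.get(a["subject"], (set(), None))
        self_or_manager = a["closed_by"] in (a["subject"], manager)
        if self_or_manager and not a["reviewer"]:
            flagged.append(a["id"])
    return flagged


if __name__ == "__main__":
    print("exemptions covering privileged groups:", privileged_exemptions(EXEMPTIONS))
    print("alerts closed without independent review:", unreviewed_closures(ALERTS, DIRECTORY))
```

Both checks are read-only reviews of policy and ticket data, so they can be run by an auditor who is not part of the IT department.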
Because most of IT's activity goes undetected, it's impossible to say
how prevalent such snooping is, or exactly what types of data are
being accessed. In his research, Ponemon found that IT people are
usually interested in their colleagues.
"Payroll records and employee files are two of the most common
destinations," Ponemon says. "They want to see salary information,
performance evaluations, that sort of thing. Usually, the CEO and the
CIO are the top targets."
Most snooping goes undetected because IT people are smart enough to
keep what they learn to themselves, Ponemon says. "Unless they're
leaking it to the local newspaper or selling customer data records,
they usually don't leave much of a trail."
However, when an IT staffer is unhappy or disgruntled, this abuse of
security privileges can escalate to a much more threatening level. In
fact, 86 percent of "insider" computer sabotage -- malicious system
attacks that don't involve fraud or information theft -- is
perpetrated by employees in technical positions, according to a study
published last year by the U.S. Secret Service's National Threat
Assessment Center and the Carnegie Mellon Software Engineering
Institute's CERT Program.
"We've seen cases where IT staff planted logic bombs, installed back
doors, and changed or vandalized computer records," says Dawn
Cappelli, senior member of the technical staff at Carnegie Mellon's
CERT Program and a chief author of the report. (See Ex-UBS Sys Admin
Found Guilty.) One logic bomb inflicted more than $10 million in
damage at a defense manufacturing firm, leading to the layoff of more
than 80 employees.
"There may be some eavesdropping going on in your IT organization,
but that kind of damage is not caused by a happy person who comes
into work every day and loves their job," Cappelli observes. "If you
want to prevent that sort of attack, you need to be watching your
employees."
"In most cases, insider sabotage is triggered by a negative work-related
event," Cappelli explains. "It's not always someone getting
demoted or fired. It could be that they get a new boss, or they get
moved to a new group, or their vacation request gets denied." In most
cases, the attacks are preceded by outbursts or other behavior
changes, followed by a period of laying the technical groundwork for
an attack, she says.
It usually isn't possible to track the keystrokes of every IT
employee, but there are tools for monitoring the online behavior of
specific individuals -- even in IT, Cappelli notes. While she
declined to endorse any single vendor, Snipe Networks and Vontu were
mentioned by other experts. IT administrators should be wary of
employees who display erratic behavior, and at that point, it may be
a good idea to use one of these tools to be certain that they are not
laying the groundwork for sabotage, Cappelli says.
Monitoring an IT employee's behavior can be tricky because the IT
department is usually aware that a monitoring tool is being
installed, Stiennon observes. "I had a client at a publicly-traded
company whose confidential inside information was being posted to
Yahoo! Financial," he recalls. "When I suggested various forensic
tools, the chief counsel admitted that their primary suspect was the
security admin. They could not install a sniffer or anything without
his knowledge."
In some cases, internal IT attacks are sophisticated enough to hide
the perpetrator's tracks. "We've seen some very smart people in some
of these incidents," Cappelli says. In a few cases, the attacker has
even altered system logs to turn the blame toward a colleague, she
says.
In most cases, though, the abuse of security privileges leads to more
snooping than sabotage. Even in those cases, however, it's a good
idea to have the ability to monitor IT staffers' behavior.
"It's surprising to see how people's behavior changes when they know
they're being monitored," Ponemon says.