
IT's Roving Eyes

From snooping to sabotage, your IT department might be your enterprise's greatest unchecked security threat

Pop quiz: Who's most likely to tamper with sensitive data in your enterprise?

  A. An external hacker with no privileges on your network.
  B. An end user who needs a password just to access the company holiday schedule.
  C. An IT staffer who owns the root passwords to every server in the enterprise.

The answer is obvious. Yet, while 99 percent of security technologies and policies are geared to restrict the access of A and B, virtually nothing is being done to protect systems and data against tampering by the one organization that could most easily do it: The IT department itself.

As the keepers of the keys, IT and security staff have the best chance to access sensitive corporate data without being detected. Officially, IT people say they never access systems or documents except on authorized business, such as an audit or a security investigation. Unofficially, many IT people concede that they regularly see abuse of security privileges.

"It happens all the time," says Richard Stiennon, founder of IT-Harvest Inc., a security consultancy. "I have heard them tell stories of checking on an executive's browsing habits, reading email, just about everything you would fear."

Of course, some functions require security staffers to access, even read, sensitive documents as part of everyday system surveillance, an audit, or an investigation of suspected policy violations. But how often do IT people extend their "snooping" beyond those functions, just because they can?

"In the average Fortune 500 company today, I would say there is a 100 percent probability that an employee with privileged access to systems and data is looking at records that they don't have any reason or authorization to look at," says Larry Ponemon, founder of the Ponemon Institute, an independent research firm specializing in data protection and privacy issues. "They feel like it's their right as IT and security people."

It's difficult to quantify the online behavior of IT people, principally because they are capable of excluding themselves from most efforts to analyze online activity.

"One of the first things IT staffers do when they implement our products is configure them so that they, or the whole IT department, will be exempt from monitoring," says Roy Pareira, vice president of marketing and business development at Snipe Networks, which makes tools for tracking user behavior and anomaly detection. "In other cases, our software might detect suspicious behavior from a certain user, and the IT manager will say, 'Oh, that's just Joe, he's on my staff,' and nobody ever checks into it."

Because most of IT's activity goes undetected, it's impossible to say how prevalent such snooping is, or exactly what types of data are being accessed. In his research, Ponemon found that IT people are usually interested in their colleagues.

"Payroll records and employee files are two of the most common destinations," Ponemon says. "They want to see salary information, performance evaluations, that sort of thing. Usually, the CEO and the CIO are the top targets."

Most snooping goes undetected because IT people are smart enough to keep what they learn to themselves, Ponemon says. "Unless they're leaking it to the local newspaper or selling customer data records, they usually don't leave much of a trail."

However, when an IT staffer is unhappy or disgruntled, this abuse of security privileges can escalate to a much more threatening level. In fact, 86 percent of "insider" computer sabotage -- malicious system attacks that don't involve fraud or information theft -- is perpetrated by employees in technical positions, according to a study published last year by the U.S. Secret Service's National Threat Assessment Center and the Carnegie Mellon Software Engineering Institute's CERT Program.

"We've seen cases where IT staff planted logic bombs, installed back doors, and changed or vandalized computer records," says Dawn Cappelli, senior member of the technical staff at Carnegie Mellon's CERT Program and a chief author of the report. (See Ex-UBS Sys Admin Found Guilty.) One logic bomb inflicted more than $10 million in damage at a defense manufacturing firm, leading to the layoff of more than 80 employees.

"There may be some eavesdropping going on in your IT organization, but that kind of damage is not caused by a happy person who comes into work every day and loves their job," Cappelli observes. "If you want to prevent that sort of attack, you need to be watching your employees."

"In most cases, insider sabotage is triggered by a negative work-related event," Cappelli explains. "It's not always someone getting demoted or fired. It could be that they get a new boss, or they get moved to a new group, or their vacation request gets denied." In most cases, the attacks are preceded by outbursts or other behavior changes, followed by a period of laying the technical groundwork for an attack, she says.

It usually isn't possible to track the keystrokes of every IT employee, but there are tools for monitoring the online behavior of specific individuals -- even in IT, Cappelli notes. While she declined to endorse any single vendor, Snipe Networks and Vontu were mentioned by other experts. IT administrators should be wary of employees who display erratic behavior, and at that point, it may be a good idea to use one of these tools to be certain that they are not laying the groundwork for sabotage, Cappelli says.

Monitoring an IT employee's behavior can be tricky because the IT department is usually aware that a monitoring tool is being installed, Stiennon observes. "I had a client at a publicly-traded company whose confidential inside information was being posted to Yahoo! Financial," he recalls. "When I suggested various forensic tools, the chief counsel admitted that their primary suspect was the security admin. They could not install a sniffer or anything without his knowledge."

In some cases, internal IT attacks are sophisticated enough to hide the perpetrator's tracks. "We've seen some very smart people in some of these incidents," Cappelli says. In a few cases, the attacker has even altered system logs to turn the blame toward a colleague, she says.
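One control for the log-alteration problem Cappelli describes, added here as an illustration and not code from the article or from any vendor it names: a hash-chained audit trail whose MAC key is held by a log collector outside the administrator's control, so that an entry edited or deleted after the fact breaks verification. The event fields, hostnames, and key below are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample audit trail of privileged actions (field names are
# assumptions for this example, not any product's real log format).
SAMPLE_EVENTS = [
    {"ts": "2007-01-10T09:02:11Z", "user": "admin_a", "action": "login", "host": "hr-db01"},
    {"ts": "2007-01-10T09:05:40Z", "user": "admin_a", "action": "read", "host": "hr-db01",
     "obj": "payroll.xls"},
    {"ts": "2007-01-10T09:07:02Z", "user": "admin_a", "action": "logout", "host": "hr-db01"},
]

GENESIS = "0" * 64  # fixed starting value for the chain


def seal_events(events, key):
    """Chain the events: each MAC covers the entry and the previous entry's MAC.
    The key must live with the collector, not on the box the admin controls."""
    chain, prev = [], GENESIS
    for ev in events:
        body = json.dumps(ev, sort_keys=True)
        tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        chain.append({"event": ev, "prev": prev, "mac": tag})
        prev = tag
    return chain


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of first bad entry).
    Caveat: silently dropping the *tail* is not caught unless the collector
    also anchors the last MAC it received."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    return True, None


def run_checks(key=b"collector-held-key"):
    """Seal the sample trail, then show that rewriting an entry to name a
    colleague, or deleting one from the middle, is detected."""
    chain = seal_events(SAMPLE_EVENTS, key)
    results = {"intact": verify_chain(chain, key)}
    edited = json.loads(json.dumps(chain))        # deep copy via JSON
    edited[1]["event"]["user"] = "admin_b"        # blame shifted to a colleague
    results["edited"] = verify_chain(edited, key)
    results["deleted"] = verify_chain(chain[:1] + chain[2:], key)
    return results
```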

In most cases, though, the abuse of security privileges leads to more snooping than sabotage. Even in those cases, however, it's a good idea to have the ability to monitor IT staffers' behavior.

"It's surprising to see how people's behavior changes when they know they're being monitored," Ponemon says.

— Tim Wilson, Site Editor, Dark Reading
