Pop quiz: Who's most likely to tamper with sensitive data in your enterprise?
A. An external hacker with no privileges on your network.
B. An end user who needs a password just to access the company holiday schedule.
C. An IT staffer who owns the root passwords to every server in the enterprise.
The answer is obvious. Yet, while 99 percent of security technologies and policies are geared to restrict the access of A and B, virtually nothing is being done to protect systems and data against tampering by the one organization that could most easily do it: The IT department itself.
As the keepers of the keys, IT and security staff have the best chance to access sensitive corporate data without being detected. Officially, IT people say they never access systems or documents except on authorized business, such as an audit or a security investigation. Unofficially, many IT people concede that they regularly see abuse of security privileges.
"It happens all the time," says Richard Stiennon, founder of IT-Harvest Inc., a security consultancy. "I have heard them tell stories of checking on an executive's browsing habits, reading email, just about everything you would fear."
Of course, some functions require security staffers to access, even read, sensitive documents as part of everyday system surveillance, an audit, or an investigation of suspected policy violations. But how often do IT people extend their "snooping" beyond those functions, just because they can?
"In the average Fortune 500 company today, I would say there is a 100 percent probability that an employee with privileged access to systems and data is looking at records that they don't have any reason or authorization to look at," says Larry Ponemon, founder of the Ponemon Institute, an independent research firm specializing in data protection and privacy issues. "They feel like it's their right as IT and security people."
It's difficult to quantify the online behavior of IT people, principally because they are capable of excluding themselves from most efforts to analyze online activity.
"One of the first things IT staffers do when they implement our products is configure them so that they, or the whole IT department, will be exempt from monitoring," says Roy Pareira, vice president of marketing and business development at Snipe Networks, which makes tools for tracking user behavior and anomaly detection. "In other cases, our software might detect suspicious behavior from a certain user, and the IT manager will say, 'Oh, that's just Joe, he's on my staff,' and nobody ever checks into it."
Because most of IT's activity goes undetected, it's impossible to say how prevalent such snooping is, or exactly what types of data are being accessed. In his research, Ponemon found that IT people are usually interested in their colleagues.
"Payroll records and employee files are two of the most common destinations," Ponemon says. "They want to see salary information, performance evaluations, that sort of thing. Usually, the CEO and the CIO are the top targets."
Most snooping goes undetected because IT people are smart enough to keep what they learn to themselves, Ponemon says. "Unless they're leaking it to the local newspaper or selling customer data records, they usually don't leave much of a trail."
However, when an IT staffer is unhappy or disgruntled, this abuse of security privileges can escalate to a much more threatening level. In fact, 86 percent of "insider" computer sabotage -- malicious system attacks that don't involve fraud or information theft -- is perpetrated by employees in technical positions, according to a study published last year by the U.S. Secret Service's National Threat Assessment Center and the Carnegie Mellon Software Engineering Institute's CERT Program.
"We've seen cases where IT staff planted logic bombs, installed back doors, and changed or vandalized computer records," says Dawn Cappelli, senior member of the technical staff at Carnegie Mellon's CERT Program and a chief author of the report. (See Ex-UBS Sys Admin Found Guilty.) One logic bomb inflicted more than $10 million in damage at a defense manufacturing firm, leading to the layoff of more than 80 employees.
"There may be some eavesdropping going on in your IT organization, but that kind of damage is not caused by a happy person who comes into work every day and loves their job," Cappelli observes. "If you want to prevent that sort of attack, you need to be watching your employees."
"In most cases, insider sabotage is triggered by a negative work-related event," Cappelli explains. "It's not always someone getting demoted or fired. It could be that they get a new boss, or they get moved to a new group, or their vacation request gets denied." In most cases, the attacks are preceded by outbursts or other behavior changes, followed by a period of laying the technical groundwork for an attack, she says.
It usually isn't possible to track the keystrokes of every IT employee, but there are tools for monitoring the online behavior of specific individuals -- even in IT, Cappelli notes. While she declined to endorse any single vendor, Snipe Networks and Vontu were mentioned by other experts. IT administrators should be wary of employees who display erratic behavior, and at that point, it may be a good idea to use one of these tools to be certain that they are not laying the groundwork for sabotage, Cappelli says.
Monitoring an IT employee's behavior can be tricky because the IT department is usually aware that a monitoring tool is being installed, Stiennon observes. "I had a client at a publicly-traded company whose confidential inside information was being posted to Yahoo! Financial," he recalls. "When I suggested various forensic tools, the chief counsel admitted that their primary suspect was the security admin. They could not install a sniffer or anything without his knowledge."
In some cases, internal IT attacks are sophisticated enough to hide the perpetrator's tracks. "We've seen some very smart people in some of these incidents," Cappelli says. In a few cases, the attacker has even altered system logs to turn the blame toward a colleague, she says.
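The log alteration Cappelli describes, and the self-exemption from monitoring that Pareira describes earlier, come down to the same control: the record of privileged activity has to be kept in a form the administrator cannot quietly rewrite. The Python below is an added example, not code from the article or from any vendor it names. It hash-chains audit records under an HMAC key that is assumed to be held by a separate log collector the administrators cannot read, and shows that an admin who edits a record to name a colleague, or deletes the record of a payroll read, breaks the chain unless they also hold the collector's key. All usernames, paths, timestamps and the key itself are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption: this key lives on a log collector that the administrators being
# logged cannot read. If they can read it, they can re-sign whatever they like.
COLLECTOR_KEY = b"constructed-demo-key-held-by-the-log-collector"


def _tag(key, prev_tag, fields):
    """HMAC over the record's own fields plus the previous record's tag (the chain link)."""
    payload = json.dumps(fields, sort_keys=True).encode() + prev_tag.encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log, record, key=COLLECTOR_KEY):
    """Append a record, giving it a sequence number and a tag chained to its predecessor."""
    prev_tag = log[-1]["tag"] if log else ""
    entry = dict(record, seq=len(log))          # seq makes deletions in the middle visible
    entry["tag"] = _tag(key, prev_tag, entry)   # entry has no "tag" field yet
    log.append(entry)
    return log


def verify(log, key=COLLECTOR_KEY):
    """Return the index of the first record that fails the chain, or -1 if the log is intact."""
    prev_tag = ""
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        if fields.get("seq") != i:
            return i
        if not hmac.compare_digest(entry["tag"], _tag(key, prev_tag, fields)):
            return i
        prev_tag = entry["tag"]
    return -1


def sample_log():
    """Constructed events: an admin's routine session that includes a read of payroll data."""
    log = []
    append(log, {"ts": "2006-03-14T09:02:11Z", "user": "jdoe", "action": "login", "target": "hr-fs01"})
    append(log, {"ts": "2006-03-14T09:05:40Z", "user": "jdoe", "action": "read", "target": "hr-fs01:/payroll/salaries.xls"})
    append(log, {"ts": "2006-03-14T09:06:02Z", "user": "jdoe", "action": "logout", "target": "hr-fs01"})
    return log


def reattribute(log, idx, scapegoat, key=None):
    """The attack from the article: rewrite record idx so it names a colleague.

    With key=None the attacker can edit the log file but has no key, so the old tags
    stay in place. With a key, every tag from idx onward is recomputed under it."""
    forged = [dict(e) for e in log]
    forged[idx]["user"] = scapegoat
    if key is not None:
        prev_tag = forged[idx - 1]["tag"] if idx else ""
        for entry in forged[idx:]:
            fields = {k: v for k, v in entry.items() if k != "tag"}
            entry["tag"] = _tag(key, prev_tag, fields)
            prev_tag = entry["tag"]
    return forged


def truncate(log, idx):
    """Delete record idx (here, the payroll read) and leave the later records in place."""
    return [dict(e) for i, e in enumerate(log) if i != idx]


if __name__ == "__main__":
    log = sample_log()
    print("intact log:", verify(log))                                   # -1
    print("blame shifted, no key:", verify(reattribute(log, 1, "asmith")))  # 1
    print("blame shifted, wrong key:", verify(reattribute(log, 1, "asmith", key=b"guess")))  # 1
    print("blame shifted, collector key:", verify(reattribute(log, 1, "asmith", key=COLLECTOR_KEY)))  # -1
    print("payroll read deleted:", verify(truncate(log, 1)))              # 1
```

Two caveats the code makes visible. First, the last call shows that an attacker who obtains the collector's key produces a forged log that verifies cleanly, which is why the key (or the collector itself) must sit outside the IT department's reach; this is the same point Stiennon makes about not being able to install a sniffer without the security admin's knowledge. Second, the chain and sequence numbers catch edits and deletions in the middle, but simply dropping the newest records leaves a valid shorter chain; detecting that requires periodically recording the latest tag or record count somewhere the administrator cannot alter.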
In most cases, though, the abuse of security privileges leads to more snooping than sabotage. Even in those cases, however, it's a good idea to have the ability to monitor IT staffers' behavior.
"It's surprising to see how people's behavior changes when they know they're being monitored," Ponemon says.
Tim Wilson, Site Editor, Dark Reading