Study - IT staffers are snoops
May 31, 2007
Security experts have long suggested that one of the biggest sources of IT threats is the very people charged with building and maintaining corporate computing systems, but a new study backed by password management specialist Cyber-Ark Software puts some startling stats behind the concept.
According to a survey the company conducted at last month's Infosecurity Exhibition Europe in London, one in three of the roughly 200 IT employees participating in the study admitted to somehow gaining unauthorized access to company systems for the purpose of reading sensitive materials.
Among the specific items snooped by those responding to the survey were private files including those bearing sensitive wage data, personal e-mails, and HR data.
The favored method for getting at the information? None other than the special administrative passwords that give IT workers privileged and anonymous access to the systems they work on.
According to Cyber-Ark, one admin taking the survey chortled out loud:
"Why does it surprise you that so many of us snoop around your files, wouldn't you if you had secret access to anything you can get your hands on!"
Um, no. First, because it's illegal and could result in an immediate loss of one's job, income and reputation, or some form of legal prosecution, if discovered; secondly, because most people are more interested in their own lives.
In that sense, the study not only backs up the idea that insiders do represent a significant threat to corporate data, but also that some IT people are openly lecherous.
In a broader sense, the study also validates the idea that companies aren't sufficiently watching the activity of their IT administrators.
Even worse, the survey found that one third of those polled at the conference retained access to IT systems at companies they no longer worked for, highlighting the password lifecycle problems that Cyber-Ark and many other authentication firms aim to solve with their products.
Roughly 25 percent of respondents said they knew of another IT staff member who retained access to sensitive networks after departing an employer.
The survey also unearthed insufficient controls among IT workers for protecting passwords that grant administrative access to systems and networks. Some 50 percent of those surveyed admitted to using Post-It notes to keep track of the highly sensitive passwords.
One individual told Cyber-Ark:
"Sure, it's easy for an employee to update the personal password to their laptop, but to change the Administrator password on that same machine? It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."
So, it sounds as if admins could use some more effective tools for keeping track of such information in a more secure manner. Although, no one has ever hacked a Post-It to my knowledge.
Some 20 percent of those responding to the study admitted that they also rarely change their administrative passwords, with 7 percent claiming they never alter the access codes. Another 8 percent of respondents said that the manufacturers' default administrative passwords on their companies' critical systems had never been changed. Many OEM pass codes are published on the Internet.
The study also indicates that companies should do a better job of storing their admin passwords, with 57 percent of respondents reporting that their companies store administrative passwords manually, and another 18 percent doing so in spreadsheets.
In a nod to the recall capabilities of IT staffers, 82 percent of those surveyed said they simply memorize passwords -- which is probably what designers of such systems had in mind when they implemented passwords in the first place. However, Cyber-Ark and other vendors often point out that while secure, the memorization approach makes it hard for companies to manage their authentication efforts.
On the topic of insider threats, 15 percent of those interviewed reported that their firm had been the victim of some form of insider sabotage.
Calum Macleod, European director for Cyber-Ark, said in the report:
"It's surprising to find out how rife snooping is in the workplace. Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is exactly what's happening. Companies need to wake up to the fact that if they don't introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife!"
Posted by Matt Hines on May 31, 2007 10:27 AM
COMMENTS
As alarming as these findings may seem, according to other IT professionals, this is actually pretty commonplace. Of course many IT professionals think that reading a co-worker's love e-mail to his girlfriend is harmless.
But just because the IT admin is not finding the co-worker's bank account password and snooping around in their online banking doesn't mean it's not wrong. Either way you are invading someone else's privacy!
As unfair as it may seem, many IT professionals even get paid higher to keep information confidential. You would think people would have higher morals and keep the secrets that their jobs entail because it's their job. But now they're getting paid MORE for doing what should already be part of their job. What is this world coming to?
Perhaps the answer lies in looking for security solutions that are not 100% handled by 1 person. For example, using an in-house server hosted by a security company to encrypt confidential files and not giving the IT admin the keys to decrypt the data.
Posted by: mroonie at May 31, 2007 12:26 PM
Personally I believe that unless I have to view the contents of a file in order to fix a problem I have no reason to access that (or any) file. If the file I need to access is a data file then I seek specific authorization to view the required file(s). Anything less is unethical and potentially dangerous to me. Ignoring my ethical and moral obligations to my client, not snooping in what is none of my business is good for me.
Law enforcement organizations encourage snooping, under the guise of "protecting us" so that people will rat each other out over perceived "wrongs", saving energy and money from the authorities actually doing their own work.
Organizations are often guilty of creating the circumstances leading to security breaches because they are interested only in making money with no willingness to spend what is needed to do the right thing. And what is the right thing you ask? Not my problem in this instance because we should ALL be thinking of "What is the right thing to do?".
Posted by: Mark Douglas at June 1, 2007 10:29 AM
I'm not sure what batch of criminals were surveyed but I for one do not "snoop" around in my user's personal data even though I could. I think of it like an accountant that handles millions or even billions of dollars in transactions. The vast amounts of money mean nothing, they're just the things that he/she is charged with managing. Same thing for me and IT systems. I pay no attention to personal info on my servers and, in fact, make it a point to not even pay any attention to what I see in someone's inbox when troubleshooting an e-mail client issue. I'll double-click on a message to verify that it opens but I won't give a thought to what might be contained in the message. Also, my users and managers trust me so even if I am put in a position to have to view confidential materials, it is understood that it will remain confidential. Trusting your IT people has to come with the territory. I don't hear anyone chirping about how at-risk HR data is because the HR staff have access to it. I'm sure that in any position that requires confidentiality, you will find a percentage of people who abuse their access to privileged information. "Pssst...You wanna know how much the boss makes??"
Posted by: KFoley at June 1, 2007 10:41 AM
> But just because the IT admin is not finding the co-worker's bank account password and snooping around in their online banking doesn't mean it's not wrong. Either way you are invading someone else's privacy!
As a sidenote, it's not "Someone's" privacy, it's the company's privacy. Personally, I love employees who use the company's email to send personal email, some harmless and some down right criminal, and then turn around and complain that the company is monitoring and *gasp* even reading "their" email.
IT personnel, or any personnel, are charged with a certain level of professionalism and ethics and, like everyone else, should be disciplined when that trust, professionalism or ethics are broken.
This study was done in England, where it is often illegal to look at personal files of employees. This type of activity is COMPLETELY legal in the US, I believe having been re-affirmed by the courts as recently as a half year ago. The US courts consistently find that a work computer is just that: if a person places personal information on it it is subject to being viewed, deleted, whatever by the company that person works for.
The author(s) should have mentioned this as it is a case of apples and oranges.
For many years I had access to my boss's user directory, as well as those of several other managers. Did I "snoop"? NO!!!! I'd stumble upon things occasionally when asked to fix something, but, like most people who have access to confidential information, I certainly didn't go looking for things or divulging what I knew.
I think the basic problem is a lack of maturity amongst IT professionals today. Reading others' e-mails "because you can" is sophomoric at best and blatantly illegal at worst.
I'm a consultant who works for many small businesses, and for consumers on occasion. My policy is to behave like a physician or psychologist or priest: what's on the machine under examination does not belong to me, and whatever I may happen to see in the course of my work is none of my business whatsoever.
And I've seen some things in the 20+ years I've been doing this, believe me.
To abuse the trust of the people who pay me by actively snooping their data has never crossed my mind, and I am personally outraged that some jackasses feel comfortable enough about their contemptible practices to brag about them. In my opinion, people who get caught abusing their access to other people's data are slime, should be publicly outed and shamed, and should be prevented from working in IT ever again, perhaps by means of registries analogous to the sex offender's registries now so commonplace.
One strike and you're out. This is too important. I understand the dangers of false positives, so due process would have to be designed and implemented, but clearly we need someone to guard the guardians. Unfortunately.
My philosophy on peeking was simple: because I have access to all the keys, I am the first person who is looked at when something leaks. I had full access to everything in the shop and never peeked. In fact, I did not want to know what was in the files. My reward was trust. If that were lost, I would become useless.
Posted by: Roy at June 4, 2007 06:56 AM