350 DBAs stare blankly when reminded super-users can pinch data

Enterprises are ripe picking grounds for would-be Ed Snowdens, according to a survey conducted by the Ponemon Institute for Raytheon that found hundreds of organisations did not have policies to limit the amount of sensitive data staff can access. The survey of 700 techies found Snowdens-in-waiting were typically database …

COMMENTS

This topic is closed for new posts.
  1. Denarius
    Meh

    Showing age, maybe?

    Never met a sysadmin or DBA who gave a hoot about private customers' info. Yes, we could read it, but we had much more entertaining things to do, coffee to slurp, etc. Something from the BOFH archives mentions this, decades ago. Perhaps the report could mention destructive CEOs as an organisational threat. Internal staff doing their jobs plus extras are a potential threat indeed, but I would love to see a comparison of worst costs for a feral admin/DBA versus a PHB. A few companies spring to mind as prime examples. Some have two-letter acronyms, some have 3.

    1. dan1980

      Re: Showing age, maybe?

      Bang-on. Well, at least in my experience.

      Sure there might be the odd sysadmin who deliberately goes snooping through a particularly attractive user's document folders to look for personal photos (nothing saucy - just for a G-rated perve) but that's a very easy and soft target - doing a search for JPGs - and usually takes about 1 minute.

      The 'problem' is that the requirement for this kind of security and awareness is a security + tech conscious person making the decisions. More often than not, the people actually setting the access rarely are part of the decision process about who gets access.

      I left a job quite some time ago after being royally chewed-out for, essentially, adhering to the security policy. At that point, I was rather lower than I am now and rather less experienced and I ended up quitting. These days I would try to explain why I was correct, showing the reasons for the policy and why it is essential that it be followed without individual IT staffers using their own judgment to make exceptions* for 'important' individuals.

      In other words, these days I would have explained that it was in the MD's best interests that I didn't reset his password with nothing more than a phone call insisting I do so.

      But then these days I am in a position to speak one-to-one with those upper-level managers and defend my team's adherence to the policies, which I have co-authored, rather than having my manager agreeing with me privately but not supporting me officially.

      ----------------------------------------------

      * - With which the road to Hell is paved . . .

    2. Anonymous Coward

      Re: Showing age, maybe?

      Same here: most IT people are either furniture or professionals, and as such are either happy where they are forever or looking for the next decent career prospect, neither of which is helped by stealing company data.

      Most companies don't have data that is worth enough money to set you up for life somewhere the law can't get you that you'd like to live in, nor morally objectionable enough that you'd be willing to go to prison for it.

      On the other hand, driving companies onto the rocks is common practice for CEOs who see the company as their own little empire, putting friends and yes-men into all applicable positions whilst slowly milking the company for all it's worth, then jumping ship to let the next leech in.

    3. Tom 13

      Re: Showing age, maybe?

      I think the problem there is you're using "sysadmin or DBA" in a technical manner as opposed to the MS label for people who are only using the system.

      The problem is, most companies don't understand their actual risk profile. Two instances from a company I worked at.

      1. Jr Network admin who was more competent than most of the Sr. Network admins, commenting on a new security initiative: "I'll start taking security seriously right after they remove the backup app they have installed on all the user dba systems that has the default MS SQL admin active with the password set to blank." The backup app was third party, using an embedded MS SQL engine. It was installed on all the dba desktops because: 1) they had sold a customer on desktops being more cost efficient than a SAS server, 2) they decided it was cheaper to use over the wire than buy the extension for the network backup system plus the additional tape storage they would have needed for all the desktops. Yes, they did promise all of the healthcare-related information they were analyzing had been sanitized before it was put on those computers. Honest.

      2. Sr. Network admin: "Yeah I told them they couldn't give me the password for the system they use to transfer money from the primary company accounts to the payroll account because right now that's the ONLY password I don't have for our systems. I need some level of protection if something bad happens."

    4. Anonymous Coward

      Re: Showing age, maybe?

      I fully agree. After 24 years in this field I could care less. Oooh look, a new software update!

      Besides, we all have to sign those pesky NDAs, etc. Why risk being sued into oblivion during downtime?

  2. Anonymous Coward

    Tracking users

    The logical conclusion from this is that organisations need to track all users' activities, and pay particular attention to the activities of the admin types. Which implies that monitoring of activities should be a function separate from the normal admin roles.

    1. A Non e-mouse Silver badge
      Joke

      Re: Tracking users

      Maybe the government should be involved in this? They could set up some national agency relating to security and that agency could keep tabs on what everyone is doing.

    2. Anonymous Coward

      Re: Tracking users

      I don't disagree, but be careful how you go about it. If you start treating your sysadmins like criminals, don't be surprised when morale drops and they start thinking about what they could take to their next job (more likely to be useful scripts than data, but it's still company IP). Or backdoor systems "because they can". Or spend more time justifying their actions than actually doing the work you need them for.

      One sort of thing I often do is a quick check of a large number of boxes, for example to see if they have enough disk space for a service pack install. If I have to request access and log into each box individually, that would take 100 times as long. And I won't be able to do quick healthchecks that aren't pre-programmed into the enterprise server monitoring.

      How about implementing security measures that would actually make me more productive? E.g. passwordless ssh from a trusted jump-off system? A login management system so I don't have to remember, look up or change hundreds of passwords, and that simplifies adding and deleting users/roles? Or decent server monitoring software that doesn't generate more errors than it detects?

      Hey, if you're holding me responsible for these boxes, you've got to give me the tools to do the job.

      </rant>

    3. Michael Wojcik Silver badge

      Re: Tracking users

      > The logical conclusion from this is that organisations need to track all users' activities, and pay particular attention to the activities of the admin types.

      Yes, but we've known this forever. It's a security commonplace that trusted insiders are the most dangerous attackers, and there are any number of security guidelines that address this problem specifically. The Orange Book criteria impose auditing at level C2, and extend it at levels B1, B2, and B3. At level B2, as part of the Trusted Facility Management section of Operational Assurance, the TCB is required to support separate "operator" and "administrator" functions, and at B3 there has to be a "distinct auditable action to assume the security administrator role".

      Of course, if your trusted attacker can alter the audit logs, auditing doesn't do any good.[1] The stricter rules for the higher B levels are intended in part to make it more difficult for even a trusted attacker to alter the logs.

      [1] There are nuances to "can alter", as the Internet Auditing Project discovered (search for "they're heeeere"). The attacker in that case could certainly have covered up all the audit trails, but apparently wasn't aware of one home-grown one.
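The point made in the post above, that auditing only helps when the audited admin cannot rewrite the log, can be made concrete with a tamper-evident (hash-chained) audit trail. This is an added example, not code from the thread or from any product it mentions; the key name, the sample events and the verification layout are constructed, and it assumes the verification key is held by an audit function separate from the administrators being audited.

```python
"""Tamper-evident audit trail using an HMAC hash chain (added example, not from
the thread above). Each entry's tag covers the previous tag, so editing or
deleting an earlier entry breaks every tag after it. Assumes the key is held by
a separate audit function (e.g. a collector the sysadmin cannot write to); an
admin who also holds the key could simply recompute the chain."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the (non-existent) entry before the first

def _tag(key, prev_tag, record):
    # Canonical JSON so a record always serialises the same way.
    msg = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append(log, key, record):
    """Append a record whose tag is chained to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(key, prev, record)})
    return log

def verify(log, key):
    """Walk the chain; return (True, None) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i
        prev = entry["tag"]
    return True, None

def head_tag(log):
    """Latest tag. Record it off-box: truncating the tail keeps the chain
    internally consistent, so only a mismatch against a stored head reveals
    that trailing entries were removed."""
    return log[-1]["tag"] if log else GENESIS

def build_sample_log(key):
    # Constructed sample events, not real audit data.
    events = [
        {"ts": "2014-05-01T09:00:00Z", "user": "dba1", "action": "login"},
        {"ts": "2014-05-01T09:05:12Z", "user": "dba1", "action": "SELECT", "object": "customers"},
        {"ts": "2014-05-01T09:07:40Z", "user": "dba1", "action": "COPY TO", "object": "customers"},
        {"ts": "2014-05-01T09:08:01Z", "user": "dba1", "action": "logout"},
    ]
    log = []
    for event in events:
        append(log, key, event)
    return log

def tamper_delete(log, index):
    """Simulate an admin removing an inconvenient entry from the stored log."""
    return log[:index] + log[index + 1:]

def tamper_edit(log, index, **changes):
    """Simulate an admin editing an entry in place, leaving its tag untouched."""
    copy = [{"record": dict(e["record"]), "tag": e["tag"]} for e in log]
    copy[index]["record"].update(changes)
    return copy

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice held by the auditor, not the admin
    log = build_sample_log(key)
    print(verify(log, key))                                   # (True, None)
    print(verify(tamper_delete(log, 2), key))                 # (False, 2)
    print(verify(tamper_edit(log, 2, action="SELECT"), key))  # (False, 2)
    print(head_tag(tamper_delete(log, 3)) == head_tag(log))   # False
```

The chain catches edits and deletions in the middle of the log; removing the most recent entries is only caught by comparing against a head tag recorded somewhere the admin cannot reach, which is exactly the separation of duties the Orange Book levels quoted above are reaching for.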

  3. Pete 2 Silver badge

    What IS surprising ...

    > The report says staff can cause more damage to organisations than external attackers.

    ... is how little abuse there is.

    Given that any sysadmin worth his / her / its salt can do pretty much anything and not be detected, or that they can hack the detection to cover their tracks, why is there so little advantage taken of this ultimate power?

    Apart from the oh-so-boring opportunities to sell state secrets to the baddies (or to give them away to the good guys, depending where you work), almost all the naughtiness we experience is some twerp somewhere selling lists of email addresses for the price of a beer.

    Where's the wholesale reading of the CEO's email to warn of future restructuring?

    Where's the "checking" of the finance department's databases for insider trading gains?

    Where's the planting of nasty pictures on the boss's computer to get the promotion when they are arrested and jailed?

    How come so few disaffected fire-ees don't "take out" that one single, critical machine when they are let go?

    Surely someone must have considered adjusting their HR file to improve their company image?

    I don't believe that every instance of IT badness gets discovered, fixed and the perpetrator then gets kicked out without a fight. Apart from anything else, some industries are legally obliged to report incidents of fraud. So are we really such an honest lot that everyone plays nicely? Are we all so afraid of being caught that even thinking of stepping out of line makes us break out in a sweat? Are we all so good at doing these things that none are ever caught and sanctioned?

    I find all of those possibilities equally implausible. So the only alternative (almost as unlikely) is that we're all quite happy with our lot and don't seek additional gain, promotion, revenge or professional advantage. That would surely make IT the most honest group of professionals in the world.

    1. Irony Deficient

      Re: What IS surprising …

      Pete 2,

      > How come so few disaffected fire-ees don't "take out" that one single, critical machine when they are let go?
      was that don’t meant to be there?

    2. Tom 13

      Re: What IS surprising ...

      > Where's the wholesale reading of the CEO's email to warn of future restructuring?

      Seen that one, only it was done by a low level employee, not the sysadmin. Technically still the sysadmin's fault because of the configuration, but in his defense, this was at least 5 years before security even became an inkling of an image on the early warning radar. And after it was discovered, it was fixed post haste. Including the employee who engaged in the spying being canned even faster.

      > How come so few disaffected fire-ees don't "take out" that one single, critical machine when they are let go?

      Sort of seen this one too, although again it was at the employee level. All critical files on their network and local drives were wiped. Yeah, they were keeping the bulk of their data on the local against company policy. But then again there was no enforcement mechanism.

      And the biggie: stealing customer files before walking. Seen that one twice. First time it was a sales guy who copied the list the second month he was with the business. Next time it was more heard of rather than seen. Agreement in place when I was hired as a field tech. Previous lead tech walked off with the company customer list. But in that case I'll still call him employee as opposed to sysadmin because we were all field techs.

    3. Anonymous Coward
      Happy

      Re: What IS surprising ...

      I've been making the same point about all the veterans getting screwed by the Veterans' Administration here in the US. You hear about civilian hospital violence but almost never a vet. I'm terminal and my prognosis is extremely ugly. Because of the VA.

      But to return on point: I don't want to know someone's individual, or any system's, password. Hell, I'd be quite happy not knowing my own! At least not on any system that I haven't personally contracted for or owned. And I sure as hell don't want to know what's lurking out there if I could avoid it. I might be legally or contractually obligated to do something about it! I've got quite enough extremely classified shit banging around in my head as is.

      However, give me a policy or regulation and yes, it will be enforced even if you are C-level, and I don't back down. There's more than a few Flag Officers and other high-level types that found that out while I've been everything from the junior sysadmin/dbA/E through CIO.

      Why do I *like* IT? 'Cause there's almost always at least one new puzzle to solve aside from the usual. And I'm a puzzle-person.

    4. Michael Wojcik Silver badge

      Re: What IS surprising ...

      > Given that any sysadmin worth his / her / its salt can do pretty much anything and not be detected, or that they can hack the detection to cover their tracks

      An overstatement. There are grown-up organizations using grown-up OSes and grown-up procedures where system administrators don't have the power to alter audit trails. Of course they're very much in the minority, but they do exist.

      1. Marshalltown
        Pint

        Re: What IS surprising ...

        "...There are grown-up organizations using grown-up OSes and grown-up procedures ..."

        Ah, but who is it that installs these OSes and implements these procedures? Oh, yes, the sysadmin. The beer's for the Sysadmin.

  4. Snivelling Wretch

    Am I the only one that first read that as the "Pokemon Institute"?

  5. LaeMing

    One thing for my ex...

    ...was that he flipped out a little when he worked out that I could access anything in his user account on our shared computer. I never did - professional pride - but I appreciate that even as a complete IT-ignoramus he could grok the implications.

  6. Hazmoid

    My comment: "that data is only important to the users, all we as sys admins care about is uptime and minimum outages."

    1. Dazed and Confused

      Re: , all we as sys admins care about is ...

      > "that data is only important to the users, all we as sys admins care about is uptime and minimum outages."

      True, until the bastards try to screw you down and you know all the emails about it are stored where you've got full access.

  7. James Anderson

    It always amuses me when these "analysts" pick numbers out of the air to justify some consulting boondoggle. They are about as accurate as the "street value" numbers the police claim on drug busts.

    The potential costs of a rouge DBA stealing your data are nothing compared to a mismanaged takeover (and they are all mismanaged), or a PHB deciding to install an SAP package.

    1. John H Woods Silver badge

      Rouge DBA...

      ... I'm just loving that image

      1. Pete 2 Silver badge

        Re: Rouge DBA...

        Is that one who makes-up after going rogue?

    2. Tom 13

      @James Anderson

      No, the one customer case I listed above was far more expensive than you'd think. Business owner lost half his business, plus lawyers costs, plus an expensive audit from MS because the rogue former employee accused the owner of pirating software. I think the audit took a year and at the end they determined he was out of compliance for 1 desktop for 1 rental for at most 1 month. And he had to revise his business practices as a result.

    3. Michael Wojcik Silver badge

      > It always amuses me when these "analysts" pick numbers out of the air ... The potential costs of a rouge DBA stealing your data are nothing compared to a mismanaged takeover

      Huh. It always amuses me when someone complains about someone else's research by making a wildly overgeneralized and unsupported claim.

      But that's probably because I know how to think critically. It offers endless opportunities for entertainment.

  8. deadlockvictim

    Edward Snowden gives whistleblowers a good name

    I don't like the way that Edward Snowden is used as a metaphor for wrongdoing.

    He served the greater good. One can in no way suggest that he profited from his actions. If anything, he has suffered for his principles and will probably die for them.

    Who here would not be happy if a DBA published evidence of gross malfeasance that led to steps being taken to prevent such malfeasance happening again?

    1. Lionel Baden

      Re: Edward Snowden gives whistleblowers a good name

      Beat me to it!!

      Exactly what I was going to post, but with better grammar/spelling than me.

    2. Hollerith 1

      Re: Edward Snowden gives whistleblowers a good name

      I was going to say that if many DBAs of this world are considered future Snowdens, then they are a particularly ethical and principled group. Who knew that we might be harbouring an international Justice League in IT departments?

    3. Old Handle

      Re: Edward Snowden gives whistleblowers a good name

      > Who here would not be happy if a DBA published evidence of gross malfeasance that led to steps being taken to prevent such malfeasance happening again?

      Raytheon.

  9. Anonymous Coward

    Rights revocation is the issue I see most often...

    I'm a "consultant" (read: technical specialist) for one of the big players working in the information management sphere. I go back to customers occasionally and I still have full sudo access to most boxes and full DBA rights to a lot of them, even years after the original install. I leave detailed instructions of which accounts they need to revoke rights on or delete, but it's "easier" for them when I next pop in for everything to be as it was when I left. It's the same with badge access to buildings: I have a small collection building up at home, and walking around London I'm rarely far from somewhere my work laptop won't connect and authenticate to their wireless.

    IMO rights revocation is not up to standard anywhere; even those that do periodic checks for continuing business need only do so every year at best, and it's usually a "yes I need it" without justification why from anyone else.

    1. Anonymous Coward
      Happy

      Re: Rights revocation is the issue I see most often...

      Anytime I went on-site somewhere, I always made sure they got the access message, turned on the master account and got to work. When departing, I made sure at least my access was revoked. CYA. Part of anyone's departure included getting our blessing (deleted user). I was never so happy as I was finally departing to revoke my own access and making damn sure the sysadmin account password was (invisibly to me) changed as well. Major CYA.

  10. A Non e-mouse Silver badge

    Quis custodiet ipsos custodes

    So we're all to implement systems and controls to restrict what sys admins do. That's all fine and dandy.

    But who's going to monitor the people giving out the rights to sys admins? Who's going to monitor the logs of all the sys admin activity?

    The more complex you make access control and security, the more likely it is going to be turned off or worked around. (I've seen this *so* many times over the years)

    Somewhere along the line, you're going to have to trust these pesky "humans" to only do what they're told.

    1. Anonymous Coward

      Re: Quis custodiet ipsos custodes (Or: Are you watching that custard?)

      You could always just not have a record a mile long of criminally intrusive and politically embarrassing behaviour in the database...

    2. Michael Wojcik Silver badge

      Re: Quis custodiet ipsos custodes

      If only many IT-security researchers over the past few decades had thought to consider this very problem! Publishing their ideas in a number of well-known books would have been helpful, too. Perhaps some of them could have taught classes in the subject at research universities. A missed opportunity.

  11. Jim 59

    Shock report

    Saying database administrators, network engineers, systems administrators, etc., etc. are "often very technically savvy" is a bit like saying Formula 1 drivers "can often drive".

    1. Michael Wojcik Silver badge

      Re: Shock report

      Really? I've known more than a few people in the role of DBA, sysadmin, etc who were not, in fact, even a little "technically savvy". And I'd guess a few other folks here could say the same.

      Of course I've also known many people in those roles who are extremely intelligent, well-informed, and competent. But it's hardly a universal condition.

  12. Anonymous Coward
    WTF?

    Nice FUD

    "Damage caused by privileged users is the most extensive, the hardest to mitigate and the hardest to detect as it is done by authorised users doing things they are authorised to do,"

    They are talking about the likes of CEOs and CFOs cooking the numbers?

    "They are often very technically savvy and have elevated access to systems making it easy for them to cover their tracks ... cases of fraud and theft by privileged users often go undetected and unsolved."

    Like what happened at Enron and Bernard L. Madoff Investment Securities LLC ? Yeah, a bunch of DBAs, Network ops and Sys admins criminals...

    "About a third of respondents said access right policies were well defined and controlled by IT."

    Well trained and well informed companies?

    "Organisations had been defrauded by staff stealing real estate client lists, patient health care records and corporate intellectual property."

    Yeah, a gang made of DBAs, Network ops and Sys admins...

    1. Tom 13

      Re: Nice FUD

      Privileged user is not necessarily equal to DBA for the relevant context. In most of my above examples, the people who stole the data had privileged access even if they weren't DBAs or sysadmins.

      > Like what happened at Enron and Bernard L. Madoff Investment Securities LLC ? Yeah, a bunch of DBAs, Network ops and Sys admins criminals...

      No, but Barclay's was certainly a privileged user who should not have had the access he was granted. And the DBAs certainly should have prevented it.

      I concur that most sysadmins and DBAs are honest people who aren't trying to rip off the company. The problem is, it only takes a couple of bad apples to do an awful lot of damage. And the DBAs and sysadmins are on the front line for keeping the bad apples at bay.

      1. Robert Helpmann??
        Childcatcher

        Re: Nice FUD

        > The real Ed Snowden abused his access rights as a system administrator...

        My understanding is that much if not most of the info he got was gained through social engineering rather than his own admin account(s).

  13. Jamie Jones Silver badge

    No surprise here...

    When I was doing third-line support, a user couldn't believe that I could work on the problem with his account unless he gave me his password.

    As for audits and security, I know of someone who once pinched the payroll database by taking the old backup tape that was due to be recycled for the latest backup, and replacing it with a new tape.
