Keeping the Fox Out of the Hen House

Some years ago, a small manufacturing firm was hijacked by its IT employees. They didn’t use any weapons, but they did commit murder: They killed the business.



Unfortunately, they were aided and abetted by the company’s own lax security policies. The firm had ignored the best practice of segregating duties: The IT employees who developed the core manufacturing software also were tasked with administering the system, supporting the end users and managing the backup process. When business conditions required the company to reorganize its IT staff, some of the employees who were to be laid off took revenge by sabotaging the mission-critical application. They erased audit trails, reassigned user rights, and even destroyed the backup tapes. The manufacturer never recovered from the assault.

That’s an extreme example of the havoc supposedly “trusted” insiders can wreak upon a company. Yet it’s not an isolated instance. Most privileged users have earned their organizations’ trust, but a single rogue employee can do great damage, disrupting or destroying systems or stealing corporate data. Even if these acts don’t leave a company in ruins, they may expose a business to heavy financial losses, fines for compliance violations, or negative publicity. 

Many organizations have yet to pay close attention to combating this threat. Companies in recent years have focused on the external threats, from hackers to phishers, which the media has so well covered. Yet privileged users within organizations can represent an even more significant risk. Their credentials often supply them with the “keys to the kingdom” that enable them to access and view data that they should not, and access and manage IT systems in a manner that could damage operations. Sometimes, the damage is the result of an accidental error, but it’s equally likely that malicious intent is behind the disruption.

Some startling facts about the risks posed by insiders are revealed in The Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. The May 2005 report, published by the U.S. Secret Service National Threat Assessment Center and the Carnegie Mellon Software Engineering Institute’s CERT program, focused on nearly 50 cases of insider sabotage carried out between 1996 and 2002. It found that 86% of insiders engaged in sabotage were employed in technical positions, the majority as system administrators, Most of them had privileged access to systems when hired, though less than half had authorized access at the time of the incident. Fifty-seven percent of insiders exploited systemic vulnerabilities in applications, processes or procedures, or a combination of these. In 81% of the affected organizations, insider activities resulted in financial losses—in at least one case, amounting to tens of millions of dollars. Three-quarters of the affected organizations suffered negative impacts to business operations, ranging from deleted sales records to the destruction of proprietary software, and nearly 30% experienced damage to their reputations.

That’s bad enough. Beyond that, organizations expose themselves to penalties if they fail to ensure the integrity of their financial systems and statements and protect customer data, as required by regulatory mandates, including PCI DSS, Sarbox and HIPAA, and states’ own privacy laws. The 2006 CSI-FBI Security Study reveals that respondents consider data protection, regulatory compliance, and identity theft as their most critical computer security issues over the next two years. But failure to follow security best practices  as provided in COBIT and ISO 17799,  including limiting system access by privileged users, compromises corporate compliance efforts. Failing to do so may even personally affect the organizations’ key executives, who must vouch for management’s having adequate internal controls over financial reporting.

There’s certainly reason to worry about compliance measures being compromised on Unix and Linux systems, where the root user account gives system administrators access to all the power of the root. Since most native Unix operating systems  provide no safe way to assign only some root privileges to each person, many organizations assign each administrator full root privileges. Businesses that don’t want to be exposed to potential damage by these privileged users must put in place technology that allows the root’s abilities to be delegated—and system administration tasks to be distributed among users—without  disclosing the root password. Otherwise, the door is open for rogue users and outright saboteurs to not only highjack and potentially alter systems, but also exploit customer and mission-critical data that will jeopardize compliance efforts.  

Action Must Follow Awareness

The good news is that there is a growing awareness of the threat posed by privileged users, particularly at financial institutions, which have seen some of the more high-profile breaches.

Indeed, nearly 70% of respondents to the CSI-FBI Security Study attribute some percentage of corporate losses to insider threats. Seven percent believe that insiders account for more than 80% of their organization’s losses.

Further proof of awareness comes from the 2006 E-Crime Watch survey, conducted by CSO Magazine, the U.S. Secret Service, the CERT Coordination Center, and Microsoft. Respondents to the survey who have experienced e-crime say that, to the best of their knowledge, 63% of intellectual property thefts involved insiders, as did 56% of other proprietary information thefts, 49% of sabotage cases, and 71% of incidents having to do with the intentional exposure of private or sensitive information. Fifty-five percent of organizations that have experienced security events now report at least one insider event, up from 39% in 2005.

Indeed, vendors that provide identity and access management products for Unix and Linux security and administration, have seen sales rise in direct response to companies’ needs to be compliant with privacy laws and federal regulations.

Now for the proverbial bad news: Even as companies are becoming more aware of the problem, many are still not taking some of the most basic steps to lock down their environments. On Linux and Unix systems, big strides can be made by the simple process of putting in place technology for delegating the root’s abilities to system administrators without providing the root password, logging activity, and by providing indelible audit trails of user actions.

What’s holding companies back from taking such a step? Misreads of the potential costs of the risks they’re taking, for one thing. For instance, some health-care organizations may consider that the $250,000 fine for a HIPAA privacy violation doesn’t justify the expense of purchasing and deploying another security solution. They’re missing the bigger picture costs here, by not considering all the other expenses they’ll incur should they suffer a client data breach. That includes the expense of notifying their customers that their data files have been breached, at about $15 a pop. Those fees can quickly add up. Not to mention the ethics issue of not respecting the privacy of your clients.

Organizations may face some internal pushback on these efforts, as they do disrupt the IT status quo. Many IT professionals may view plans to place limitations on their root user accounts as an affront to their personal ethics, as well as an obstacle to being able to do their jobs effectively. The situation may be complicated by politics—that is, the fact that the demand for implementing these kinds of security and administration tools may be driven by security officers or internal auditing teams, rather than IT operations leaders.

The situation can be prickly, given the tensions that sometimes exist among these groups, and the accompanying trend towards downsizing IT staff. You can hardly blame system administrators for fearing that their authority is being curtailed, or that their productivity is being monitored. Yet, at the same time, IT employees understand better than most the temptations to explore unauthorized data. According to a recent survey by the analysts at Dark Reading, approximately 10% of IT/security pros say they abuse security privileges to access unauthorized data on a regular basis. Nearly 30% are not regular offenders, but they admit to having accessed unauthorized data during their careers. 

The Fix Is In

Segregating duties at a process level is a key step organizations must take to limit risks from insider threats that may compromise compliance requirements or otherwise damage the business. Technology gives businesses the teeth they need to ensure that the process is respected. Removing access to the root password and allowing root powers to be shared in a selective way, specifying exactly which program each user can execute as root, is critical. That will make it impossible for the system administrator who is charged with mounting disks and modifying tapes to take over duties assigned to other administrators, such as modifying corporate databases or adding users. And, since the root password is never given out, the risk of it becoming freely available, even to non-IT users, or hackers is eliminated.

Equally important is to be able to trace administrative actions by maintaining an indelible audit trail on a separate machine than the one to which the system administrator has access to. This is essential for knowing who took what administrative actions, when, and on which machines.

Some organizations may think they’re protected against damage with an open-source product that provides some root delegation capabilities. But these tools still enable anyone with any system administrator responsibilities to have access to the root password, and they lack indelible audit trails and keystroke logging. Those capabilities are critical requirements for really addressing the threat that may be posed by disgruntled insiders, particularly in the world of Unix, in which there has historically been a lack of emphasis on secure system administration. Open source products like sudo are often cited by firms like Gartner as not-scalable because you can’t easily deploy them across a large data center since you need to go to each and every server and install it on each one. Good for small companies but not practical for large agencies/orgs.

Be On the Lookout

The bottom line: It’s ok to trust your employees—as long as that trust can be verified. Organizations that put in place solid technology and policies that limit privileged users’ access to the systems and data for which they are responsible, and record indelible audit trails of their actions, make it extremely difficult for internal staff to run amok.

No technology, of course, will ever substitute for people’s ability to pick up signs that there may be a problem with an employee—one that could lead him to commit sabotage, steal data, or otherwise harm the organization. The Insider Threat Study, in fact, found that 80% of the insiders exhibited unusual behavior in the workplace prior to carrying out their malicious activities.

At that now-defunct manufacturing company, one of the IT employees involved in the sabotage had long been expressing his unhappiness about the impending layoffs and making veiled comments about his intentions. But they were ignored. The lesson to learn is this: As important as it is to deploy technology to stop threats in their tracks, it’s equally important for managers to seriously consider subtle (or not so subtle) threats an employee may be making, and for HR departments to provide support services for employees who are in financial trouble or are facing a job loss.

It’s better to forestall trouble than to ask for it. Taking such steps, and deploying technology solutions that pre-empt malicious activity, will help businesses ensure that no rogue actions will cause harm to their operations.

About the Author

Ellen Libenson, is a vice president of product management at Symark ,a maker of identity management and access control solutions. Email Ms. Libenson at elibenson@symark.com

More by Ellen Libenson

About Symark Software

Symark Software is a global identity and access management security software company that protects heterogeneous data centers.

Symark focuses on solving the inherent security gaps in native UNIX, Linux and Windows operating systems. In business for over 20 years, Symark has hundreds of thousands of licenses in use throughout the Global 2000 with a customer retention rate of over 90%.

All Symark PowerSeries products offer fast deployment, central administration and detailed audit logs. They provide the perfect balance of protection and productivity. The company delivers continuous, platinum-level technical support throughout the customer relationship.

Our products reduce the growing security risk from insider threats, facilitate accountability and regulatory compliance, and deliver rapid ROI.

Symark is ranked among the 500 largest software providers in the world.