An IT administrator scorned is not to be trusted, according to a study recently conducted by Cyber-Ark. The security firm claims a survey conducted on 300 security professionals found a whopping 88 per cent of IT admins would steal valuable and sensitive company information if they were fired tomorrow. Only 12 per cent said they …
If they're not just bullshitting I just don't see the point. What are you going to do with it that doesn't involve risking a prison sentence?
Thing is the only data worth having pretty much guarantees this outcome. Sad really given it was just a question, not an actuality. Perhaps if they're that certain of being that pissed off, a bit of anger management wouldn't go amiss. Might save them a few uncomfortable nights as someone's bitch.
How to secure the trust of your PHB
I've never believed in job security by obscurity. I document everything, explain everything, because I want my bosses to know I'm doing the job they're paying me for.
To this end, if your boss thinks you'd steal data if you were fired, take the 'root' or 'domain admin' or 'enterprise admin' or whatever account -- you know, the account that can't get locked out from too many bad passwords -- make a nice long password for it, and put the username and password in a sealed envelope. Hand it to the PHB, and explain that if something bad happened, they could hand it to the next admin.
If they don't open the envelope right away, they trust you to do your job. You can check your server security logs for this. You might reconsider your employment there if they open and use it.
I generally don't use the built-in admin account for any actual administration. I just use it to create admin accounts that are subject to lockout rules, and I don't even use that for day to day use. Instead I use an account that's part of some kind of account operators or server operators group, so I don't need admin on my desktop to administer the network. But that's going off on a tangent.
Mine's the one with the envelope to hand to my boss.
According to that survey, 88% of admins SAY they would steal data if fired.
The amount that actually WOULD steal data would need to be based upon the amount of those who have been fired and did.
That's because if the password policy demands you have a 48 character password like:
and change it every eight hours, how are you going to remember the bloody thing other than in a spreadsheet or post-it.
Couple that with having to get an account application signed off by all the board directors and their grandparents, so everyone uses the account of Fred who left in 1998.
12% of IT Admins are liars!!
Actually, there can be good reasons for taking sly backups of the situation when you leave....
If you feel you are likely to be held accountable by management for later disasters caused by your replacement it's nice to be able to chapter and verse them in court..
For that reason alone I would recommend the offsite backup location to be your glovebox!!
Taking data and releasing it inappropriately are different things...
That's why you have firing policies
The possibility of disgruntled employees wreaking havoc after being terminated is precisely the reason why multinationals like e.g. Shell Oil have the following policy when an employee has his or her contract terminated.
The former employee in question is escorted from the premises immediately after being informed of the decision and is allowed only to stop at his desk (under close supervision of a security guard) to collect his/her physical personal belongings (briefcase, photographs of family, mug, favourite pen etc.) and nothing else. At the same time his account is suspended, and every single password he had access to is changed. Under no circumstances will said employee be allowed to interact with a computer or use company machinery before leaving. After collecting his personal belongings the former employee is escorted through security, his ID card is destroyed, and his permission to enter company premises is revoked.
This is harsh, but is the only certain way to protect company assets from disgruntled former employees and was arrived at from harsh experience.
What an unprincipled lot
you can trust developers, but admins never!
At one place we found them installing remote admin without telling anyone. That was an amusing security alert, as people assumed it was malware, and subsequently many projects were put at risk.
Never take your eyes off them, and frankly all development departments should never allow admin anywhere near their systems, I would go so far as hiring attack dogs, trained on the putrid odour that most admins emit :)
If you are an IT company you don't need them, or shouldn't need them.
But of course they are in other places, lurking about looking to swipe your half drunk can of coke, screwing up the network, or turning off your remote server.
Sodding liability most of them. Still there are a few good ones around, but they tend to offer, development and administration that's the key thing to look for.
All systems should be managed by programs, it is ridiculous using a human who is basically just learning all the time, their activity of course can be reduced to a computer program. Code and go is the motto. Admins just leech off the main business, ooohhh look at how they can click a checkbox, admin want a cracker.
So, really they are just a pair of legs and hands, but again I don't really want them anywhere near the guts of a machine to replace a part, bloody barbarians.
The sooner most places go back to unix the better, administration there is an art, involves a lot of coding, actually streamlining and returning to the bottom line. Gates you have a lot to answer for.
password, what password
Ha Ha, If my experience is anything to go by, you could solve this by merely asking the IT Admins to give you all the post-it notes (stickies) with passwords written on them that they keep in their wallets. Then fire them :-p
I wouldn't .. it's down to being professional ...
Developers trustworthy? yeah right, you can trust them to never write a bloated, insecure resource hogging piece of Sh%t eh?
Developers can embed backdoor stuff much deeper than admins can.
I sense someone didn't get their own way on a network issue, or the purchase of a company iphone, so is stamping their little feet. Obviously Ac as he is scared of what his BOFH would do if he knew what this luser wrote. What sort of MAC do you use anyway?
Talk about overblown sense of self importance!
Hope your admin turns off your remote server for good, and electrifies the door handles!
@How to secure the trust of your PHB
This was pretty much standard policy when I worked in finance for all top level passwords. Put in 2 sealed envelopes, sign over the seal, one to offsite backup, one to safe/vault. Each month have envelopes returned, check seal, change password and repeat. It also serves as disaster recovery backup in case I am hit by a bus.
Unfortunately I could never get myself fired with the accompanying 1 month to 1 year's compensation, I always quit out of political frustration when the sane management who hired me moved on.
When I left my last net, that I built from the ground up, I was disgruntled as hell. So, I insisted the owners join me in the "closet" and I instructed them on how to change all admin account passwords in the AD... following secure criterion I drilled into them from Day 1. I made it very clear that I didn't want to know the new p/w's and I stood away where I couldn't see the screen nor keyboard.
Sure I could crack it, but then who would hire me to build/admin another net? Plus, if I need them for a reference, I know I can still list them.
@What an unprincipled lot
Good joke... I mean really... What's your next act...
A proper sysadmin isn't just a trained parrot/monkey. They actually have a completely different skill set than developers. And while it's true that most admins tend to be a lazy bunch most will step up and do their job when there is need.
I had to do sysadmin at one company full of devs... What was the result... Each dev had their own setup with their own apps etc... Now move on to the next company... Nothing
I had to help a dev reinstall his box after he got some malware on the box. The guy wasn't able to start the install simply because the install cd lacked a driver for the sata controller... I had to find for him a usb floppy disk and the driver that was needed for windows to load the driver. Similar with most others...
A proper sysadmin tends to be a skilled troubleshooter with a wide area of knowledge and very little specialisation. He/She should be capable of quickly picking up new things and being able to explain those things to the (l)users...
Anonymous to keep the trend going ;)
Really? I always thought 90% of the devs I met were morons, especially the ones that thought they actually understood IT beyond their blinkered view through their IDE of choice - I had a brief stint working dev but I got out of it - there are only so many times you can mindlessly bang out a variation on the same code. I'll qualify that by saying I do do a little coding occasionally but not professionally.
I done the support -> admin -> design/consultancy thing instead and frankly I wouldn't touch a role doing dev again.
++ to unix (linux, solaris, whatever), but I wouldn't call unix administration coding.
@ AC "what an unprincipled lot"
Without admins you would not have an environment to develop on.
Get back into your cube and eat some more skittles. Sandal-wearing freak.
Mine's the one with mouse balls in the pocket.
Oh I have just discovered that any data I have access to is worthless and the passwords on hundreds of post-it notes.. so if they sack me I can't even get a warm place to stay free. If you have 800 passwords on 800 boxes, all of them like "LetmeinOhyesPlease1234567" only all different, how are you supposed to remember them, unless they are written down somewhere.
Leaving holes with permission
I've worked somewhere that had problems with ex-employees ringing current ones to destroy files they had created at work/had access to.
Even more fun was the admin account created exclusively for Sophos (Spits on ground) to update on over 100 machines. It can't be revoked as it's too much hassle to go round and change it. I've been gone 3 years and still haven't used it (I forgot the remote IP). Backup tapes are far easier to get info from without traces anyway.
Mine's the one with the DAT tapes in the pocket
What were the survey questions?
Without seeing the survey questions, we have no idea how they came up with that result. Here's a lighthearted example of questions skewing poll results from 'Yes Minister'.
Sir Humphrey: "You know what happens: nice young lady comes up to you. Obviously you want to create a good impression, you don't want to look a fool, do you? So she starts asking you some questions: Mr. Woolley, are you worried about the number of young people without jobs?"
Bernard Woolley: "Yes"
Sir Humphrey: "Are you worried about the rise in crime among teenagers?"
Bernard Woolley: "Yes"
Sir Humphrey: "Do you think there is a lack of discipline in our Comprehensive schools?"
Bernard Woolley: "Yes"
Sir Humphrey: "Do you think young people welcome some authority and leadership in their lives?"
Bernard Woolley: "Yes"
Sir Humphrey: "Do you think they respond to a challenge?"
Bernard Woolley: "Yes"
Sir Humphrey: "Would you be in favour of reintroducing National Service?"
Bernard Woolley: "Oh...well, I suppose I might be."
Sir Humphrey: "Yes or no?"
Bernard Woolley: "Yes"
Sir Humphrey: "Of course you would, Bernard. After all you told you can't say no to that. So they don't mention the first five questions and they publish the last one."
Bernard Woolley: "Is that really what they do?"
Sir Humphrey: "Well, not the reputable ones no, but there aren't many of those. So alternatively the young lady can get the opposite result."
Bernard Woolley: "How?"
Sir Humphrey: "Mr. Woolley, are you worried about the danger of war?"
Bernard Woolley: "Yes"
Sir Humphrey: "Are you worried about the growth of armaments?"
Bernard Woolley: "Yes"
Sir Humphrey: "Do you think there is a danger in giving young people guns and teaching them how to kill?"
Bernard Woolley: "Yes"
Sir Humphrey: "Do you think it is wrong to force people to take up arms against their will?"
Bernard Woolley: "Yes"
Sir Humphrey: "Would you oppose the reintroduction of National Service?"
Bernard Woolley: "Yes"
Sir Humphrey: "There you are, you see Bernard. The perfect balanced sample."
@What an unprincipled lot
You are absolutely right! All good sysadmins are REQUIRED to know at least some development. Scripting is a must, in a number of languages, and object oriented scripting is a requirement of any good admin who doesn't want to keep repeating unnecessary work.
If a sysadmin is doing his job, then he has nothing to do, except wait for the phone to ring with a change request, or swap out the odd dead part. (Or backup drive.)
I guess that's why good sysadmins are required to be project leaders, developers, analysts, and a host of other things.
I guess that's also why nobody wants to hire developers anymore. Why hire a developer for twice the salary when you can hire a Sysadmin for less, and get someone who bothered to learn how a system works before trying to code on one. Don't worry though, there will always be plenty of developer jobs in India for you, so you are safe.
For now though, I just finished pushing an OS to a few dozen pieces of metal, and while the scripts install the apps and run the patch sets, I'm going to go patch the SSI on the Intranet one more time, since those useless devs forgot to cross-test their JS in multiple browsers. Maybe I should throw a few more Snickers bars over the roof at them; might get some better results.
Mine's the one with the card that's one stamp shy of a free pint at the pub...
You're just sore because the admins get all the babes.
Paris 'cos she's hanging out with us at Mission Control as I write this.
Through no fault of their own, when a sys admin leaves a company he is going to retain some sensitive passwords just through his/her memory (not RAM!). If the company wants real peace of mind then they should change all access passwords when they leave.
Sys admins have privileged access to information and areas of the network during their time with a company - it is part of the job and a certain amount of trust goes with the industry. If they want to stay in IT (and out of prison) the vast majority (more than 88%) respect that privilege. I'm biased, but I think they're a pretty trustworthy bunch.
Re: What an unprincipled lot
I take it they won't let you have admin rights then?
Not just IT Admins
Anyone in a senior position in a company (1 above the receptionist) can and will do this.
A consultant working for a firm decides to leave or is fired.
The firm has 150 clients and a database of 2500 possible clients.
Consultant leaves with both the database of current clients and the 2500 to market his consultancy services to.
This is widespread and was happening long before we had the joys of computers... So why would it be any different for IT people?
@What an unprincipled lot
You've obviously never seen a real Windows admin. With larger accounts, "Code and go" is exactly how it's done - By the admin. All major tasks are (or should be!) scripted. Checking checkboxes is for chumps.
Thanks to vbscript & friends, a lot of the UI is exposed to script - Cradle to grave user management is possible, for example.
But on the original topic, I find this claim disturbing. The most valuable thing I'll take with me when I leave will be my skills and experience - 8 years of Active Directory in a large environment. I don't need my employer's data to be able to sell that.
I don't trust any of those crazy computer geeks. They're all borderline suicidal anyway.
@ What an unprincipled lot
Hey, if it wasn't for developers and their hooky coding, the world wouldn't need systems admins!
@AC - What an unprincipled lot
As opposed to most developers I've met, who don't know what a fucking subnet is, and think that "routing" is something done by that thing stuck to their windscreen; that's before the snide, supercilious little fucks decide that they don't need to worry about software licenses and end up getting the company raided by FAST, or decide to change the IP addressing on their machine (because the thick bastards decided to hard-code IP addresses into the fucked-up abortion of an application that they're trying to pass off as working software to the clients that they've conned into thinking that they're anything like competent) and then complain because "the network's broken".
I don't suppose it occurred to you, numb-nuts, that they might have installed remote admin software to provide better and more timely support after you and others of your misbegotten ilk fuck your machines up again and then decide to complain about how the "IT doesn't work..."? And if that put "many projects" at "risk", then you probably weren't competent to be running them anyway.
As to this survey, gosh, company that depends on persuading people that there's a problem conducts a survey that "proves" there's a problem. Pardon me while I regain consciousness after fainting from fucking shock. I've been an administrator for a good many years, and I have been made redundant once after the company downsized drastically. I didn't consider stealing anything from the company in question, and I know quite a few other people who've been in similar situations and they never have either. The survey is bollocks, and to Austin Modine? How much did they pay you to shill for them?
Dude. I hope that's a joke because that's insane - and absolutely incorrect. That's exactly the kind of thinking that sees huge databases put on CD and left on the train and stuff.
I hope your boss doesn't read el reg and you work at some tiny little non-audited firm.
depends how you define "DATA"
after all - I still have a fantastic "boot disk" and the internal email addresses of a couple of friends.
re: firing policies
"Under no circumstances will said employee be allowed to interact with a computer or use company machinery before leaving"
That's why my logic bombs are designed to detonate if I don't renew their password every 3 months!
Separate data from process.
This is why Oracle is now adding features such that DBAs can administer the database but they can't use the data. Doesn't stop said DBA from destroying the data.
Well that's one issue out of the way.
What utter bollocks
I absolutely refuse to believe that 88% of employees would say they'd steal data if fired, much less actually do it. Of course some people would, but not 9 out of 10.
88% of IT employees now think that Cyber-Ark is a crock of shite after reading this article.
Re: "That's why you have firing policies"
It's not harsh, it's plain common sense. As long as the employee is paid for outstanding notice / holiday, are you seriously telling me that they would *prefer* to work their notice period?
A friend of mine got an interview for a rival IT company, and when offered the job, immediately informed his PHB. An hour later he walked out of the building with three months pay and was able to start his next job a month early. He called it his, "disloyalty bonus" :-)
Er, "stable door"?
Presumably you change the passwords whilst the victim is in the boss' office getting the bad news. OK, but this person previously had full access and probably has an off-site backup at home. Oh, they didn't ask *that* question.
Absurd survey pushing useless product. Film at 11.
Call me Mr Cynical
As I was told many years ago, there are only 3 types of people in the world - the "Sad", the "Mad", and the "Bad". All of them will steal - and that includes you and I. It's just a case of if you are prepared to admit it.
Everyone has their price - and anyone who thinks that they don't is only fooling themselves. I've seen magistrates, lawyers and police caught stealing. Doctors and nurses pinch drugs from the hospital (for their own use or to push on others). Civil servants access confidential data and then pass it on to others. Priests fiddle with kiddies, or load guilt onto people whose only crime is naivety. Managers make promises that they have no intention of keeping. Bankers push loans onto people that they know have no chance of repaying. Sadly, there is no end to the depths that humans will descend.
@AC - trust a developer? Never; I've seen too many hidden items within code that would ever allow me to do that.
Gordon Feyck has the right idea; document everything and make sure that you let people know that you are doing it and why. It's not the whole answer - but the reality is that there are very few people that you can really trust.
RE:What an unprincipled lot
How dare you! How many computers can get so upset at being thought of as jumped up hell desk geeks, or say 300 times in a row "have you tried switching it on and off?".
Yes, I have been on the receiving end of a few too many hell desks and admins.
As for wiping people's accounts, we have someone leaving today in accounts. We have been trying to get his bank access closed for weeks but none of the admins will do it properly. Very worrying as this is real money, not just data.
@ What an unprincipled lot By Anonymous Coward
What an interesting world you live in...
As one of those Admins you so obviously despise, I find the major danger to systems are the users... Especially the users who think they 'know it all'.
Still, you run your system how you like, I'll do the same.
Incidentally, just what IS your position?
Trust Developers? <ROTFLMAO>
>you can trust developers, but admins never!<
Yeah, we can trust developers to cut corners and write poor code and generally f*ck up the company product, when they're not writing backdoors and security loopholes in to it.
Besides, how would you know what an admin does?
When he's freezing his arse off in an 18C server room, fixing the machine that your crappy code has crashed, you are in the games room being "creative" with your newest i-extension.
Given the recent progress made in "self-programming code" I think your job might be under threat WAY before they start to fire the bofh's of this world. To be honest, most developers I have met qualify under the "Get an infinite number of monkeys" scheme promulgated by most companies.
Finally, you really should be cowering under your desk by now (like the wimpy gray geek you are) as once your bofh discovers it was you that posted that comment MR ANONYMOUS COWARD, I wouldn't give a <clickety> for your continued employment or freedom <BWAH-HAH-HAH>
For what exactly ?
There's data and there's data.
Would I take handy scripts, procedures and stuff I have created there for my work .. probably, if I don't have those privately backed up already.
Would I create a backup of the CRM/ERP DB ? (how the #$%@^& would you fit that on a USB drive anyway)
Why ? And besides the obvious ethical objections, what would I do with it ?
Go to the competitors ? Who would I approach ? Why would they take it and pay for it ? (it's usually more the sales dept. that would have such contacts and insights). Would I ever get a job in this line of work ? (the world is smaller than you think)
Then again, if it would be a direct dismissal due to BOFH behaviour, a good IDM system would prevent the taking of such important corporate data anyway. (single click account blocking on over 15 systems is a fun thing to do :) )
(Pris, 'cause she also seems to be missing something, when 'stepping out' )
Abuse or betrayal of trust, treason by another name, is a very, very serious matter. They have a word for folk like this, traitor.
Hey, isn't treason still punishable by Hanging in the UK?
Admins hold a very great deal of trust and if the guys answering this survey aren't just having a laugh then they should firstly be utterly ashamed of themselves and secondly named, shamed, bagged on the spot, ID'ed, RFID'ed and never, ever allowed to work in any position of trust again.
re: that's why you have firing policies:
it's not just multinationals, at the first company I worked at I'd generally know that people were getting fired or being let go before they did. they would start a meeting, half way through that meeting one of the directors would come and tell me to disable their account.
that way they literally left the meeting room said their goodbyes and went, no computer based fun for them, and that was in a company of 12, you don't have to be a massive multinational company to have a decent policy -not even policy, just way of doing it, to stop data theft.
re: what an unprincipled lot.
the company that I worked for mentioned above was a development company.
and it was a harsh policy of locking them out before they were even actually fired for the simple reason that developers don't seem to be able to grasp the fact that the code they wrote for the company was the property of the company, not theirs, before that policy was in place quite a few people tried to take their work, and clever sections of co-workers work with them.
also, just as a quick point, you're right, admin jobs should be replaced with automated systems, wouldn't that be nice, system that actually could take care of themselves...
just get yourself and your developers to start writing reasonable code that doesn't need nannying through its days, and that doesn't break, and that can be easily used by help desk users and I think you'll have a plan.
My ex-boss changed external IT support suppliers one day and a few days later the one-man-support-company IT guy visited and got the grand tour from me. I was the IT Projects Manager and resident IT guru, but as I officially was NOT support staff, we still had external support suppliers.
2 days later I noticed the Admin password had changed, and the new IT guy was refusing to give it to me. (over the phone, mind you, he was freelance, and not to stay in the office. Lucky him.)
The next day bossman called me "for a chat" and announced I was being made redundant, as the projects I was working on had wrapped up.
Had I cared about what they did, I'd be regretting not having a chance to... make my departure memorable in various interesting ways.
Alas I was too busy seething at being made to work my 1 month notice period, and while idly reading job boards across the net, finding out I'd have worked there 3 weeks short of a year, the legal UK minimum after which you are allowed to claim for unfair dismissal.
Keys are all the rage nowadays, fairly easy to deal with and you can update them if you like. Local key release by passphrase (normally a decent password) and then use the key remotely.
"It's not harsh, it's plain common sense. As long as the employee is paid for outstanding notice / holiday, are you seriously telling me that they would *prefer* to work their notice period?"
I always have done - it's a "pride in work well done" thing. I at least want the opportunity to tie up loose ends and hand over existing work to colleagues.
I'm sure the comments were tongue-in-cheek, but I have lost count of the number of battles telling developers that they are not having admin privs because their app isn't written correctly!
No way I would steal even so much as a paper clip from the office, way too risky and as an average "smo" with a mortgage and family to look after, everything I touch gets thought about twice. I too always document everything, then I get a good reputation for being open and honest. No price would be high enough, ever heard of the Proceeds of Crime Act? No matter what you get for nicking something, they can fleece the lot out of you, so don't give me that do the time and then live in the Bahamas BS!
Steal? Why bother?
Seriously, if you get sacked today, forget the old place, take your notice period payment, get another job and take a wee holiday.
Stealing data? Too obvious. You're the obvious first name on any investigation. You're better off closing that chapter of your life and moving on. It's not like a decent admin can't pretty much pick and choose a new job.
Who did they ask?
It's not clear. Did they ask the IT admin, or did they ask the Info Security Officer? If the latter, then it is the ISO's lack of trust / perception of their IT staff.
Doesn't matter. 88% of all stats are made up on the spot anyway.
Also remember that what goes around, comes around. If you steal someone else's data today - and promote such data theft - you should expect to have yours stolen tomorrow.
Is this the same crew that thought it bought passwords for chocolate some months back?
"lurking about looking to swipe your half drunk can of coke"? The way you write, buster, nobody in his right mind wants to get anywhere near your bodily fluids.
Who has seen the survey questions?
Given the biased nature of the survey originator, it's no surprise if the survey questions are misleadingly engineered to draw a conclusion that more would steal data than actually would.
My name is Mark Fullbrook, I'm the Director for the UK and Ireland for Cyber-ark and it was me that commissioned this survey.
Let me give you some feedback on how this survey was run.
We asked 300 people with Administrative privileges a series of questions at the Infosecurity Europe Show which took place in April in London. How did we know they had administrative privileges? Well we asked them of course!
Once we had established their suitability we asked them a series of questions. Things like:
"Have you ever used your administrative privileges to access information that was NOT relevant to your role?" (That had over a 30% positive response rate)
"If you left your company tomorrow which of the following would you consider taking with you" - followed by a list of things like Company records, HR records of course, highlighting one which said NOTHING. (we had 88% of people choose something OTHER than NOTHING)
There were a few other questions of course, and we intend to publish this as a white paper, but I just want to address some of the responses on this site.
First of all, I find it amazing how many times admins respond to these types of survey with the view that it is the users' fault that they have to set up back doors or that they do not need to be monitored because of some God given right to anonymity.
Cyber-ark produce software that provides companies with the ability to automate password changes on privileged accounts, whilst ensuring that Administrators and Privileged users get the full access they have always had. The alternative is to just trust your user base and (from our survey) whilst that is fine for 12 of your 100 Admins, it might be a little foolish for the other 88 (I'm being slightly sarcastic here - but I'm trying to keep in line with the tone of most of the responses!!)
We don't supply companies with software to monitor privileged access because most IT Admins and Privileged Users are good, we do it because every now and again, you are going to have a bad one....... and why give them the opportunity if you don't have to.
Feel free to get in contact with me if you want to hear any more about the survey and please, feel free to visit us at Infosecurity 2009 and take the survey yourself, and then you can see if things turn out differently. Personally, I don't think they will.
Incidentally, to those that say "it was fixed" ZDNET responded to an earlier release centered around the "would you use your administrative privileges to access information NOT relevant to your role" question by running their own survey... Guess what? The results were exactly the same.
BIG SMILEY FACE because generally, I'm a pretty happy guy..
(I just get a little excited when people say my company is lying)
Water is wet, fire burns, the Pope's a Catholic, bears shit in woods.