88% of IT admins would steal data if fired

An IT administrator scorned is not to be trusted, according to a study recently conducted by Cyber-Ark. The security firm claims a survey conducted on 300 security professionals found a whopping 88 per cent of IT admins would steal valuable and sensitive company information if they were fired tomorrow. Only 12 per cent said …

COMMENTS

  1. Andy Bright

    Why?

    If they're not just bullshitting I just don't see the point. What are you going to do with it that doesn't involve risking a prison sentence?

    Thing is, the only data worth having pretty much guarantees this outcome. Sad really given it was just a question, not an actuality. Perhaps if they're that certain of being that pissed off, a bit of anger management wouldn't go amiss. Might save them a few uncomfortable nights as someone's bitch.

  2. Gordon Fecyk
    Coat

    How to secure the trust of your PHB

    I've never believed in job security by obscurity. I document everything, explain everything, because I want my bosses to know I'm doing the job they're paying me for.

    To this end, if your boss thinks you'd steal data if you were fired, take the 'root' or 'domain admin' or 'enterprise admin' or whatever account -- you know, the account that can't get locked out from too many bad passwords -- make a nice long password for it, and put the username and password in a sealed envelope. Hand it to the PHB, and explain that if something bad happened, they could hand it to the next admin.

    If they don't open the envelope right away, they trust you to do your job. You can check your server security logs for this. You might reconsider your employment there if they open and use it.

    I generally don't use the built-in admin account for any actual administration. I just use it to create admin accounts that are subject to lockout rules, and I don't even use that for day to day use. Instead I use an account that's part of some kind of account operators or server operators group, so I don't need admin on my desktop to administer the network. But that's going off on a tangent.

    Mine's the one with the envelope to hand to my boss.
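The "check your server security logs" step above is the part that actually tells you whether the envelope was opened. Here is an added example (not code from the comment or from any product) that scans constructed, simplified log lines using the field names of Windows Security events 4624, 4625 and 4672 and reports any activity on the sealed-envelope account. Because that account is exempt from lockout, the check also reports a run of failed logons from one source. Account names, addresses and timestamps are made up for the example; a real export would need its own parser in place of `parse_events`.

```python
"""Spot use of the sealed-envelope ('break-glass') account in security logs.

Added example; not from the original post. The log lines are constructed
for this example in a simplified one-event-per-line form with the field
names of Windows Security events 4624 (successful logon), 4625 (failed
logon) and 4672 (special privileges assigned). A real export (for example
from wevtutil or Get-WinEvent) would need its own parser in place of
parse_events.
"""
import re
from datetime import datetime

# Constructed sample: one normal admin session, then two failed attempts
# followed by a successful remote (LogonType=10) logon with the envelope account.
SAMPLE_LOG = """\
2008-08-27T08:02:11 4624 TargetUserName=gfecyk LogonType=2 IpAddress=10.0.0.21
2008-08-27T08:03:40 4672 SubjectUserName=gfecyk
2008-08-27T23:14:05 4625 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.77
2008-08-27T23:14:09 4625 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.77
2008-08-27T23:14:20 4624 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.77
2008-08-27T23:14:21 4672 SubjectUserName=Administrator
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d{4})\s+(?P<fields>.*)$")


def parse_events(text):
    """Turn the sample format into dicts: {'ts': datetime, 'eid': int, field: value, ...}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank or unparseable lines rather than crash
        ev = {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"])}
        for kv in m["fields"].split():
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def break_glass_findings(events, account, failed_threshold=2):
    """Return findings for any activity on `account`, in log order.

    The envelope account is exempt from lockout, so a run of failed logons
    from one source is reported once it reaches failed_threshold; every
    successful logon and privilege assignment is reported unconditionally
    because the account is not supposed to be used at all.
    """
    account = account.lower()
    findings = []
    failed_by_source = {}
    for ev in events:
        user = (ev.get("TargetUserName") or ev.get("SubjectUserName") or "").lower()
        if user != account:
            continue
        src = ev.get("IpAddress", "-")
        if ev["eid"] == 4625:
            n = failed_by_source[src] = failed_by_source.get(src, 0) + 1
            if n == failed_threshold:  # report the burst once, not on every further failure
                findings.append({"ts": ev["ts"], "kind": "failed-logon-burst",
                                 "source": src, "count": n})
        elif ev["eid"] == 4624:
            failed_by_source.pop(src, None)  # a success ends the failure run
            findings.append({"ts": ev["ts"], "kind": "logon",
                             "source": src, "logon_type": ev.get("LogonType")})
        elif ev["eid"] == 4672:
            findings.append({"ts": ev["ts"], "kind": "privileges", "source": src})
    return findings


if __name__ == "__main__":
    for f in break_glass_findings(parse_events(SAMPLE_LOG), "Administrator"):
        print(f["ts"].isoformat(), f["kind"], f["source"],
              f.get("logon_type") or f.get("count", ""))
```

On the sample the envelope account shows a two-attempt failure burst and then a successful remote logon from the same address, which is exactly the "they opened it and used it" case the comment says should prompt a rethink; the regular admin account produces ordinary logon findings and nothing more.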

  3. Michael
    Stop

    No,

    According to that survey, 88% of admins SAY they would steal data if fired.

    The amount that actually WOULD steal data would need to be based upon the amount of those who have been fired and did.

  4. Rich

    Post-it notes

    That's because if the password policy demands you have a 48 character password like:

    b7gh7bg7v&BG&G&ghy78990JHJ())#$$%^&BAH

    and change it every eight hours, how are you going to remember the bloody thing other than in a spreadsheet or on a post-it?

    Couple that with having to get an account application signed off by all the board directors and their grandparents, so everyone uses the account of Fred who left in 1998.

  5. Brett Weaver
    Black Helicopters

    12% of IT Admins are liars!!

    Actually, there can be good reasons for taking sly backups of the situation when you leave....

    If you feel you are likely to be held accountable by management for later disasters caused by your replacement, it's nice to be able to chapter and verse them in court..

    For that reason alone I would recommend the offsite backup location to be your glovebox!!

    Taking data and releasing it inappropriately are different things...

  6. Anonymous Coward
    Anonymous Coward

    That's why you have firing policies

    The possibility of disgruntled employees wreaking havoc after being terminated is precisely the reason why multinationals like e.g. Shell Oil have the following policy when an employee has his or her contract terminated.

    The former employee in question is escorted from the premises immediately after being informed of the decision and is allowed only to stop at his desk (under close supervision of a security guard) to collect his/her physical personal belongings (briefcase, photographs of family, mug, favourite pen etc.) and nothing else. At the same time his account is suspended, and every single password he had access to is changed. Under no circumstances will said employee be allowed to interact with a computer or use company machinery before leaving. After collecting his personal belongings the former employee is escorted through security, his ID card is destroyed, and his permission to enter company premises is revoked.

    This is harsh, but is the only certain way to protect company assets from disgruntled former employees and was arrived at from harsh experience.

  7. Anonymous Coward
    Anonymous Coward

    What an unprincipled lot

    you can trust developers, but admins never!

    At one place we found them installing remote admin without telling anyone. That was an amusing security alert, as people assumed it was malware, and subsequently many projects were put at risk.

    Never take your eyes off them, and frankly all development departments should never allow admin anywhere near their systems, I would go so far as hiring attack dogs, trained on the putrid odour that most admins emit :)

    If you are an IT company you don't need them, or shouldn't need them.

    But of course they are in other places, lurking about looking to swipe your half drunk can of coke, screwing up the network, or turning off your remote server.

    Sodding liability most of them. Still there are a few good ones around, but they tend to offer development and administration; that's the key thing to look for.

    All systems should be managed by programs, it is ridiculous using a human who is basically just learning all the time, their activity of course can be reduced to a computer program. Code and go is the motto. Admins just leech off the main business, ooohhh look at how they can click a checkbox, admin want a cracker.

    So, really they are just a pair of legs and hands, but again I don't really want them anywhere near the guts of a machine to replace a part, bloody barbarians.

    The sooner most places go back to unix the better, administration there is an art, involves a lot of coding, actually streamlining and returning to the bottom line. Gates you have a lot to answer for.

  8. Michael Xion
    Joke

    password, what password

    Ha Ha, If my experience is anything to go by, you could solve this by merely asking the IT Admins to give you all the post-it notes (stickies) with passwords written on them that they keep in their wallets. Then fire them :-p

  9. Kurt Lundqvist

    Professional Integrity

    I wouldn't... it's down to being professional...

  10. Anonymous Coward
    Thumb Down

    @AC DEVELOPER

    Developers trustworthy? yeah right, you can trust them to never write a bloated, insecure resource hogging piece of Sh%t eh?

    Developers can embed backdoor stuff much deeper than admin's can.

    I sense someone didn't get their own way on a network issue, or the purchase of a company iPhone, so is stamping their little feet. Obviously AC as he is scared of what his BOFH would do if he knew what this luser wrote. What sort of Mac do you use anyway?

    Talk about overblown sense of self importance!

    Hope your admin turns off your remote server for good, and electrifies the door handles!

  11. Grant
    Go

    @How to secure the trust of your PHB

    This was pretty much standard policy when I worked in finance for all top level passwords. Put in 2 sealed envelopes, sign over the seal, one to offsite backup, one to safe/vault. Each month have envelopes returned, check seal, change password and repeat. It also serves as disaster recovery backup in case I am hit by a bus.

    Unfortunately I could never get myself fired with the accompanying 1 month to 1 year's compensation, I always quit out of political frustration when the sane management who hired me moved on.

  12. tuna

    Remove Culpability

    When I left my last net, that I built from the ground up, I was disgruntled as hell. So, I insisted the owners join me in the "closet" and I instructed them on how to change all admin account passwords in the AD... following the secure criteria I drilled into them from Day 1. I made it very clear that I didn't want to know the new p/w's and I stood away where I couldn't see the screen nor keyboard.

    Sure I could crack it, but then who would hire me to build/admin another net? Plus, if I need them for a reference, I know I can still list them.

  13. Anonymous Coward
    Anonymous Coward

    @What an unprincipled lot

    ROFL...

    Good joke... I mean really... What's your next act...

    A proper sysadmin isn't just a trained parrot/monkey. They actually have a completely different skill set than developers. And while it's true that most admins tend to be a lazy bunch, most will step up and do their job when there is need.

    I had to do sysadmin at one company full of devs... What was the result... Each dev had their own setup with their own apps etc... Now move on to the next company... Nothing much changed.

    I had to help a dev reinstall his box after he got some malware on the box. The guy wasn't able to start the install simply because the install CD lacked a driver for the SATA controller... I had to find for him a USB floppy disk and the driver that was needed for Windows to load the driver. Similar with most others...

    A proper sysadmin tends to be a skilled troubleshooter with a wide area of knowledge and very little specialisation. He/She should be capable of quickly picking up new things and being able to explain those things to the (l)users...

    Anonymous to keep the trend going ;)

  14. Peter

    @Anonymous Coward

    Really? I always thought 90% of the devs I met were morons, especially the ones that thought they actually understood IT beyond their blinkered view through their IDE of choice - I had a brief stint working dev but I got out of it - there are only so many times you can mindlessly bang out a variation on the same code. I'll qualify that by saying I do do a little coding occasionally but not professionally.

    I did the support -> admin -> design/consultancy thing instead and frankly I wouldn't touch a role doing dev again.

    ++ to unix (linux, solaris, whatever), but I wouldn't call unix administration coding.

  15. Anonymous Coward
    Coat

    @ AC "what an unprincipled lot

    Without admins you would not have an environment to develop on.

    Get back into your cube and eat some more Skittles. Sandal wearing freak.

    Mine's the one with mouse balls in the pocket.

  16. John
    Go

    LetmeinOhyesPlease1234567

    Oh I have just discovered that any data I have access to is worthless and the passwords are on hundreds of post-it notes... so if they sack me I can't even get a warm place to stay free. If you have 800 passwords on 800 boxes, all of them like "LetmeinOhyesPlease1234567" only all different, how are you supposed to remember them, unless they are written down somewhere.

  17. Anonymous Coward
    Anonymous Coward

    Leaving holes with permission

    I've worked somewhere that had problems with ex-employees ringing current ones to destroy files they had created at work/had access to.

    Even more fun was the admin account created exclusively for Sophos (Spits on ground) to update on over 100 machines. It can't be revoked as it's too much hassle to go round and change it. I've been gone 3 years and still haven't used it (I forgot the remote IP). Backup tapes are far easier to get info from without traces anyway.

    Mine's the one with the DAT tapes in the pocket

  18. Brian Milner

    What were the survey questions?

    Without seeing the survey questions, we have no idea how they came up with that result. Here's a lighthearted example of questions skewing poll results from 'Yes Minister'.

    ___________________________

    Sir Humphrey: "You know what happens: nice young lady comes up to you. Obviously you want to create a good impression, you don't want to look a fool, do you? So she starts asking you some questions: Mr. Woolley, are you worried about the number of young people without jobs?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Are you worried about the rise in crime among teenagers?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Do you think there is a lack of discipline in our Comprehensive schools?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Do you think young people welcome some authority and leadership in their lives?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Do you think they respond to a challenge?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Would you be in favour of reintroducing National Service?"

    Bernard Woolley: "Oh...well, I suppose I might be."

    Sir Humphrey: "Yes or no?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Of course you would, Bernard. After all you told me you can't say no to that. So they don't mention the first five questions and they publish the last one."

    Bernard Woolley: "Is that really what they do?"

    Sir Humphrey: "Well, not the reputable ones no, but there aren't many of those. So alternatively the young lady can get the opposite result."

    Bernard Woolley: "How?"

    Sir Humphrey: "Mr. Woolley, are you worried about the danger of war?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Are you worried about the growth of armaments?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Do you think there is a danger in giving young people guns and teaching them how to kill?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Do you think it is wrong to force people to take up arms against their will?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "Would you oppose the reintroduction of National Service?"

    Bernard Woolley: "Yes"

    Sir Humphrey: "There you are, you see Bernard. The perfect balanced sample."

  19. Anonymous Coward
    Coat

    @What an unprincipled lot

    You are absolutely right! All good sysadmins are REQUIRED to know at least some development. Scripting is a must, in a number of languages, and object oriented scripting is a requirement of any good admin who doesn't want to keep repeating unnecessary work.

    If a sysadmin is doing his job, then he has nothing to do, except wait for the phone to ring with a change request, or swap out the odd dead part. (Or backup drive.)

    I guess that's why good sysadmins are required to be project leaders, developers, analysts, and a host of other things.

    I guess that's also why nobody wants to hire developers anymore. Why hire a developer for twice the salary when you can hire a sysadmin for less, and get someone who bothered to learn how a system works before trying to code on one. Don't worry though, there will always be plenty of developer jobs in India for you, so you are safe.

    For now though, I just finished pushing an OS to a few dozen pieces of metal, and while the scripts install the apps and run the patch sets, I'm going to go patch the SSI on the Intranet one more time, since those useless devs forgot to cross-test their JS in multiple browsers. Maybe I should throw a few more Snickers bars over the roof at them; might get some better results.

    :)

    Mine's the one with the card that's one stamp shy of a free pint at the pub...

  20. Anonymous Coward
    Paris Hilton

    @AC

    You're just sore because the admins get all the babes.

    Paris 'cos she's hanging out with us at Mission Control as I write this.

  21. Anonymous Coward
    Anonymous Coward

    Be reasonable

    Through no fault of their own, when a sys admin leaves a company he is going to retain some sensitive passwords just through his/her memory (not RAM!). If the company wants real peace of mind then they should change all access passwords when they leave.

    Sys admins have privileged access to information and areas of the network during their time with a company - it is part of the job and a certain amount of trust goes with the industry. If they want to stay in IT (and out of prison) the vast majority (more than 88%) respect that privilege. I'm biased, but I think they're a pretty trustworthy bunch.
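"Change all access passwords when they leave" is easy to say and hard to finish, as the earlier comment about the antivirus push account configured on over 100 machines shows. The following is an added example (not from either commenter, and not any vendor's product) that works the leaver problem through as data: given an inventory of who holds which credential, it separates the personal accounts that can simply be disabled from the shared and service credentials that must be rotated, orders the rotation by how widely each credential is deployed, and reports what the leaver can still use after whatever was actually done. The inventory, account names and host counts are constructed for the example; in practice they would come from the directory, the password vault and configuration management.

```python
"""Work out what must be disabled or rotated when an admin leaves.

Added example, not from the original thread. The inventory is constructed
for this example: in practice it would come from the directory, the
password vault, and whatever config-management data lists where service
credentials are deployed. Account names and systems are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    system: str
    account: str
    kind: str            # "personal" (one user), "shared" (known to several), "service" (embedded in software)
    holders: frozenset   # people who know or can use the credential
    deployed_on: int = 0 # hosts where a service credential is configured; 0 if not embedded anywhere


# Constructed inventory. 'svc-av' mirrors the antivirus push account from the
# thread: one password configured on 100 machines and known to the leaver.
INVENTORY = [
    Credential("ad", "jsmith", "personal", frozenset({"jsmith"})),
    Credential("ad", "jsmith-adm", "personal", frozenset({"jsmith"})),
    Credential("ad", "Administrator", "shared", frozenset({"jsmith", "envelope"})),
    Credential("ad", "svc-av", "service", frozenset({"jsmith", "rjones"}), deployed_on=100),
    Credential("core-sw1", "admin", "shared", frozenset({"jsmith", "rjones"})),
    Credential("crm-db", "dba_rjones", "personal", frozenset({"rjones"})),
    Credential("backup", "tape-encryption-key", "shared", frozenset({"jsmith", "rjones", "ops-mgr"})),
]


def offboarding_plan(inventory, leaver):
    """Split the leaver's access into accounts to disable and secrets to rotate.

    Personal accounts are simply disabled. Anything the leaver shared with
    others cannot be disabled without breaking colleagues or software, so it
    must be rotated; the list is ordered so the widest-deployed credentials
    (largest blast radius, most effort) come first.
    """
    mine = [c for c in inventory if leaver in c.holders]
    disable = [c for c in mine if c.kind == "personal"]
    rotate = sorted((c for c in mine if c.kind != "personal"),
                    key=lambda c: (-c.deployed_on, c.system, c.account))
    return {"disable": disable, "rotate": rotate}


def residual_access(inventory, leaver, done):
    """Credentials the leaver can still use after the actions in `done`.

    `done` is a set of (system, account) pairs that have actually been
    disabled or rotated. Whatever remains is the real exposure; a policy that
    says 'change every password' is only as good as this list being empty.
    """
    plan = offboarding_plan(inventory, leaver)
    return [c for c in plan["disable"] + plan["rotate"] if (c.system, c.account) not in done]


if __name__ == "__main__":
    plan = offboarding_plan(INVENTORY, "jsmith")
    print("disable:", [(c.system, c.account) for c in plan["disable"]])
    print("rotate :", [(c.system, c.account, c.deployed_on) for c in plan["rotate"]])
    # Suppose only the personal accounts and the switch password were dealt with on the day.
    left = residual_access(INVENTORY, "jsmith",
                           {("ad", "jsmith"), ("ad", "jsmith-adm"), ("core-sw1", "admin")})
    print("still usable by the leaver:", [(c.system, c.account) for c in left])
```

Disabling the leaver's own accounts is the quick part; on the sample inventory the leaver walks out still holding the 100-host service password, the built-in Administrator password and the tape encryption key until each is rotated, which is the gap the sealed-envelope and "offsite backup in the glovebox" comments are really about.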

  22. Archie Woodnuts
    Happy

    Re: What an unprincipled lot

    I take it they won't let you have admin rights then?

  23. Anonymous Coward
    Anonymous Coward

    Not just IT Admins

    Anyone in a senior position in a company (1 above the receptionist) can and will do this.

    Example:

    A consultant working for a firm decides to leave or is fired.

    The firm has 150 clients and a database of 2500 possible clients.

    Consultant leaves with both the database of current clients and the 2500 to market his consultancy services to.

    This is widespread and was happening long before we had the joys of computers... So why would it be any different for IT people?

  24. GottaBeKidding

    @What an unprincipled lot

    You've obviously never seen a real Windows admin. With larger accounts, "Code and go" is exactly how it's done - By the admin. All major tasks are (or should be!) scripted. Checking checkboxes is for chumps.

    Thanks to VBScript & friends, a lot of the UI is exposed to script - cradle to grave user management is possible, for example.

    But on the original topic, I find this claim disturbing. The most valuable thing I'll take with me when I leave will be my skills and experience - 8 years of Active Directory in a large environment. I don't need my employer's data to be able to sell that.

  25. Solomon Grundy

    Trust

    I don't trust any of those crazy computer geeks. They're all borderline suicidal anyway.

  26. Anonymous Coward
    Gates Halo

    @ What an unprincipled lot

    Hey, if it wasn't for developers and their hooky coding, the world wouldnt need systems admins!

  27. Nick Palmer
    Flame

    @AC - What an unprincipled lot

    As opposed to most developers I've met, who don't know what a fucking subnet is, and think that "routing" is something done by that thing stuck to their windscreen; that's before the snide, supercilious little fucks decide that they don't need to worry about software licenses and end up getting the company raided by FAST, or decide to change the IP addressing on their machine (because the thick bastards decided to hard-code IP addresses into the fucked-up abortion of an application that they're trying to pass off as working software to the clients that they've conned into thinking that they're anything like competent) and then complain because "the network's broken".

    I don't suppose it occurred to you, numb-nuts, that they might have installed remote admin software to provide better and more timely support after you and others of your misbegotten ilk fuck your machines up again and then decide to complain about how the "IT doesn't work..."? And if that put "many projects" at "risk", then you probably weren't competent to be running them anyway.

    As to this survey, gosh, company that depends on persuading people that there's a problem conducts a survey that "proves" there's a problem. Pardon me while I regain consciousness after fainting from fucking shock. I've been an administrator for a good many years, and I have been made redundant once after the company downsized drastically. I didn't consider stealing anything from the company in question, and I know quite a few other people who've been in similar situations and they never have either. The survey is bollocks, and to Austin Modine? How much did they pay you to shill for them?

  28. Solomon Grundy
    Unhappy

    @Brett Weaver

    Dude. I hope that's a joke because that's insane - and absolutely incorrect. That's exactly the kind of thinking that sees huge databases put on CD and left on the train and stuff.

    I hope your boss doesn't read el reg and you work at some tiny little non-audited firm.

  29. Anonymous Coward
    Thumb Up

    depends how you define "DATA"

    after all - i still have a fantastic "boot disk" and the internal email addresses of a couple of friends.

  30. Anonymous Coward
    Joke

    re: firing policies

    "Under no circumstances will said employee be allowed to interact with a computer or use company machinery before leaving"

    That's why my logic bombs are designed to detonate if I don't renew their password every 3 months!

  31. Anonymous Coward
    Anonymous Coward

    Separate data from process.

    This is why Oracle is now adding features such that DBAs can administer the database but they can't use the data. Doesn't stop said DBA from destroying the data.

    Well that's one issue out of the way.

  32. Neil

    What utter bollocks

    I absolutely refuse to believe that 88% of employees would say they'd steal data if fired, much less actually do it. Of course some people would, but not 9 out of 10.

    88% of IT employees now think that Cyber-Ark is a crock of shite after reading this article.

  33. Dan White
    Thumb Up

    Re: "That's why you have firing policies"

    It's not harsh, it's plain common sense. As long as the employee is paid for outstanding notice / holiday, are you seriously telling me that they would *prefer* to work their notice period?

    A friend of mine got an interview for a rival IT company, and when offered the job, immediately informed his PHB. An hour later he walked out of the building with three months pay and was able to start his next job a month early. He called it his, "disloyalty bonus" :-)

  34. Ken Hagan

    Er, "stable door"?

    Presumably you change the passwords whilst the victim is in the boss' office getting the bad news. OK, but this person previously had full access and probably has an off-site backup at home. Oh, they didn't ask *that* question.

    Absurd survey pushing useless product. Film at 11.

  35. Tony

    Call me Mr Cynical

    As I was told many years ago, there are only 3 types of people in the world - the "Sad", the "Mad", and the "Bad". All of them will steal - and that includes you and I. It's just a case of if you are prepared to admit it.

    Everyone has their price - and anyone who thinks that they don't is only fooling themselves. I've seen magistrates, lawyers and police caught stealing. Doctors and nurses pinch drugs from the hospital (for their own use or to push on others). Civil servants access confidential data and then pass it on to others. Priests fiddle with kiddies, or load guilt onto people whose only crime is naivety. Managers make promises that they have no intention of keeping. Bankers push loans onto people that they know have no chance of repaying. Sadly, there is no end to the depths that humans will descend.

    @AC - trust a developer? Never; I've seen too many hidden items within code to ever allow me to do that.

    Gordon Fecyk has the right idea; document everything and make sure that you let people know that you are doing it and why. It's not the whole answer - but the reality is that there are very few people that you can really trust.

  36. Anonymous Coward
    Anonymous Coward

    RE:What an unprincipled lot

    How dare you! How many computors can get so upset at being thought of as jumped up hell desk geeks, or say 300 times in a row "have you tried switching it on and off?".

    Yes, I have been on the receiving end of a few too many hell desks and admins.

    As for wiping people's accounts, we have someone leaving today in accounts. We have been trying to get his bank access closed for weeks but none of the admins will do it properly. Very worrying as this is real money, not just data.

  37. Anonymous Coward
    Anonymous Coward

    @ What an unprincipled lot By Anonymous Coward

    What an interesting world you live in...

    As one of those Admins you so obviously despise, I find the major danger to systems are the users... Especially the users who think they 'know it all'.

    Still, you run your system how you like, I'll do the same.

    Incidentally, just what IS your position?

  38. Big_Boomer
    Flame

    Trust Developers? <ROTFLMAO>

    >you can trust developers, but admins never!<

    Yeah, we can trust developers to cut corners and write poor code and generally f*ck up the company product, when they're not writing backdoors and security loopholes into it.

    Besides, how would you know what an admin does?

    When he's freezing his arse off in an 18C server room, fixing the machine that your crappy code has crashed, you are in the games room being "creative" with your newest i-extension.

    Given the recent progress made in "self-programming code" I think your job might be under threat WAY before they start to fire the BOFHs of this world. To be honest, most developers I have met qualify under the "Get an infinite number of monkeys" scheme promulgated by most companies.

    Finally, you really should be cowering under your desk by now (like the wimpy gray geek you are) as once your bofh discovers it was you that posted that comment MR ANONYMOUS COWARD, I wouldn't give a <clickety> for your continued employment or freedom <BWAH-HAH-HAH>

  39. Anonymous Coward
    Paris Hilton

    For what exactly ?

    There's data and there's data.

    Would I take handy scripts, procedures and stuff I have created there for my work .. probably, if I don't have those privately backed up already.

    Would I create a backup of the CRM/ERP DB ? (how the #$%@^& would you fit that on a USB drive anyway)

    Why ? And besides the obvious ethical objections, what would I do with it ?

    Go to the competitors? Who would I approach? Why would they take it and pay for it? (it's usually more the sales dept. that would have such contacts and insights). Would I ever get a job in this line of work? (the world is smaller than you think)

    Then again, if it would be a direct dismissal due to BOFH behaviour, a good IDM system would prevent the taking of such important corporate data anyway. (single click account blocking on over 15 systems is a fun thing to do :) )

    (Paris, 'cause she also seems to be missing something, when 'stepping out')

  40. Campbell
    Stop

    No

    Abuse or betrayal of trust, treason by another name, is a very, very serious matter. They have a word for folk like this, traitor.

    Hey, isn't treason still punishable by Hanging in the UK?

    Admins hold a very great deal of trust and if the guys answering this survey aren't just having a laugh then they should firstly be utterly ashamed of themselves and secondly named, shamed, bagged on the spot, ID'ed, RFID'ed and never, ever allowed to work in any position of trust again.

  41. Anonymous Coward
    Anonymous Coward

    re: re:

    re: that's why you have firing policies:

    it's not just multinationals, at the first company I worked at I'd generally know that people were getting fired or being let go before they did. they would start a meeting, half way through that meeting one of the directors would come and tell me to disable their account.

    that way they literally left the meeting room said their goodbyes and went, no computer based fun for them, and that was in a company of 12, you don't have to be a massive multinational company to have a decent policy -not even policy, just way of doing it, to stop data theft.

    re: what an unprincipled lot.

    the company that I worked for mentioned above was a development company.

    and it was a harsh policy of locking them out before they were even actually fired for the simple reason that developers don't seem to be able to grasp the fact that the code they wrote for the company was the property of the company, not theirs, before that policy was in place quite a few people tried to take their work, and clever sections of co-workers work with them.

    also, just as a quick point, you're right, admin jobs should be replaced with automated systems, wouldn't that be nice, system that actually could take care of themselves...

    just get yourself and your developers to start writing reasonable code that doesn't need nannying through its days, and that doesn't break, and that can be easily used by help desk users and I think you'll have a plan.

  42. Eurydice Sophie Exintaris
    IT Angle

    Bitter ending...

    My ex-boss changed external IT support suppliers one day and a few days later the one-man-support-company IT guy visited and got the grand tour from me. I was the IT Projects Manager and resident IT guru, but as I officially was NOT support staff, we still had external support suppliers.

    2 days later I noticed the Admin password had changed, and the new IT guy was refusing to give it to me. (over the phone, mind you, he was freelance, and not to stay in the office. Lucky him.)

    The next day bossman called me "for a chat" and announced I was being made redundant, as the projects I was working on had wrapped up.

    Had I cared about what they did, I'd be regretting not having a chance to... make my departure memorable in various interesting ways.

    Alas I was too busy seething at being made to work my 1 month notice period, and while idly reading job boards across the net, finding out I'd have worked there 3 weeks short of a year, the legal UK minimum after which you are allowed to claim for unfair dismissal.

  43. Anonymous Coward
    Anonymous Coward

    Passwords?

    Keys are all the rage nowadays, fairly easy to deal with and you can update them if you like. Local key release by passphrase (normally a decent password) and then use the key remotely.

    "It's not harsh, it's plain common sense. As long as the employee is paid for outstanding notice / holiday, are you seriously telling me that they would *prefer* to work their notice period?"

    I always have done - it's a "pride in work well done" thing. I at least want the opportunity to tie up loose ends and hand over existing work to colleagues.

  44. Anonymous Coward
    Stop

    Developers? Secure?

    I'm sure the comments were tongue-in-cheek, but I have lost count of the number of battles telling developers that they are not having admin privs because their app isn't written correctly!

    No way I would steal even so much as a paper clip from the office, way too risky and as an average "smo" with a mortgage and family to look after, everything I touch gets thought about twice. I too always document everything, then I get a good reputation for being open and honest. No price would be high enough, ever heard of the Proceeds of Crime Act? No matter what you get for nicking something, they can fleece the lot out of you, so don't give me that do the time and then live in the Bahamas BS!

  45. Jared Earle
    Happy

    Steal? Why bother?

    Seriously, if you get sacked today, forget the old place, take your notice period payment, get another job and take a wee holiday.

    Stealing data? Too obvious. You're the obvious first name on any investigation. You're better off closing that chapter of your life and moving on. It's not like a decent admin can't pretty much pick and choose a new job.

  46. Anonymous Coward
    Unhappy

    Who did they ask?

    It's not clear. Did they ask the IT admin, or did they ask the Info Security Officer? If the latter, then it is the ISO's lack of trust / perception of their IT staff.

    Doesn't matter. 88% of all stats are made up on the spot anyway.

    Also remember that what goes around, comes around. If you steal someone else's data today - and promote such data theft - you should expect to have yours stolen tomorrow.

  47. Anonymous Coward
    Anonymous Coward

    nonsense

    Is this the same crew that thought it bought passwords for chocolate some months back?

    @unprincipled:

    "lurking about looking to swipe your half drunk can of coke"? The way you write, buster, nobody in his right mind wants to get anywhere near your bodily fluids.

  48. JC

    Who has seen the survey questions?

    Given the biased nature of the survey originator, it's no surprise if the survey questions are misleadingly engineered to draw a conclusion that more would steal data than actually would.

  49. Mark Fullbrook
    Happy

    Cyber-ark respond......

    My name is Mark Fullbrook, I'm the Director for the UK and Ireland for Cyber-ark and it was me that commissioned this survey.

    Let me give you some feedback on how this survey was run.

    We asked 300 people with Administrative privileges a series of questions at the Infosecurity Europe Show which took place in April in London. How did we know they had administrative privileges? Well we asked them of course!

    Once we had established their suitability we asked them a series of questions. Things like:

    "Have you ever used your administrative privileges to access information that was NOT relevant to your role?" (That had over a 30% positive response rate)

    or

    "If you left your company tomorrow which of the following would you consider taking with you" - followed by a list of things like Company records, HR records of course, highlighting one which said NOTHING. (we had 88% of people choose something OTHER than NOTHING)

    There were a few other questions of course, and we intend to publish this as a white paper, but I just want to address some of the responses on this site.

    First of all, I find it amazing how many times admins respond to these types of survey with the view that it is the users' fault that they have to set up back doors or that they do not need to be monitored because of some God given right to anonymity.

    Cyber-ark produce software that provides companies with the ability to automate password changes on privileged accounts, whilst ensuring that Administrators and Privileged users get the full access they have always had. The alternative is to just trust your user base and (from our survey) whilst that is fine for 12 of your 100 Admins, it might be a little foolish for the other 88 (I'm being slightly sarcastic here - but I'm trying to keep in line with the tone of most of the responses!!)

    We don't supply companies with software to monitor privileged access because most IT Admins and Privileged Users are good, we do it because every now and again, you are going to have a bad one....... and why give them the opportunity if you don't have to.

    Feel free to get in contact with me if you want to hear any more about the survey and please, feel free to visit us at Infosecurity 2009 and take the survey yourself, and then you can see if things turn out differently. Personally, I don't think they will.

    Incidentally, to those that say "it was fixed" ZDNET responded to an earlier release centered around the "would you use your administrative privileges to access information NOT relevant to your role" question by running their own survey... Guess what? The results were exactly the same.

    BIG SMILEY FACE because generally, I'm a pretty happy guy..

    (I just get a little excited when people say my company is lying)

  50. Anonymous Coward
    Coat

    Shock-Horror ...

    Water is wet, fire burns, the Pope's a Catholic, bears shit in woods.

  51. Mike
    Flame

    @mark

    Greets Mark,

    We may have met a few years ago at a SANS conference. You have an interesting suite of products. And I would like to say to you and all the other posters that your stats are probably correct. I have never left a company empty handed, whether that be a key for a spendy piece of software, or some clever bit of scripting I wrote, and don't want to have to re-invent elsewhere. That in and of itself would put me on your list. However, I am a skilled unix admin and security professional, it is my job to see that the things I can do to your company can't be done by others. I consider all of an employer's systems to be MY systems for the duration of my employment, and I treat them as such [properly operating and secured, etc]. All of my employers consider me to be trustworthy, and I have never given them cause to think otherwise, but I am a sysadmin and not to be trifled with, for thou art crunchy and taste good with catsup ;)

    I would have no problems with crushing those who deserve it. Not AC. I have nothing to fear.

  52. Anonymous Coward
    Anonymous Coward

    @nonsense and beyond

    Buster, gosh look who has crawled out of a bad 1950's movie :)

    I am guessing it was the bad odour comment that got you - perhaps that is why you are not seeing much skirt; Eau de Admin - population control in a bottle.

    Seriously, most Windows admin work is the one eyed man with a squint, who is serf to the numpties, in the land of the blind and deaf.

    There is no reason for admins to have the password to secure encrypted data.

    There exist many methods where data can be made secure, none of which involves IT administration - though of course a developer would have to write the application :)

    Well, let me take some gems:

    'They actually have a completely different skill set than developers. '

    You jest, skillset hmmm stretching the English language somewhat there.

    '.. who don't know what a fucking subnet is, and think that "routing" is something done by that thing stuck to their windscreen'

    I like this one, fighting talk. Quite right, some developers are not really developers either, in fact those are the vb and .net weenies.

    Though let's play - subnetting is the act of taking a range of sequential IP addresses and assigning a network to it with an optional broadcast, hence a description of a CIDR of 172.22.5.9/29 would indicate a network range of 172.22.5.8 - 172.22.5.15. Hardly rocket science now is it.

    Routing is even simpler. How hard is it to type:

    route add 172.22.55.8 netmask 255.255.255.248 gw 172.22.55.10 eth6:2

    Now the question is, have I put in a deliberate mistake or not?

    You would have more marks awarded had you mentioned BGP.

    'Hope your admin turns off your remote server for good, and electrifies the door handles!'

    See now that is what I am talking about - unprincipled to the nines; oh admin push button, admin make thing not work, idiots, oh Developer takes red hot iron and pushes it up where the sun doesn't get a look in.

    'You've obviously never seen a real Windows admin'

    You're quite right - and neither have I seen pixies or Santa Claus :) A Real Windows admin, ohhh what a terrifying sight that must be to behold. Though I like that distinction it is not all admins, just the pretend Windows ones.

    'I find the major danger to systems are the users... Especially the users who think they 'know it all'.'

    Yes you have hit the nail on the proverbial head, Windows Admins are those l'users, quite incompetent, and yes they think they know it all. But, really they know such a tiny minute fraction that is probably not even worth attributing the term knowledge to it.

    Perhaps we could call window admins, guessers, they take their finger out of their butts wave it in the wind, see which way it stinks and then press a button.

    'I take it they won't let you have admin rights then?'

    No, actually quite the opposite, they are more annoyed I nerf their admin privileges, so they are stuck with no omnipotence on the systems or network; just how it should be. Little roles for little people is what I tell 'em.

    This one really does take the biscuit (and the half drunk can of coke).

    'Without admins you would not have an environment to develop on.'

    Phwooar, who the hell do you think wrote those environments, deluded microweenie. Window admins have to make do with the scraps that developers throw them. Like a pack of famished scrawny little dogs; window admins, leap to digest the little trinkets of code dangled in front of them. You do realise that is done for sport.

    Well that was quite good fun, but you know what IT is a power game, at times it has to be said who wears the big boy trousers in the relationship, and who is the bitch. Bend over window admin boys, you work for developers, and stop stealing the data :)
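    The subnet arithmetic the post walks through, as an added example that is not part of the thread: the /29 calculation done on integers rather than through a library, plus one sanity check a route-table audit would include, namely whether a route's gateway sits inside the very destination network it is supposed to reach (which is the case for the addresses in the quoted route command; whether that is the "deliberate mistake" the poster had in mind is not stated).

```python
# Added example, not from the thread. Subnet arithmetic by hand, plus a
# sanity check for a static route whose gateway lies inside its own
# destination network (circular: reaching the gateway already needs a
# route to that network).
import socket
import struct
from typing import Tuple


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer (raises on malformed input)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def cidr_range(cidr: str) -> Tuple[str, str, str]:
    """Return (network, broadcast, netmask) for 'a.b.c.d/len'.

    Host bits of the given address are masked off, so 172.22.5.9/29
    yields the same network as 172.22.5.8/29, as the post describes."""
    addr, plen_s = cidr.split("/")
    plen = int(plen_s)
    if not 0 <= plen <= 32:
        raise ValueError("prefix length out of range")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    net = ip_to_int(addr) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    return int_to_ip(net), int_to_ip(bcast), int_to_ip(mask)


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length, rejecting non-contiguous masks."""
    m = ip_to_int(mask)
    plen = bin(m).count("1")
    if (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF != m:
        raise ValueError("non-contiguous netmask")
    return plen


def gateway_inside_destination(dest: str, mask: str, gw: str) -> bool:
    """True when gw falls within dest/mask, i.e. the route is circular."""
    net, bcast, _ = cidr_range(f"{dest}/{mask_to_prefix(mask)}")
    return ip_to_int(net) <= ip_to_int(gw) <= ip_to_int(bcast)


if __name__ == "__main__":
    print(cidr_range("172.22.5.9/29"))
    # The route quoted in the post: destination 172.22.55.8/29, gateway .10
    print(gateway_inside_destination("172.22.55.8", "255.255.255.248",
                                     "172.22.55.10"))
```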

  53. Anonymous Coward
    Anonymous Coward

    Dear Mark Fullbrook - welcome to the wonderful world of statistics

    "How did we know they had administrative privileges? Well we asked them of course!" - and THAT was your FIRST mistake... because EVERYONE considers themselves to be more important than they really are and it is often tempting to give answers from a previous job if you think the end result is going to be more rewarding.

    I, for example, have absolutely no admin privileges at my current place of work although I know a damned sight more IT, security, networking, software use and installation etc etc than the guy who, thanks to a rudimentary MicroShaft Certificate, does. To be honest, I know a damned sight more bloody English Grammar than that fool too but that's another story.

    A previous job saw me as a highly respected member of a small team (a team of 2 - me and my boss - who could not even muster the title of 'computer illiterate') within a massive multi-location network - and my admin access was ridiculous - primarily by the nature of the network but also because I proved time and again to the central support group that I was not going to accidentally install service pack 2 without checking first, or delete someone's homedrive before they left. I couldn't say I ever went "somewhere I shouldn't" however, because there was NOWHERE that I "shouldn't" go... albeit once I had proved that I wasn't going to fuck the network, the local system, the backups or the users in the process. I was, to the bulk of the users (minors) some sort of omnipotent Web-Pig... I saw it all... every homedrive, every webpage, every screenshot. The best bit, naturally... was deleting pictures of page3 girlies in bikinis from the homedrives of the 6th years and leaving a text file saying - "next time I'll show the HeadMaster". Mwah - All your nudies are belong to me.

    So now, when you ask - did I take anything away with me - indeed I did; memories mostly... wonderful warm memories. Lies are one thing, I do not suffer liars myself either and applaud your decision to respond... but, as was so eloquently added above, 88% of statistics are made up on the spot - or at least they might as well be because 100% of individuals know how to manipulate the truth, even if none of them resorts to lying. Now might be a good time to wipe that misplaced smile off your face.

  54. Mark Fullbrook
    Unhappy

    I'm sorry but I don't understand?

    So Mr Anonymous Coward, you are saying that because you were given complete access to everything in a job you USED to have, and you didn't steal any data, the survey we ran was not accurate?

    And apparently we SHOULDN'T have asked the people if they had administrative privileges because THAT also makes our survey less accurate?

    I respect you for your honesty in revealing that you would never steal data (I think I mentioned my respect for all honest admins in an earlier post - apologies if I didn't) but I can only publish what I am given.

    Once again, I urge all of you, ONE AND ALL, come to our stand at infosecurity 2009 and take the survey!

    And once again, I refer you to the ZDnet survey that was completely independent that came up with the same results.

    Not so smiley face, because it seems I'm no longer the most popular person on the reply list......
