IT Services Takeaway from NSA Scandal: Who Controls Your IT Admin Accounts?
Volumes have been written about “Snowdengate,” the NSA’s data-gathering and lessons that can be drawn for enterprise IT support. Some of it has even been useful advice: Use encryption, secure your WiFi network, update your password policy, get the latest security patches, and so on. We certainly agree.
But probably not enough has been written about the elephant in the room: Sometimes organizations’ chief threat comes from within. What do you know about your own system administrators, IT managers, contractors and app developers? What assets can they access? What privileges do they enjoy? How do you monitor their activity? And, importantly, how do you control access to their administrative privileges?
We don’t know all the details of what Edward Snowden did or how he pulled it off – or even if everything he says is true.
This much we know, however: He was a low-level consultant for the National Security Agency who went undetected while accessing information he wasn’t supposed to see – let alone leak. Snowden told The Guardian what he did was easy. “I don’t have special skills,” he said.
What he did have was privileged network access, and that can be a dangerous thing. Listen to Snowden:
"When you're in positions of privileged access, like a systems administrator, for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee ... Anybody in the positions of access with the technical capabilities that I had could, you know, suck out secrets."
The Problem with System Admin Accounts
Last year the Lieberman Software Corporation released a survey of 450 IT professionals. Some of the results are startling:
- 39 percent of IT staff can get authorized access to their company’s most sensitive data – and 20 percent already had accessed documents they shouldn’t have.
- 68 percent of respondents said they had access to more sensitive information than anyone at the company, including executives.
- 11 percent said that, if their jobs were in jeopardy, they would abuse their administrative rights to snoop around the network to find sensitive information, including a list of people to be fired.
- 11 percent said they’d be in a position to take sensitive information if they were fired tomorrow.
- Nearly a third said their bosses didn’t know enough to stop them.
It’s important to note that an overwhelming majority of those surveyed had not – and would not – abuse their access. However, it takes only one.
System Admin Accounts are Hackers’ Prime Target
Another problem is that administrative accounts – so-called “privileged accounts” – are increasingly a targeted gateway for hackers, simply because they offer universal network access and are often unprotected.
The IT security firm Cyber-Ark last month issued a study that determined two of every three privileged accounts in organizations surveyed are either unknown or unmanaged. The same study found that most organizations fail to change passwords on privileged accounts at the recommended interval of no longer than 90 days. As Cyber-Ark points out, that process ought to be automated.
Clearly, many organizations have no better handle on system administrator accounts than the NSA did when Snowden was busy stealing secrets.
Solutions Are Available to Mitigate Threats
The good news is solutions are now available that can substantially mitigate the threats. Your IT consultant or managed IT services partner has the tools to perform a full security assessment and mitigate ongoing threats.
The first step is to identify all privileged accounts and who has access. Administrative account security solutions can automate the process of tracking account access and enforce protocols – on passwords, for example – that will keep accounts secure.
Organizations also should employ software that creates an audit trail on user accounts. You can set the software to flag users if certain data is accessed, or if usage patterns are irregular or suspicious. Alerts can be set up to document the requestor, purpose and duration of privileged access requests.
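The two steps above, as an added Python example that is not part of the original article or any vendor product: it audits a constructed inventory of privileged accounts for missing owners, unmanaged status and passwords older than 90 days, then checks constructed audit-trail events against approved access requests. The CSV columns, account names, dates and function names are assumptions made for the example.

```python
import csv
import io
from datetime import date, datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # rotation interval cited in the article

# Constructed sample inventory (not real accounts); column names are assumed.
INVENTORY_CSV = """account,owner,managed,password_last_set
svc-backup,,no,2012-11-02
dom-admin-01,j.rivera,yes,2013-05-20
root@db01,ops-team,yes,2013-01-15
"""

# Constructed approved requests: requestor, purpose and duration of access.
REQUESTS = [
    {"account": "dom-admin-01", "requestor": "j.rivera", "purpose": "patching",
     "start": datetime(2013, 7, 1, 9), "end": datetime(2013, 7, 1, 11)},
]

# Constructed audit-trail events: (account, user, time of privileged logon).
EVENTS = [
    ("dom-admin-01", "j.rivera", datetime(2013, 7, 1, 9, 30)),
    ("dom-admin-01", "j.rivera", datetime(2013, 7, 1, 23, 5)),
    ("root@db01", "contractor7", datetime(2013, 7, 1, 10, 0)),
]

def audit_inventory(csv_text, today):
    """Flag accounts with no owner, not under management, or stale passwords."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["owner"].strip():
            findings.append((row["account"], "no owner"))
        if row["managed"].strip().lower() != "yes":
            findings.append((row["account"], "unmanaged"))
        last_set = date.fromisoformat(row["password_last_set"])
        if today - last_set > MAX_PASSWORD_AGE:
            findings.append((row["account"], "password older than 90 days"))
    return findings

def unapproved_events(events, requests):
    """Return privileged logons not covered by an approved request window."""
    def covered(acct, user, when):
        return any(r["account"] == acct and r["requestor"] == user
                   and r["start"] <= when <= r["end"] for r in requests)
    return [e for e in events if not covered(*e)]

if __name__ == "__main__":
    print(audit_inventory(INVENTORY_CSV, date(2013, 7, 1)))
    print(unapproved_events(EVENTS, REQUESTS))
```

In practice the inventory and events would come from a directory export and the audit log rather than inline constants.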
Increasingly, the value in your business lies in your data, raising the stakes for IT security dramatically. You should ensure that your IT security protocols are up to date, and that automated processes are in place to monitor your network and provide an audit trail.