wallix.com



The company's Achilles heel remains the IT administrator


According to a survey of 200 IT professionals, IT administrators use their privileged access rights and passwords to seek information outside the strict scope of their responsibility (the contents of employee e-mails, human resources files, payroll information, personal data of third parties, information strategic to the company etc.).

Even if the infrastructure is now relatively secure, few companies have solutions that allow them to control access to the information system effectively at a low cost, and even fewer record all the actions taken by IT administrators. This lack of appropriate solutions makes it very difficult, if not impossible, to maintain control over the IT infrastructure.

System administrators are often required to handle large numbers of passwords on a daily basis, and this information is either stored in their heads, scrawled on Post-It notes, or printed out on a sheet on the desk. The survey also revealed that a third of respondents are confident they would have no problem keeping their access rights if they left the company. Worse still, 28% know of former colleagues in this situation, some of whom even have access to customer files.


"The results of this study clearly show the very uncomfortable situation for IT administrators, who, as employees, are subject to the instructions of their superiors and yet must carry out their duties in compliance with existing legal rules or risk being held personally liable," says Jean-Noël de Galzain, CEO of Wallix. "We mustn't forget that the administrator's role lies at the point where these two obligations meet. There is a document on the AFCDP website entitled 'Technical Administrators, Rights & Obligations', which describes a case that led to the conviction of a network manager and his superior, in which the court found that these professionals had abused their position and the technical possibilities available to them." In fact, the AFCDP (the French association of personal data protection correspondents) recommends drafting a charter specific to this professional category and raising their awareness of the legal context.

IT professionals are hardly setting an example when it comes to confidentiality. We also learn that most of them still write down the most critical passwords on Post-It notes, and 8% even admit to leaving the passwords set by default by software publishers... which are well known to all hackers. Jean-Noël de Galzain confirms: "The easiest way to infiltrate a company's network is to look for administrator passwords that have been left blank or with the default set by the publisher, such as 'admin' or 'password'... Once you have found these passwords, you are inside the company's IT system with the highest level of privilege and authorisation. You control the company's entire IT system."

These risks are confirmed in a study published by CERT at Carnegie Mellon University's Software Engineering Institute and the US Secret Service entitled "Comparing Insider IT Sabotage and Espionage": in 86% of cases, the attacker is a man with a technical role. Revenge is the primary motivation for 92% of them.
The report confirms that "in insider IT sabotage cases, the saboteurs were typically system administrators or privileged users [who] have total access to at least some portion of the organization's system or network". One of the thirty cases studied involved an administrator who accessed the NOC (network operations centre) on a Friday evening: "The insider deleted the entire database and all software, [...] shut down every system, and stole every backup tape... " The report states that "In 28 of the 30 IT sabotage and all of the espionage cases [...] lack of physical or electronic access controls – or both – facilitated the illicit acts." Closer to home, the CNIL has recently pointed to security flaws in the Personal Medical Record (DMP), including passwords that are too easy to deduce. In the same vein, the study also states that 20% of administrators admit they do not change the most critical passwords often enough; the most common answers were: "No idea! ", "Not often", "When management tells us to", "Every year", "Never". This is all the more surprising when we discover that 68% of these same IT professionals consider they could pass an unscheduled security audit!


Last Updated: Tuesday, 23 February 2010 14:20