With great privilege comes great responsibility
While additional IT privileges are part of IT management, recent incidents and a number of surveys show many organizations don't do what's necessary to ensure such access isn't abused
December 19, 2011 — CSO —
While insider threats -- especially from someone on the IT team -- are not the most common attacks enterprises must be on guard against, they certainly have the potential to be among the most devastating.
Consider the recent case of Jason Cornish, in which the former IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi pleaded guilty to charges relating to a Feb. 3, 2011 attack that wiped out a considerable part of the company's business-technology systems including its email, order tracking and financial systems According to government court filings, the cost of the attack to the company reached $800,000.
Another example is that of City of San Francisco IT administrator Terry Childs, who refused to turn over administrative passwords to the city's FiberWAN network and was sentenced to four years behind bars.
More recently, a programmer at the Chicago Mercantile Exchange was arrested by federal agents for allegedly stealing proprietary code from the exchange.
One would assume, following such high-profile incidents, that more organizations would express interest in getting a better grip on their privileged insiders.
Nevertheless, a pair of just-released surveys shows how lax enterprise controls are when it comes to governing privileged IT access.
Enterprise key and certificate management vendor Venafi surveyed more than 500 IT professionals and found that a third of survey respondents believe that with their knowledge of and access to encryption keys -- and the lack of oversight by their organization over those keys -- they could bring their company to a stop if they so chose.
A separate survey conducted by the Ponemon Institute for HP found increased risks to sensitive workplace data because of a general lack of privileged user oversight. Fifty-two percent of respondents said they are likely to get access to confidential information beyond what is necessary for their job. More than 60 percent said privileged users access sensitive data out of sheer curiosity. While many respondents claimed to have defined policies for privileged access rights to specific IT systems, nearly 40 percent said they are not sure about their ability to see specific user access rights across their organization.
"While the issue of better monitoring privileged users has been brought up here several times, we've not yet adopted an adequate way to monitor and enforce our privileged access policies," says the CTO at an international textiles company based in the Southeastern U.S. "Business and IT demands are moving so fast that there's always something higher on the priorities list."
That's probably the case at many organizations. In our next story we'll take a look what steps experts say enterprises need to take to make certain the additional access privileged users are given doesn't end up being abused.George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.
Read more about access control in CSOonline's Access Control section.
Other stories by George V. Hulme