Who can you trust?

Network Admin Arrest Puts Spotlight on Insider Threats

44 percent of the 500 respondents identified internal breaches as a key security challenge over the 12 months preceding the survey—up from 42 percent in 2006 and just 15 percent in 2003.

OK, so this is a scary, but not new, thing.  The irony is that we work hard to secure our networks and data from outside attackers and sometimes it's the people inside the organization that end up getting us.  How often have you struggled with permissions vs. risk?  At the end of the day, your network administrators must be trustworthy.  I do like the final statement of the article:

"The best practice is to trust but verify," said Yama Habibzai, senior director at Netcordia, a provider of network management tools. "There needs to be some level of trust within the organization, but the organization needs to have the tools in place to verify that employees touching the network are making accurate and approved changes."

I agree that we need to have a level of trust in our network administrators, but I also agree with the verify phase. We all have good and bad days. Let's say you have a very trustworthy and excellent network administrator. The trustworthy people are the standard, the untrustworthy person is the exception, but even your best network administrators can have bad days. What if your best network administrator gets a good review, but not much of a raise? Raises are slowing down, and in the end, network administrators will not be paid as much as upper management. Companies do have to put ceilings on job roles. While every position is valuable, some do have more value than others. Back to your best network administrator: what if they have a very good review, but then get told that they are paid at the top of their job and they cannot receive another raise? Every person has thoughts like "Hey, if they don't value me, just wait till I'm not here" or "Look at the havoc I can create". Most people know better than to take action, but unfortunately, some do not know where to draw that line.

Have you ever felt like you knew of a problem that needed to be solved but no one else listened?  Check this one out:

Article (InfoWar): Student arrested for breaking into school computer network

A high school senior was arrested for breaking into the school district's computers. His whole motive was just to prove that their computers were not as secure as the school district felt they were. While I agree that computers need to be secured, and even tested to ensure they remain secure, I think this is one of the ways to NOT prove your point. This guy broke in, collected "secured" information, and then brought it back to school and presented it to his teacher. This is not the right way... The article goes on to suggest a more appropriate way to handle something like this:

"What he should have done is offer to sit down with the teacher and the administrator and demonstrate the hole with their permission,"

I agree with this suggestion.  No one likes to be blown off, but even if you offer to demonstrate your concerns and they say "No thank you", you need to walk away.  The struggle is "where do you draw the line?".  When is it right to point out an exposure and when does it go too far? 

Microsoft has a corporate policy that requires everyone to lock their computers when they are not using them. The good old <CTRL+ALT+DEL> and "Lock this Computer" before you walk away from it. It's a very good practice. If anyone has access to your computer while it is logged on with your credentials, they have access to everything you have access to as well. I agree with the rule to keep your workstations locked, but what do you do when a co-worker, or even a customer, walks away from their computer without locking it first? Should you lock their workstation for them, or keep your mitts off the keyboard?

I believe that these are some of the ethical dilemmas that we face working in the IT industry, but these types of dilemmas are not unique to our industry. Where do we draw the line? Where is the line between "doing the right thing" and "crossing that line"?

At the end of the day, we must trust our people, but we also need to verify that people can be trusted. I do not feel a generic administrator account that multiple people have access to is an acceptable security measure. I feel that every network administrator should have two sets of credentials: one set that has no more access than any other typical user, and one that has their domain administrative access. The normal account should be their only email-enabled account, and they should spend the majority of their day logged in with this set of credentials.

If a network administrator needs to do "administrator" work, they should then log into the server they are going to manage with their personal administrator credentials. Each administrator should have their own administrator account that is assigned only to them. Of course, this account should not be e-mail enabled, and all actions taken by this account should be audited. If you audit all of the transactions, it should be pretty straightforward to review the audit log if there is any question. Wouldn't it be nice if Windows made it that easy? Server 2003 made it really hard to effectively audit for things like this, and this caused a lot of customer frustration. Windows Server 2008 has tons of new improvements, and one of them is a revamped audit solution. Now you truly can get granular on the events and people you audit.
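One way to verify the account rules above against Active Directory (an added example, not part of the original post). It assumes the ActiveDirectory PowerShell module is available and that Domain Admins and Administrators are the privileged groups to review; the RID 500 check is a heuristic for spotting the generic built-in account.

```powershell
# Added example: flag privileged accounts that break the rules described above.
# Assumptions (not from the original post): the ActiveDirectory module (RSAT)
# is installed and the groups below are the privileged groups to review.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Administrators'

# Collect every user that holds privilege directly or through nested groups.
$memberDns = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName
}

$report = foreach ($dn in ($memberDns | Sort-Object -Unique)) {
    $user = Get-ADUser -Identity $dn -Properties mail, proxyAddresses

    $issues = @()

    # Rule from the post: the administrator account should not be e-mail enabled.
    if ($user.mail -or $user.proxyAddresses.Count -gt 0) {
        $issues += 'e-mail enabled'
    }

    # Heuristic: the built-in Administrator (SID ending in -500) is the usual
    # generic account that several people end up sharing.
    if ($user.SID.Value -match '-500$') {
        $issues += 'built-in Administrator (generic account)'
    }

    # A disabled account that still sits in a privileged group should be removed.
    if (-not $user.Enabled) {
        $issues += 'disabled but still privileged'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Account = $user.SamAccountName
            Issues  = $issues -join '; '
        }
    }
}

# Review the findings; an empty table means no account tripped a check.
$report | Sort-Object Account | Format-Table -AutoSize
```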

We need to keep trusting our people, but the separation of duties is also a very good thing. We need to do a better job of making the separation of roles possible, but we are making progress. Our Group Policy tool does a good job at separating roles: you can allow one person to create a policy, but then require another person to actually deploy it. This is a nice check and balance, but trust is still a core requirement.

I hope this helps. If you have any comments or questions, I'd love to hear them.

Until next time!

Rob

Published Friday, July 18, 2008 6:34 PM by rwagg