Results of New Survey Should Worry Security Administrators
A new survey of 17,000 IT security professionals by Cloakware should be cause for alarm for security administrators.
The just-released report from the firm, whose software helps organizations meet governance, risk management, and compliance (GRC) objectives, highlights that 40 percent of employees feel that, relative to their role, they have more access privileges to their company's network and data than they should. This could explain why 60 percent of respondents have found information they shouldn't have while browsing through the network. (Cloakware reports that 77 percent of those respondents reported the problem to the appropriate person or requested that their access privileges be reduced.)
Business managers should also note that two-thirds of employees reported that they would "take action against a co-worker or manager if they felt they were being undermined in the workplace." Such worries may explain why 55 percent of respondents report being anxious about keeping important projects or documents on an office-wide server or easily accessible computer, fearing the files would be tampered with by an envious coworker.
According to the company, some workers who feel threatened could be particularly malicious: Although some respondents said they would take credit for, spread rumors about, or modify, delete or move colleagues’ work if they felt threatened, 78 percent reported they would take "other action," some of which Cloakware categorized as "aggressive, even violent, actions."
Rob Grapes, chief technologist at Cloakware, points out that this is just part of a broader trend that security administrators must pay attention to: internal threats, not just external vulnerabilities.
“We were surprised and a bit shocked by the candour of the responses we received to our survey questions but believe that there is truth behind the responses especially in the light of recently reported insider attacks such as those in the City of San Francisco, Fannie-Mae, Heartland, and many more,” said Grapes. “With the recent downturn of the economy, other studies also suggest that this issue will become more prevalent in the media because of disgruntled employees.”
To protect an enterprise from this increase in insider threats, Grapes suggests security administrators follow several best practices.
First, admins need to seek out approaches that apply the “lowest level of privilege” needed to complete daily tasks and nothing more. Excessive access rights are often granted to avoid administration effort, and access rights are rarely reviewed or revoked once granted. Re-provisioning and de-provisioning must become part of normal maintenance efforts.
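The periodic review Grapes is asking for can be mechanized. The following is an added example, not code from the article or from Cloakware: it compares each account's granted entitlements against a per-role baseline of what the role needs for daily work, and flags two things for the de-provisioning queue: entitlements outside the role baseline, and baseline entitlements that have gone unused for a set number of days. The role names, entitlement names, account records and dates are all constructed for illustration.

```python
"""Periodic access review: flag entitlements that exceed an account's role
baseline, and baseline entitlements that have gone unused, so both can be
revoked as part of routine de-provisioning."""
from datetime import date, timedelta

# Constructed role baseline: the entitlements each role needs for daily tasks.
ROLE_BASELINE = {
    "helpdesk": {"ticket.read", "ticket.write", "user.password_reset"},
    "developer": {"repo.read", "repo.write", "ci.run"},
    "finance": {"ledger.read", "ledger.write"},
}

# Constructed account records: entitlement -> date it was last exercised
# (None means never used since it was granted).
ACCOUNTS = [
    {"user": "alice", "role": "helpdesk",
     "entitlements": {"ticket.read": date(2009, 3, 1),
                      "ticket.write": date(2009, 3, 1),
                      "user.password_reset": date(2009, 2, 20),
                      "ledger.read": date(2008, 11, 2)}},    # outside role
    {"user": "bob", "role": "developer",
     "entitlements": {"repo.read": date(2009, 3, 2),
                      "repo.write": date(2008, 10, 5),      # unused > 90 days
                      "ci.run": None,                       # never used
                      "domain.admin": date(2009, 1, 15)}},  # outside role
    {"user": "carol", "role": "finance",
     "entitlements": {"ledger.read": date(2009, 3, 2),
                      "ledger.write": date(2009, 3, 2)}},
]


def review_access(accounts, baseline, today, stale_days=90):
    """Return {user: {"excess": [...], "stale": [...]}} for accounts that need
    action. 'excess' = granted but not in the role baseline (revoke);
    'stale' = in the baseline but unused for stale_days (revoke, re-provision
    on request). Accounts with nothing to fix are omitted. An account whose
    role has no baseline entry has every entitlement reported as excess."""
    cutoff = today - timedelta(days=stale_days)
    findings = {}
    for acct in accounts:
        allowed = baseline.get(acct["role"], set())
        excess, stale = [], []
        for ent, last_used in acct["entitlements"].items():
            if ent not in allowed:
                excess.append(ent)
            elif last_used is None or last_used < cutoff:
                stale.append(ent)
        if excess or stale:
            findings[acct["user"]] = {"excess": sorted(excess),
                                      "stale": sorted(stale)}
    return findings


def revocation_plan(findings):
    """Flatten findings into (user, entitlement, reason) rows suitable for a
    de-provisioning ticket or change request."""
    plan = []
    for user, f in sorted(findings.items()):
        plan += [(user, e, "outside role baseline") for e in f["excess"]]
        plan += [(user, e, "unused for review period") for e in f["stale"]]
    return plan


if __name__ == "__main__":
    review_date = date(2009, 3, 10)   # constructed review date
    for row in revocation_plan(review_access(ACCOUNTS, ROLE_BASELINE, review_date)):
        print("%-6s %-20s %s" % row)
```

Feeding this from the directory or IAM system's export rather than a hand-built list is the only change needed to run it on a schedule; the output rows are the de-provisioning work that the article says rarely happens today.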
Second, although “separation of duties” is also a well-understood concept, it is rarely put into practice. Grapes suggests avoiding situations where one administrator is able to take complete control of a network or a system on a network. Although sophisticated workflow approaches exist to help solve this issue, even the simple process of breaking a critical password into two sections, each entered by a different individual, would help.
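The two-section password Grapes describes is a form of two-person control, and it can be made stronger than handing each custodian half of the password. The following is an added example, not code from the article or from Cloakware: it splits a secret into two XOR shares so that neither share by itself reveals any bytes of the secret, and a small vault object reconstructs the credential only when both assigned custodians have submitted their shares in the same session. The custodian names and the secret value are constructed for illustration.

```python
"""Two-person control for a critical credential. The secret is split into two
XOR shares: one is uniformly random, the other is secret XOR random. Either
share alone is statistically independent of the secret, unlike the first and
second half of a password, and the secret only exists while both custodians
present their shares together."""
import os


def split_secret(secret):
    """Return (share_a, share_b) such that share_a XOR share_b == secret."""
    share_a = os.urandom(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a, share_b):
    """Reconstruct the secret; a wrong or missing share yields garbage, not
    a partial secret."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


class DualControl:
    """Tracks the two custodians assigned to a secret and reconstructs it only
    when both have submitted their share. Submitted shares are discarded on
    release, so every use requires both people again."""

    def __init__(self, custodians):
        if len(set(custodians)) != 2:
            raise ValueError("exactly two distinct custodians are required")
        self.custodians = frozenset(custodians)
        self.pending = {}

    def submit(self, custodian, share):
        """Record one custodian's share. Returns True once both are present."""
        if custodian not in self.custodians:
            raise PermissionError("not an assigned custodian: %s" % custodian)
        self.pending[custodian] = share
        return len(self.pending) == 2

    def release(self):
        """Return the reconstructed secret, or refuse if a custodian is missing."""
        missing = self.custodians - set(self.pending)
        if missing:
            raise PermissionError("waiting on custodian(s): %s"
                                  % ", ".join(sorted(missing)))
        first, second = sorted(self.custodians)
        secret = combine_shares(self.pending[first], self.pending[second])
        self.pending.clear()
        return secret


if __name__ == "__main__":
    # Constructed secret and custodians.
    secret = b"constructed-root-password"
    share_ann, share_ben = split_secret(secret)
    vault = DualControl(["ann", "ben"])
    vault.submit("ann", share_ann)
    try:
        vault.release()
    except PermissionError as exc:
        print("refused:", exc)
    vault.submit("ben", share_ben)
    print("released:", vault.release() == secret)
```

The point of XOR over concatenation is that a custodian who holds `share_a` cannot brute-force the remainder: every candidate secret is equally consistent with that share. The same idea extends to k-of-n thresholds with Shamir secret sharing, which is what the "sophisticated workflow approaches" in the text typically build on.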
Third, security administrators should stop using and thinking in terms of the “trusted insider.” Networks have changed and the definition of a user has changed. With networks exposed to the Internet, customers, partners, administrators, developers, contractors, outsourcers, and managed services providers, the definition of privileged access has changed, and admins need to put into place the appropriate controls to manage all identities, not just user identities.
Finally, administrators should work with auditors to understand how their system security will be measured. Admins should establish a baseline against which improvements can be recognized, identify areas of regulatory overlap to help reduce the cost of audits, and incorporate best practices learned from other audit efforts.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).