
YOU are the threat: True confessions of real-life sysadmins

Who will save the systems from the men and women who save the systems from you?

Victim turned hacker

Being a security specialist, employed by one of the big names, he knew how to sniff out vulnerabilities. He decided on his plan of attack. The first thing Joe decided to do was to take out the phone infrastructure. The provider in question was using IP-based phones and was unfortunate enough to have a very badly configured infrastructure that was exposing a lot more than it should be.

Within a couple of hours the phone system had been compromised. Joe, now an unwanted intruder, misconfigured the system enough to cause annoyance but not so much that the provider would be crippled beyond repair. The last thing he did before he logged out was to remove his own phone number, along with several others, from the system for plausible deniability. To cover his tracks, Joe had routed through a chain of several proxies in which the penultimate hop was in China, chosen specifically to make him harder to trace.

This seems to be a common type of scenario within the world of clued-up IT people. One of the most interesting books I have read – called Stealing the Network: How to Own a Continent – covers just this type of scenario in its first chapter, where someone seeks to get even with the web vendor that had wronged them by stealing all of its customers' credit card details.

Perhaps the reason this form of retribution happens more with IT-related people is there is a ready avenue for reprisals against a company, without having to be physically near the company.

Inside the office, a normal user can create problems, but those problems can easily be overcome: deleted files can be restored from backup, for example. You have backups, right? Once an employee is out of the company, they should have no access to the system. VPN access should be terminated before they are!

Frequently, though, it’s sysadmins who have been able to slip back into the system and delete critical components of the infrastructure.

How can businesses defend against such threats? Securing the human is truly not that easy. Some bigger companies now implement more stringent background checks including financial screening and crime screening. The general view on these checks is that they have limited use.

When removing a sysadmin from their position, there are a few things that should be done.

How do you avoid this becoming a problem in the future?

Another administrator should disable the departing administrator's accounts before or during any dismissal meeting. Don't forget mobile phones, physical access (passes and the like) and any other access to the infrastructure. As anyone would understand, when this happens both parties want the incident to be over. It would be prudent, however, to shadow them, just in case.


Another tip I have learnt from speaking to a few forward-thinking administrators is to sit with the new administrator who is taking over from them and make sure that the root passwords are changed and that the former administrator's account is disabled. It helps ensure that an above-board administrator does not have the finger pointed at them should anything untoward happen.

This should go hand in hand with a formal HR process that is tested and followed to the letter. Not infrequently this would have prevented these data deletion incidents, and also saved the aggrieved administrator from becoming unemployable and from possible penalties. It removes the temptation of 10 minutes of getting even that results in a much longer jail term.
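The second administrator's job in the process above is to verify, not just assume, that the departing account has really lost its footholds. The following audit is an added example, not code from the article: it scans constructed copies of the access-control files a Linux admin would check (passwd, shadow, sudoers drop-ins, root's authorized_keys, the user's crontab) and reports every place the account can still get in. The file contents and the user name `joe` are made up for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # file in which the leftover access was found
    line: int     # 1-based line number within that file
    detail: str


def audit_residual_access(user: str, files: dict[str, str]) -> list[Finding]:
    """Return every foothold `user` still has according to the given file texts.

    Checks: login shell still interactive, password hash not locked, sudo
    rules naming the user, SSH keys whose comment names the user, and a
    crontab that still exists for the user. Comments and blank lines are skipped.
    """
    findings: list[Finding] = []
    name = re.compile(rf"\b{re.escape(user)}\b")
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if base == "passwd" and len(fields) >= 7 and fields[0] == user:
                if not fields[6].endswith(("nologin", "false")):
                    findings.append(Finding(path, no, f"login shell still {fields[6]}"))
            elif base == "shadow" and len(fields) >= 2 and fields[0] == user:
                if not fields[1].startswith(("!", "*")):
                    findings.append(Finding(path, no, "password hash not locked"))
            elif (base == "sudoers" or "/sudoers.d/" in path) and name.search(line):
                findings.append(Finding(path, no, f"sudo rule: {line}"))
            elif base == "authorized_keys" and name.search(line):
                findings.append(Finding(path, no, "SSH key comment names the user"))
            elif "cron" in path and path.endswith("/" + user):
                findings.append(Finding(path, no, f"cron entry: {line}"))
    return findings


# Constructed sample file contents; not taken from any real host.
DEMO_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\njoe:x:1001:1001::/home/joe:/bin/bash\n",
    "/etc/shadow": "root:$6$abc:19000:0:99999:7:::\njoe:$6$def:19000:0:99999:7:::\n",
    "/etc/sudoers.d/admins": "# local admins\njoe ALL=(ALL) NOPASSWD: ALL\nalice ALL=(ALL) ALL\n",
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY joe@laptop\n",
    "/var/spool/cron/crontabs/joe": "*/5 * * * * /home/joe/bin/sync.sh\n",
}

if __name__ == "__main__":
    for f in audit_residual_access("joe", DEMO_FILES):
        print(f"{f.source}:{f.line}: {f.detail}")
```

An empty result for the departing user is the condition the second administrator should be looking for before signing off the dismissal.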

Writing this article, a few things came to light that I really didn't expect to see. We all know that accidents happen, and they can, to a degree, be dealt with as I outlined above. I also assumed, rightly or wrongly, that administrators usually wouldn't compromise or divulge information, other than for whistle-blowing as in the Snowden case. That assumption proved to be incorrect.

As for management dealing with the threat of a rogue administrator? There are limits to what can be done, despite what purveyors of data loss prevention software and other security providers might say. ®
