A year after Terry Childs case, privileged user problem grows
Managing those who manage the keys is hard
Computerworld - One year after former network administrator Terry Childs made national headlines for locking up access to a crucial San Francisco city network, the issue of how to protect corporate systems against the very people who manage and administer them remains as thorny as ever.
Just yesterday, Lesmany Nunez, a former computer support technician at Quantum Technology Partners (QTP) in Miami, was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. Nunez also changed the passwords of all the IT systems administrators at the company and deleted certain files that would have made data restoration from backup tapes easier. His actions resulted in more than $30,000 in damages to QTP.
Numerous similar cases, including ones involving Fannie Mae and Pacific Energy Resources Ltd. have been reported over the past few months, each one causing considerable damage and disruption to the companies involved.
Childs is awaiting trial after being jailed last July on a $5 million bond for resetting administrative passwords to switches and routers on San Francisco's FibreWAN network, and later refusing to divulge the new passwords thereby locking up the network.
Such sabotage can be extremely difficult to stop because it involves users with legitimate administrative access to critical systems. But contributing to the problem is the continuing failure by many companies to adequately manage the numerous user accounts and passwords that control privileged access to critical corporate networks and systems.
Although the issue is well recognized by security experts, far too many companies continue to overlook it, said Sarah Cortes, an analyst with Inman TechnologyIT. The threat is "highly underestimated," Cortes said.
"It's not a sexy issue but it's a fundamental security issue," said Cortes, a former tech executive at several financial services companies.
Large companies can have thousands of account names and passwords that provide root access to applications, databases, networks and operating systems. While not all of them are critical to the enterprise, there are numerous accounts that if abused can cause serious disruptions enterprise wide.
Some companies can have anywhere between 10 and 70 people with root-level access to such critical systems, Cortes said. These could be staff who require access for system or database maintenance purposes, for patching or upgrading applications, and other valid reasons. The number of people with such access is usually far greater than managers might know about or track, Cortes said.
The situation is worse in environments with older legacy systems that are no longer being actively supported but need to be maintained all the same. There can be numerous individuals in such situations who have been provided emergency, or temporary, root-access to a system in response to a specific need, but whose access is then never later revoked, she said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts