Security Advisor

Can You Be Trusted?

Protect your network against attacks from rogue IT administrators.

• By Joern Wettern
• 09/01/2008

Your Network Belongs to Me
Dishonest network administrators are not a new problem. However, several recent, high-profile cases where IT professionals were stealing from their employers or trying to take over the entire network and hold it hostage have brought attention to these types of threats.

Some of this publicity involves insider data theft. One noteworthy case involves a longtime Boeing employee who's accused of pilfering aircraft design documents. The ex-worker now claims he took the documents, valued at several billion dollars, as protection against being fired unfairly.

Whatever a person's real intentions may be, someone taking business-critical information home on a flash drive is a serious threat.

Criminal Intent
Dishonest IT professionals may turn their employer into a virtual hostage. They may maneuver into a position to disable critical infrastructure components or the entire network if their demands are not met.

One recent case involves a former network administrator who was jailed after essentially disabling San Francisco's municipal network. According to the charges brought against him, this administrator configured the switches and routers handling the majority of the city government's network traffic with passwords he refused to share with anyone. He also allegedly configured these devices to erase configuration data if anyone else tried to get administrative access.

Police found that this administrator set up unauthorized modems so he or others could connect into the data center and control the network infrastructure -- even if he no longer had any access to the premises.

After spending two weeks in jail, the accused administrator finally revealed the critical passwords to the mayor, so things appear to be back to normal in San Francisco.

Unfortunately cases like this are not entirely unusual, even though they generally don't get the same amount of publicity as a major theft. I personally know a large company where one member of the IT team holds on to all critical passwords and never shares them with anyone. He can threaten the company with leaving if things don't go his way. This is more common for smaller companies that depend on a single person to run their entire network.

Smell the Rotten Apple
The good news is, there are often warning signs. Rotten IT professionals build up their power over time, and it takes a while to gain complete control over the network. While controlling passwords and access may seem like the actions of an honest but self-important administrator, refusing to share information needed to administer and control infrastructure is a sign of something fishy.

Here's a question to test whether or not you're at risk: Could you could reconfigure everything in your network and get to all your data if any one person was unavailable? If the answer is no, you're at risk. If an administrator is honest, you should expect cooperation in documenting what's required to ensure business continuity during an absence.

This doesn't mean that administrators should agree to all requests for administrative access. For example, don't add your boss's account to the Domain Admins group when asked, as often happens in small companies. You don't want someone to run everyday programs with a privileged account or to try to "fix" network problems without being properly trained.

A better approach to such requests is to provide the critical information in a way that allows access in an emergency, but prevents or discourages casual use. One solution is to write the passwords for all administrative accounts on a piece of paper, seal it in an envelope and put it in the company's safe. This allows emergency access and recovery without introducing new risks to security and network stability.

Too Much Access
It's not just password and configuration information you need to worry about. You're also at risk when people have unchecked access to business-critical data. A person with access to this data could easily create a private business venture on the side, giving data to competitors or selling customer lists to junk mailers. Unfortunately, there are many instances where an administrator of a critical system needs access to all the data on it. However, there should always be at least one other person with the same level of access who can review audit logs and detect suspicious behavior.

Be careful that other IT pros don't think you're trying to institute a company culture of distrust and suspicion. But as long as control measures are reasonable, any serious objections should make you suspicious.

Divide and Protect
Some information required to run your network is so critical that you don't want any single person to have it, even if it's shared with a second person or backed up somewhere. For example, Hardware Storage Modules (HSMs) hold critical private key information that's part of public key infrastructure. These HSMs include mechanisms that can require multiple people to authenticate using unique hardware tokens before business-critical root certificates can be issued or renewed.

Another method for dividing control is to split a password in two and give each half to a separate person. This may be appropriate for high-value passwords, such as the built-in administrator password of your forest root domain or a superuser password that grants unrestricted access to all of your routers.

If you use smart cards, you can store sensitive credentials on one of them. Hand the smart card to one person and give the PIN to someone else. Of course, requiring that multiple people are present for authentication only works for tasks that don't need to be performed often, such as renewing root certificates. A network infrastructure admin who needs a second person for every small change to a routing table will be looking for another job very soon. If you adopt this strategy, make sure you have a secure backup plan in case one of the required individuals isn't around.

Distributed Responsibility
Finally, think of backups as part of your protection against rogue administrators. These backups can help you regain access to your data and infrastructure if someone has locked you out. Restoring last month's router configuration or last week's version of Active Directory is not the ideal way to regain control of your network, but at least it gives you a recently known good state. Starting from this state you will only need to rebuild things that were recently changed, keeping service interruptions to a minimum. Just make sure you don't put the same person in charge of creating or storing your backups who's also in charge of managing the data or infrastructure components you're trying to protect.

Power Sharing
One last word to all my readers whose job would allow them to perform any of these evil deeds, but would never even think of doing something dishonest: Don't be insulted if your employer institutes any of the controls I've described. Instead, work with management to create effective controls.

While you may have to share some power, at least you won't have to end your next vacation early because of an IT emergency that only you can fix because no one else has access rights.