Slashdot Mirror
Sys-Admins Reading the Bosses Mail?
PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these priviledges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"
A friend in the Government once told me that after the Pollard spy scandal the Government rethought the way it handled clearances. So now there is a discreet pool of clearances. There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.
If brevity is the soul of wit, then how does one explain Twitter?
The article mentions the lack of encryption and I suspect if it ever starts being used the same IT folks who have admin access will end up with the encryption keys, so the added admin and overhead won't buy you more security from prying eyes.
Knows how to break IT security, but no longer needs to.
init 11 - for when you need that edge.
Would you be upset if your alergist (doctor) had access to your blood work? No. It is his job. Trust is a huge component of system administration, and any company, or corporation, who doesn't understand that the administrator has the keys to the system, needs to take a better look at their corporate layout.
Admins have access to everything. Or at least they should have access to virtually everything. Because who would you call if it was broken? certainly not the corner office.
Trust is necessary. You have to trust your admins. And if you have an admin that leaves under suspicious or grievious circumstances, you protect your corporations ass with a dismissal agreement.
If you don't have a chain of trust in your IT department you're fucked... even if you do spend bank on "secure internal IT infrastructure."
The rest of the article is all over the place. There's some mention of rogue admins reading executive e-mail rolled into boilerplate security talk about how X% of security risks are insider threats, and then it finishes up with a vaguely related sales pitch for RSA products, owned by... yep, EMC. The guys providing ComputerWorld with ad revenue on that sidebar.
Hopefully those scared VPs will hire consultants and purchase EMC products to "secure" their infrastructure from "rogue admins" who are probably reading their e-mail RIGHT NOW.
There are, after all, fairly straightforward ways to secure data against the admins (assuming they don't actually install spyware, which is a separate subject.) There are also ways to arrange secure key recovery so that the records can be recovered if Something Happens to the exec, but no one person can do it (say, three board members and an outside law firm.)
Lacking <sarcasm> tags,
If you do not trust your staff, you have other problems.
In my consulting work I have worked with systems containing sensitive information. Outside the workplace and outside the context of my particular role the information was of no interest to me.
The problem is: how will PGP stop an admin? Clickity-click, I just logged keystrokes and got Mr. Fancy Pants' private key password. You have to trust your admins to some degree.
Also, maybe access but _logged_ access. And then a process where someone views the logs to look for unauthorized browsing.
The DMV does it (every once in a while some bozo is fired from the state DMV for looking up minor celebrities information), I am sure many other less involved database systems can too.
Maybe if companies paid their workers fairly and instilled loyalty things like this wouldn't be such a worry. Instead we're asked to do the jobs of several people for fraction of payroll - and not complain about it. What do CEO's think is going to happen?
I've got read access to the entire financial database. I can find out how much they spent for dinner on their last trip and their salary as well. Luckily for them, I just don't care.
...Then the battle is already lost. You may as well close up shop and go home.
Which is not to say there aren't unscrupulous people out there who will abuse positions of trust, but this is a HR issue, not a technical/security one (and is most certainly not one limited to the IT department).
I work for a relatively small company with approximately 100 employees, and being one of the two sysadmins, I could easily go in and look at anyone's email. One of the many reasons I have for not doing so is because I have dignity and want to respect peoples privacy, no matter who they are. Also I could probably find some "dirt" about someone, but in the end it does no good, and in some cases would probably piss me off. If there really is dirt going around the office, I would rather hear about it by traditional means, just like everyone else. I also think that knowing about certain situations that might be going on, which have no effect on my day-to-day duties, affects my ability to treat all employees with the same respect that they deserve.
At least in small business, and probably in all business, it is completely necessary for upper IT staff to have complete access to everything. I've lost count of how many times upper level management has come to me with the 'I forgot my password, can you get my stuff back?' request. This is a normal occurrence. If we take away the privileges of IT to access upper management data, then upper management is very likely to lose that data.
As an anecdote, one of my customers (I am an IT consultant) lost the password to the video surveillance system. They immediately came to me, and were shocked and annoyed when I said 'Sorry, I wasn't involved in the installation of that system and was never informed of the passwords.' In the end, we found that a user had written down the password at one point and were able to get back in that way!
The point really should be that companies better find upper IT staff that they can TRUST! If they can't trust their IT staff, they have big problems.
with information being so hot these days don't you think organized crime cartels
would do anything to have one or two admins in any network so they can glean
information for their benefits? hmm?
The solution is regularly teaching business ethics to students. Perhaps even make it mandatory to earn a degree. Certainly mandatory for a graduate degree.
The suggestion that a mandatory degree and ethics classes will solve the problem is laughable. Many examples of why this is so exist: Citigroup, Enron, Worldcom... to name a few. Do they teach business ethics in MBA or CPA programs? Of course they do. Did it help? No.
There are ways to run a business that limit the amount of information that has to be classified so that it can be relayed verbally or by sneakernet. Like not defrauding your workers or business associates is a good start, followed by not raking in huge undeserved stock options and bonuses, not downsizing and outsourcing just because it is the latest fad, and in general being competent to the point that the only people who care what's in your email are the rarer criminal element and not every damn single employee.
Ahh, driftnet on the switch monitor port. Never has there been such an artistically odd juxtaposition of shoes, porn, corporate logos, and vacation photos.
Someone had to do it.
Public key encryption, duh. Then, even if your admins had this access, which they must in some cases, they couldn't read the message anyway. The sooner CEOs catch on, the sooner everyone else will also.
Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
I am a Sysadmin. I built the network, I built the mail server, I built the VOIP system, and I built the DVR security system. I have control over all of these things. I know what happens here before anyone else does. I see your every move, can listen to your every phone call, and yes, I can read your email.
We are not regular employees. We aren't the boss. We occupy a grey area, because we control everything.
My system has millions of dollars flowing through it. You trust me with that, but have a problem with reading an email?
I am a Sysadmin. Trust me or not. Me reading your email is the least of your problems should you choose not to trust me.
By law, anyone who has been drinking is "sober" until he or she "cannot hold onto the ground." Actual lexington, KY law
And what do you do about the IT personnel who have rights sufficient to circumvent logging or alter the logs? The difference from you DMV situation is that you're talking about logging random DMV workers, and not the person who set up the system and maintains it, therefore having read/write access to everything.
but the title is still insightful. This is old news. At work, I'm a domain admin. I have unrestricted access to all the files on tends of thousands of workstations. And to countless shares on hundreds of servers, with lots of infos and documents. And several Exchange servers. And many large databases. Webservers too. You name it, I can access it, totally unrestricted. I have access to tape backup libs. I can read the CEO's mail and documents no problem. I could install keyloggers or anywhere or do packet sniffing or such.
But, well paid employees in a job that doesn't suck aren't typically motivated to do immoral stuff. I get paid well, I'm respected, my hours are decent, etc. I have no reason to be disgruntled and do bad stuff. On the other hand, I can say I'm a fairly ethical person (saying otherwise would be false modesty). The idea is to have good employees, and keep them happy.
Now, if I was some guy paid below what I deserve, in a high stress job that sucks, risking to be outsourced and all, with management making every second of your life miserable and such, poor workplace politics and the old backstabbing between co-workers, then yeah, I wouldn't be surprised when something bad happens... It's old news, disgruntled ppl will sometimes do that kind of stuff.
Let me think, when all this email started getting popular in the mid 1990's wasn't the advice to treat it as postcard....
ie it could be read during transmission buy the post-office worker (sys-admin)....
just a gentle reminder.
There are three parts to IT security - confidentiality, integrity, and availability. An IT security policy must balance these. Your solution sacrifices availability. Maybe in some situations it is worth it, but in others it won't be. You say data should be secure - what do you mean? If data is on a public web server you know it isn't confidential, but you definitely want the webserver to be up, and you certainly don't want anyone unauthorised to change it.
In your example (which boils down to two man working, essentially) you have increased the cost of support - is it worth paying? That depends - what are you relying on to enforce it (procedural or technical measures, a combination of these)? What are you protecting?
There is also the rather tricky problem of defining who the owner is. If you have a data area with multiple people accessing it how do you put in sensible processes to manage this, and to recover the data when Fred fubars the spreadsheet. How do you audit use of the data (and do you even bother)?
There are ways to cope with all of this, but a blanket "you lose your password, you lose your information (unless you put into action this very expensive process)" isn't a panacea.
Finally - you say "all data in business can be reproduced, at the cost of time and effort". The first part, generally, isn't true. The "cost time and effort" also is misleading - sure, there will be problems where pouring money at them will get you better answers, but the business can't afford it (and it wouldn't be the first business that went down because they had an inappropriate security policy). It's a paradox, I suppose - important data is the only sort you can't afford to recover, because if it wasn't important you wouldn't need to.
I don't suppose you use voice-over-IP phones? I bet it would be trivial to set up auto-transcript on our CEO's phone IP...
Seriously why it is such an issue? Yes - admins have access to most everything. So what? - its one of the upsides of being a sysadmin. you have to run backups , configure systems and such- your CIO will not do that (and most probably does not have skills for this either) . Now there is logging tools /products for auditing all secure object level access, but who is gonna implement them and put it in place? -That right exact same people .
,or auto mechanic driving your car in repair bay , so don't bitch about people carrying weight of systems support of having necessary privileges.
/data - in no way I would want them have that if I could) -but corporate culture justifies that .At least with sysadmins its a pretty good technical justification.
You don't bitch about plumber having access your basement
I can bitch about HR too - they have the most private information about employees (I saw HR files
I too have seen many knee-jerk reactions by management to any number of real or perceived problems.
Think about it. A group of highly paid MBAs sit in a room and come up with an IT solution you are supposed to implement.
It really doesn't matter whether or not their solution is workable. You MUST embrace it.
If you do not embrace it, you will always be remembered as the "difficult one".
And really, the stupider the idea is, the faster it will go away and be forgotten. It is kind of like evolution, good ideas live and bad ideas die.
In the end, the managers will not remember the solution, or the problem. All they will remember is whether or not you were a "team player" or the "difficult one". Just always agree and do your best to implement. When it dies, let it die quietly. No funeral. No wake. Just let it go.
... followed by not raking in huge undeserved stock options and bonuses ...
While I agree that there have been terrible abuses here, I also recognize that sometimes these options and bonuses are appropriate but that is not always readily apparent. First there is the agent problem. The boss is sometimes merely an agent of the owner(s), how do you make sure he acts in a manner that improves the owners situation rather than his own? Options are one way. This also works up and down the ranks, for bosses and workers. The other area where a big seemingly undeserved bonus is appropriate is for the founder(s) who lost interest/investment income by spending his/her saving to start a business, lost salary income as he/she worked for no salary or a partial salary in the early days of the business, who risked their financially security and reputation to pursing a dream, etc. If they get a couple of big bonuses to repay and compensate for the preceding once the company becomes established, IMHO that is fair. I've seen small companies get bought out, and I've seen employees complain that they got a far smaller bonus than the founder they worked side by side with. What these employees failed to realize is that they took little risk, and that their boss made personal sacrifices so that their payroll checks were there on schedule.
Is the above a typical scenario? I have no idea, but I have seen it a couple of times. I believe it happens often enough to warrant mentioning among the stream of expected "bosses are evil and all profit should go to those doing the work" follow ups. Like many topics, things are far more complicated than they seem.
http://www.lacba.org/Files/Main%20Folder/Documents /%20Ethics%20%20%20Opinions/Files/Eth514.pdf
1 .html
Los Angeles Bar Association: "Lawyers are not required to encrypt e-mail containing confidential client communications because e-mail poses no greater risk of interception and disclosure than regular mail, phones or faxes."
http://www.netlawtools.com/security/emailsecurity
The American National Bar Association takes a similar stance, but the above link does warn that if an unencrypted email is intercepted, the lawyer may be held legally liable.
While it certainly should be necessary for important legal, medical, and other confidential information to be encrypted, it doesn't appear that the Bar association is quite as far ahead of the game as one would hope.
That's a perfect strategy for security if you completely disregard human behavior. If you set the stakes so high for forgetting your password, you end up with people either using ridiculously simple passwords (so they remember) or writing their passwords on post-it notes underneath their keyboard. Congratulations, now your system is less secure.
In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
If it's that important sign it and encrypt it. If you're a manager and you are sending out financial or personal information plain text you shouldn't have your job. You should work for the VA.