Slashdot Mirror


The IT Department as Corporate Snoop?

coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."

12 of 116 comments

  1. Hmmm by Anon-Admin · · Score: 2, Interesting

    "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job,"

    This is kind of funny. When the layoffs hit back in 2001 I know of lots of instances where this happened. They lay off the IT staff and expect the systems to magically run themselves, or expect the janitor to be able to run it all.

    But to see that today is a little of a surprise. Maybe they have not hired new IT staff and the equipment is just running on autopilot.

  2. Bad security, even without snooping by L.+VeGas · · Score: 4, Interesting

    In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.

    The company has since been bought out and shut down, but that incident has always bugged me.

  3. old work still accessible by timmarhy · · Score: 2, Interesting
    the private files thing is total bullshit - we don't CARE about your dirty emails to your wife.

    accessing old work system is true i think... i know i still have access to places i setup 7 years ago, i login once a year to look at the up time on the system. it's nothing more than me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.

    by the way, it's linux 2.4... 7 years up time on old salvaged hardware.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:old work still accessible by Compholio · · Score: 3, Interesting

      it's nothing more then me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.
      I would imagine that a lot of employers have actually made the conscious choice to keep people like you online after "termination". After all, who knows when they may need you to fix your creation?
  4. Can't be called professional without ethics by erroneus · · Score: 4, Interesting

    It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?

    I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.

    But at a rate of 33% of IT professionals breaching company trust? That's pretty frightening... it's probably untrue.

  5. Wot no exit procedures? by Colin+Smith · · Score: 2, Interesting

    It's almost impossible not to occasionally catch sight of something sensitive when you work in IT: employee databases, email folders/logs, web browser histories, chat logs etc etc.

    More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

    Course there should be documented exit procedures for HR and IT when people leave.

    --
    Deleted
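    The exit procedure the post calls for has a checkable core: after HR records a departure, every system's account list should be reconciled against the HR roster, and anything still enabled for a former employee (or owned by nobody HR knows about) is a finding. The script below is an added example, not code from the original thread or from any product; the roster, the per-system account exports and the usernames are constructed sample data, and the field names (`termination`, `last_login`) are assumptions about what an HR export and an account dump would carry.

```python
"""Offboarding reconciliation: find accounts that should have been disabled
when their owner left. Added example with constructed sample data; the
roster/account field names are assumptions, not any real system's schema."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    username: str
    termination: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    system: str                  # which system exported this account
    username: str
    enabled: bool
    last_login: Optional[date]   # None means never logged in / unknown


# Constructed HR roster: what HR believes about who still works here.
HR_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2001, 3, 15)),    # laid off in 2001
    Employee("carol", date(2007, 1, 2)),
]

# Constructed per-system account exports (VPN, a lab records system, a token server).
ACCOUNTS = [
    Account("vpn", "alice", True, date(2007, 5, 20)),
    Account("vpn", "bob", True, date(2006, 11, 3)),       # still enabled, still used
    Account("lab-lims", "carol", False, None),            # correctly disabled
    Account("lab-lims", "bob", True, None),               # enabled, apparently unused
    Account("ace-server", "dave", True, date(2007, 5, 1)),  # no HR record at all
]

Finding = Tuple[str, str, str, str]  # (severity, system, username, reason)


def reconcile(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Compare every enabled account against the HR roster.

    critical: owner terminated and the account was used after the termination date
    high:     owner terminated (never used since) or no HR record at all (orphan)
    """
    by_user = {e.username: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append(("high", acct.system, acct.username,
                             "no HR record (orphan account)"))
            continue
        if emp.termination is None or emp.termination > today:
            continue  # current employee; nothing to do
        days = (today - emp.termination).days
        reason = f"owner terminated {days} days ago"
        if acct.last_login is not None and acct.last_login > emp.termination:
            findings.append(("critical", acct.system, acct.username,
                             reason + "; logged in after termination"))
        else:
            findings.append(("high", acct.system, acct.username, reason))
    return findings


if __name__ == "__main__":
    for sev, system, user, reason in reconcile(HR_ROSTER, ACCOUNTS, date(2007, 6, 1)):
        print(f"[{sev}] {system}/{user}: {reason}")
```

    The severities are deliberately simple: an account that has actually been used after its owner's termination is the case the posts above describe and should be handled first; an account with no matching HR record is the harder one, because nobody is accountable for it and nobody will notice when it is misused. Running this on a schedule, not only at termination time, is what catches the "left long ago" cases the survey mentions.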
  6. IT people could go to jail by Anonymous Coward · · Score: 2, Interesting

    The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system. The result cost Westjet millions. The settlement left no doubt that what Westjet and its employees did was illegal. Illegal, as in someone could end up in jail, that kind of illegal. http://www.lockergnome.com/nexus/news/2006/05/29/westjet-accepts-blame-settles-with-air-canada-in-espionage-case/

    1. Re:IT people could go to jail by Anonymous Coward · · Score: 1, Interesting

      The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system.

      Not quite. The former employee was an executive at Air Canada and one of his perks (despite the fact he was leaving Air Canada - quite a golden parachute) was a very large number of free flights on Air Canada for a very long time.

      To book his free flights, he was authorized and given access to an internal booking system at Air Canada.

      To book his free flights, obviously the system would have to show which flights had seats available.

      However, knowing which Air Canada flights had seats available was very useful information to Westjet.

      The result cost Westjet millions. The settlement left no doubt that what Westjet and its employees did was illegal. Illegal, as in someone could end up in jail, that kind of illegal.

      I think that is a bad decision. Air Canada deliberately gave access to the former employee, knowing that he was a former employee, and knowing that he was working at a competing airline. This wasn't a break-in, this wasn't a hack, this wasn't a case of forgetting to terminate access. HE WAS AN AUTHORIZED USER!

      Further, knowing which Air Canada flights had seats available isn't even that private or secret. Thousands of travel agents have access to that information, as do many travel booking websites.

  7. Passwords by Otter · · Score: 2, Interesting
    The study also showed that over 50% of workers still keep their passwords on a Post-It note, in spite of all the education from the IT security industry to do it differently. And in the don't do-as-I do-dept., more than 50% of respondents admitted to using Post-It notes to store passwords to administrator accounts. One-fifth of all organizations admitted that they rarely changed their administrative passwords with seven percent saying they never change administrative passwords.

    I'm skeptical about the snooping (much as I bitch about admins, they're actually remarkably ethical about privacy given the access they have, IME) but that password thing sounds dead on. Whenever they give us the lecture about how keeping track of the login/password combos for 25 different accounts, each rotated every 60-90 days, with mandatory mixed case, numbers and punctuation is easy -- why all you do is make up a little story -- "Mary went to the store to buy milk" becomes h7^Y8U0bs# -- I always ask them for the story to their previous password to the office furniture request page. They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

    1. Re:Passwords by drinkypoo · · Score: 2, Interesting

      They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

      I've always written down my new passwords until I memorize them. Then I burn the paper.

      If you lose it while you're still memorizing it, you change it quickly :)

      But you don't write down what it's for, either...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. It's a problem by Phil+Wherry · · Score: 4, Interesting

    In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.

    I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.

    So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going on, and will deter staffers from being tempted to misuse their rights.

    Phil
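    What the audit trail in this post gave the manager was a record of who opened whose mailbox, which is exactly the "abuse of authority" pattern that technical controls cannot prevent but logs can expose. The detector below is an added example, not the poster's code or any mail server's audit feature: it parses constructed mailbox-audit records (the `actor=... action=... mailbox=...` line format and the field names are assumptions), skips malformed lines, and reports every privileged account that read messages in a mailbox it does not own, separating accesses tied to a ticket from those that are not.

```python
"""Audit-trail review for privileged mailbox access. Added example with a
constructed log format; field names and sample records are assumptions."""
import re
from collections import OrderedDict
from typing import Dict, List, Optional

# Constructed sample audit records, not from any real mail system.
LOG_LINES = [
    "2007-05-14T09:12:03Z actor=jsmith action=MailboxLogin mailbox=jsmith@example.com client=owa",
    "2007-05-14T09:12:40Z actor=jsmith action=MessageRead mailbox=jsmith@example.com client=owa",
    "2007-05-14T21:03:11Z actor=bvance action=MailboxLogin mailbox=cfo@example.com client=admin-console",
    "2007-05-14T21:03:30Z actor=bvance action=MessageRead mailbox=cfo@example.com client=admin-console",
    "2007-05-14T21:04:02Z actor=bvance action=MessageRead mailbox=cfo@example.com client=admin-console",
    "2007-05-14T21:05:17Z action=MessageRead actor=bvance mailbox=cfo@example.com client=admin-console",
    "2007-05-15T08:00:00Z actor=bvance action=MailboxLogin mailbox=bvance@example.com client=owa",
    "2007-05-15T10:30:00Z actor=helpdesk1 action=MessageRead mailbox=cfo@example.com client=admin-console ticket=INC-4471",
    "this line is deliberately malformed and must be skipped",
]

# Assumed list of accounts holding mailbox-admin rights (constructed).
PRIVILEGED = {"bvance", "helpdesk1"}
# Actions that expose message content; logins alone are not reported.
SENSITIVE_ACTIONS = {"MessageRead", "MessageExport", "MessageForward"}

TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"actor", "action", "mailbox"}


def parse(line: str) -> Optional[Dict[str, str]]:
    """Turn one audit line into a dict, or None if it is not a well-formed record."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or not TS_RE.match(parts[0]):
        return None
    fields = dict(FIELD_RE.findall(parts[1]))  # field order in the line does not matter
    if not REQUIRED <= fields.keys():
        return None
    fields["ts"] = parts[0]
    return fields


def detect(lines: List[str], privileged=PRIVILEGED) -> Dict[str, List[dict]]:
    """Find privileged actors reading mailboxes they do not own.

    Returns {"unticketed": [...], "ticketed": [...]}; each entry aggregates one
    actor/mailbox pair with a count and the first/last timestamps seen.
    """
    buckets = {"unticketed": OrderedDict(), "ticketed": OrderedDict()}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        actor, action, mailbox = rec["actor"], rec["action"], rec["mailbox"]
        owner = mailbox.split("@", 1)[0]
        if actor not in privileged or action not in SENSITIVE_ACTIONS or owner == actor:
            continue  # own mailbox, or not a privileged actor, or not content access
        bucket = buckets["ticketed" if "ticket" in rec else "unticketed"]
        entry = bucket.setdefault((actor, mailbox), {
            "actor": actor, "mailbox": mailbox, "count": 0,
            "first": rec["ts"], "last": rec["ts"], "ticket": rec.get("ticket"),
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])  # ISO-8601 sorts lexically
        entry["last"] = max(entry["last"], rec["ts"])
    return {name: list(b.values()) for name, b in buckets.items()}


if __name__ == "__main__":
    report = detect(LOG_LINES)
    for finding in report["unticketed"]:
        print(f"REVIEW: {finding['actor']} read {finding['count']} message(s) in "
              f"{finding['mailbox']} between {finding['first']} and {finding['last']}")
    for finding in report["ticketed"]:
        print(f"ticketed: {finding['actor']} -> {finding['mailbox']} ({finding['ticket']})")
```

    Two design points match the story above. Only content-exposing actions count, so an administrator who merely logs into a mailbox to fix delivery is not flagged; and accesses carrying a change ticket are listed but separated, because a reviewer wants to confirm those against the ticket system rather than treat them as incidents. The findings are what a manager would review before deciding anything, which is the order the post describes: logs first, then the conversation.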

  9. Re:Who writes this stuff? by jombeewoof · · Score: 2, Interesting

    easy enough to set that token to "lost" with a passcode that doesn't expire.
    If you're an admin you would certainly have access to the RSA ACE server that allows this.

    --
    Linux Zealots: Smarter than Mac Zealots, but still zealots.