Slashdot Mirror


The IT Department as Corporate Snoop?

coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."

35 of 116 comments

  1. Only 1/3rd? by Skyshadow · · Score: 3, Funny

    1/3rd of IT professionals poke through other employees' files? What are the other 2/3rds up to all day long?

    Never hire an IT guy who couldn't pass the BOFH test.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Only 1/3rd? by ajanp · · Score: 2, Funny
      1/3 of them are simply too busy reading /. to trouble themselves with old files.

      The other 1/3... well... when I read their thoughts all that was coming through was "deny, deny, deny."

      --
      File Deletion is Murder.
    2. Re:Only 1/3rd? by YrWrstNtmr · · Score: 2, Insightful

      It seems like there'd be more important security implications with disgruntled fired IT guys still having unbridled access to the company network.

      Not all are fired/disgruntled. Some leave on good terms.

  2. Hmmm by Anon-Admin · · Score: 2, Interesting

    "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job,"

    This is kind of funny. When the layoffs hit back in 2001, I know of lots of instances where this happened. They lay off the IT staff and expect the systems to magically run themselves, or expect the janitor to be able to run it all.

    But to see that today is a little of a surprise. Maybe they have not hired new IT staff and the equipment is just running on autopilot.

  3. All the more reason.... by Chabo · · Score: 3, Funny

    All the more reason to put make sure nobody else is snooping on you before you install your backdoor program!

    --
    Convert FLACs to a portable format with FlacSquisher
  4. Re:me! by Anon-Admin · · Score: 3, Funny

    The company I work for has a firewall, and your site is blocked. It tells me "This site belongs to the XXXXXXXXXXXX defined Internet category "Tasteless" which has restrictions."

    I guess I'll have to look at it when I get home. :)

  5. Separation of powers by tubapro12 · · Score: 3, Informative

    Like in government (cough cough cough), powers should be divided amongst a number of people i.e. hardware admins, web server admins, database admins, 'maintenance admins', et cetera. But for the majority of places this could easily be too many people. Of course, this is pretty impractical too, and I for one know most admins don't like having obstacles; but after all that's the root of the problem at hand.

  6. default passwords by grassy_knoll · · Score: 4, Funny
    From TFA:

    Eight percent of respondents noted that they still use the manufacturer's default admin password on critical systems.


    Some people are blockheads.
    News at 11.
  7. Why? by Hoi+Polloi · · Score: 3, Funny

    The last thing I want to do after spending 8 hours on my company's network is spend my personal time trying to get back onto my company's network.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  8. Thinkgeek knows it too by Weaselmancer · · Score: 4, Funny
    --
    Weaselmancer
    ridiculous.
  9. Bad security, even without snooping by L.+VeGas · · Score: 4, Interesting

    In the mid 90's, I switched employers. My former employer was a fairly large medical / toxicology (drug testing) laboratory, and the records were fully searchable by name, SS#, and so on. Around this time, I got a new PC, and left the old one pretty much untouched for several years. About five years later, I fired it up out of curiosity. The terminal emulator shortcut was still there, so I plugged in the modem and was on the laboratory's network within minutes. Full access.

    The company has since been bought out and shut down, but that incident has always bugged me.

  10. old work still accessible by timmarhy · · Score: 2, Interesting
    the private files thing is total bullshit - we don't CARE about your dirty emails to your wife.

    accessing old work system is true i think... i know i still have access to places i set up 7 years ago, i login once a year to look at the up time on the system. it's nothing more than me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.

    by the way, it's linux 2.4... 7 years up time on old salvaged hardware.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:old work still accessible by Compholio · · Score: 3, Interesting

      it's nothing more than me checking on how my creation is going, if i saw a problem i'd probably report it to my old boss with a suggested fix.
      I would imagine that a lot of employers have actually made the conscious choice to keep people like you online after "termination". After all, who knows when they may need you to fix your creation?
    2. Re:old work still accessible by akeyes · · Score: 2

      er, it was the latest 2.4 version when i left. can't vouch for it right now though

      I'll tell you what... we will wait while you check. (You did say that you still have access.)

    3. Re:old work still accessible by jimicus · · Score: 2, Insightful

      if i saw a problem i'd probably report it to my old boss with a suggested fix.

      As one IT pro to another... if your former boss doesn't know this, don't do it. There's a strong chance you'll cause far more trouble for yourself than you ever dreamed possible.

  11. Shenanigans! by laron · · Score: 3, Insightful

    "The survey found that more than one-third of IT professionals admit..."

    I find that hard to believe.

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  12. Can't be called professional without ethics by erroneus · · Score: 4, Interesting

    It's just my opinion but I'm sure many will agree with me on that. In every case where a person has privileged access to information as part of their job, there is usually some sort of ethical standard of non-disclosure in place. As an IT manager, I thrust my ethics upon people on a regular basis citing that I do not EVER want to know anything I don't need to know. Usually, it's passwords, but wouldn't that just be the start?

    I can't imagine how anyone could consider themselves "professional" without professional standards of behavior to go along with it. Do professionals in all fields get tempted "by the dark side?" Oh yeah... we see it on the news every day.

    But at a rate of 33% of IT professionals breaching company trust? That's pretty frightening... it's probably untrue.

  13. This seems to keep coming up lately... by Yobgod+Ababua · · Score: 3, Insightful

    Your company should have a published policy regarding user privacy and IT, and all members of IT should abide by that policy at all times. (In our case, for files or email, we require the approval of the user themselves or of a department manager and human resources before we go off reading your stuff. We do reserve the right to monitor network traffic at any time, for any reason, but we also make sure your email access runs encrypted over the network...)

    In any case, please encourage your local IT Professionals to behave like Professionals. How should they behave, you ask?

    Like THIS.

    Anyone who doesn't lock the accounts of ex-root-access employees and change the shared passwords that they had access to is lazy and negligent, bordering on criminally negligent. That's just inexcusable...
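The two offboarding checks named in the comment above (disable the accounts of people who have left, and rotate any shared password a departed person knew) can be reconciled mechanically against HR's termination list. The following is an added example, not code from the poster or from the article; the users, systems, dates and the "one secret, several holders" model are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


# Constructed sample data: hypothetical users, systems and dates.
@dataclass(frozen=True)
class Account:
    user: str
    system: str
    privileged: bool
    enabled: bool


@dataclass(frozen=True)
class SharedSecret:
    name: str
    holders: frozenset      # everyone who was ever given this secret
    last_rotated: date


# HR's list of departed users and their last working day.
HR_TERMINATIONS = {"jdoe": date(2007, 3, 1), "asmith": date(2006, 11, 15)}

ACCOUNTS = [
    Account("jdoe", "db-prod", privileged=True, enabled=True),
    Account("jdoe", "vpn", privileged=False, enabled=False),   # already disabled
    Account("asmith", "vpn", privileged=False, enabled=True),
    Account("bkim", "db-prod", privileged=True, enabled=True),  # current staff
]

SHARED_SECRETS = [
    SharedSecret("router-enable", frozenset({"jdoe", "bkim"}), date(2007, 1, 10)),
    SharedSecret("backup-encryption", frozenset({"asmith", "bkim"}), date(2007, 1, 10)),
    SharedSecret("vendor-portal", frozenset({"bkim"}), date(2005, 6, 1)),
]


def stale_accounts(accounts, terminations):
    """Enabled accounts whose owner HR says has left; privileged ones listed first."""
    stale = [a for a in accounts if a.enabled and a.user in terminations]
    return sorted(((a.user, a.system, a.privileged) for a in stale),
                  key=lambda t: (not t[2], t[0], t[1]))


def secrets_needing_rotation(secrets, terminations):
    """Shared secrets a departed person knew that were not rotated after they left."""
    out = []
    for s in secrets:
        leaked_to = sorted(h for h in s.holders
                           if h in terminations and terminations[h] >= s.last_rotated)
        if leaked_to:
            out.append((s.name, leaked_to))
    return sorted(out)


def offboarding_report(accounts, secrets, terminations):
    """Everything IT still owes HR for the people on the termination list."""
    return {"disable": stale_accounts(accounts, terminations),
            "rotate": secrets_needing_rotation(secrets, terminations)}


if __name__ == "__main__":
    for action, items in offboarding_report(ACCOUNTS, SHARED_SECRETS, HR_TERMINATIONS).items():
        print(action)
        for item in items:
            print("  ", item)
```

The rotation rule is deliberately date-based: a secret that was rotated after a holder's last day is fine, one that was rotated before it is still known to someone who no longer works there, no matter how old the secret is.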

  14. True enough by grasshoppa · · Score: 2, Insightful

    From my perspective, this is true enough. There are places that I still have access to that, by all rights, I shouldn't. I log in about once a year to see if I still have access, and if I do, I email the owner/manager of the place to that effect. Last thing I want is for something to go legal and me have a finger in the pie.

    Of course, for a few places around here, me still having access is a good thing. Seeing how they call me about once a week because they couldn't follow well laid out documentation on managing the system...but I digress.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  15. Wot no exit procedures? by Colin+Smith · · Score: 2, Interesting

    It's almost impossible not to occasionally catch sight of something sensitive when you work in IT: employee databases, email folders/logs, web browser histories, chat logs etc etc.

    More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

    Course there should be documented exit procedures for HR and IT when people leave.

    --
    Deleted
    1. Re:Wot no exit procedures? by nine-times · · Score: 5, Informative

      More than any other reason, this is why your IT team should be well paid and why duties should be segregated.

      And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.

      You might ask why. "Why can't you put security in place that prevents your IT people from accessing the information you don't want them to see?" Well, I'll answer that with another question: who will put that security in place? Inevitably, there will have to be people who put security in place, and whoever that is could leave back-doors for themselves. There will be people who maintain the systems and security, people with powerful logins and passwords, and those people can override your security.

      And ultimately, there are accidents. At one company, we ran a common spam database for the whole company (years ago). Every piece of spam went into the same place. While looking for false positives in order to see whether the filter needed adjusting, you'd see every e-mail that had a swear word in it. If someone wrote about "f*%king", it was in the spam filter. Every mention of "penis" went in the spam filter. A lot of it was spam, but there was plenty of employee e-mail going around, talking about things they probably didn't want anyone to see.

      Also, there were plenty of times where someone invited me to look at their desktop or e-mail in order to help them with something. Like, "hey, can you help me find this e-mail I'm looking for?" I say "yeah," and the e-mail up on the screen is an e-mail about having an affair and an Excel file containing everyone's salaries. It happens!

      My point is, even if your IT personnel are honest, they'll probably see sensitive information somehow, even if by accident. Trustworthiness is an important trait. My advice: If you're hiring IT people, it might be good to hire the person you'd feel most comfortable telling all your dirty secrets. If you're just another employee, don't keep any information on your work computer or pass information through your work systems unless you'd be comfortable with your IT people seeing it. If you must send information from work that you don't want your IT people to see, use a Gmail account, and don't leave your browser open while you're away from your computer.

    2. Re:Wot no exit procedures? by turbidostato · · Score: 2, Funny

      "who will put that security in place?"

      Why, Indian engineers we get on green cards, of course. After the job is done, we bury them alive within the datacenter.

      We already used that trick on our pyramids.

  16. IT people could go to jail by Anonymous Coward · · Score: 2, Interesting

    The Air Canada vs. Westjet case involved computer espionage and a former employee who kept access to Air Canada's computer system. The result cost Westjet millions. The settlement left no doubt that what Westjet and its employees did was illegal. Illegal, as in someone could end up in jail, that kind of illegal. http://www.lockergnome.com/nexus/news/2006/05/29/westjet-accepts-blame-settles-with-air-canada-in-espionage-case/

  17. Passwords by Otter · · Score: 2, Interesting
    The study also showed that over 50% of workers still keep their passwords on a Post-It note, in spite of all the education by the IT security industry to do it differently. And in the don't-do-as-I-do dept., more than 50% of respondents admitted to using Post-It notes to store passwords to administrator accounts. One-fifth of all organizations admitted that they rarely changed their administrative passwords, with seven percent saying they never change administrative passwords.

    I'm skeptical about the snooping (much as I bitch about admins, they're actually remarkably ethical about privacy given the access they have, IME) but that password thing sounds dead on. Whenever they give us the lecture about how keeping track of the login/password combos for 25 different accounts, each rotated every 60-90 days, with mandatory mixed case, numbers and punctuation is easy -- why all you do is make up a little story -- "Mary went to the store to buy milk" becomes h7^Y8U0bs# -- I always ask them for the story to their previous password to the office furniture request page. They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

    1. Re:Passwords by drinkypoo · · Score: 2, Interesting

      They splutter about how no, that's a security risk to part with one of their expired stories but I can see the Post-It with the root password in their minds, like I'm Professor Snape.

      I've always written down my new passwords until I memorize them. Then I burn the paper.

      If you lose it while you're still memorizing it, you change it quickly :)

      But you don't write down what it's for, either...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Telegraph Operators by Frogbert · · Score: 4, Insightful

    I like to think of myself as a Telegraph Operator. Sure I know people's secrets, but it would be unprofessional for me to tell them to anyone.

  19. It's a problem by Phil+Wherry · · Score: 4, Interesting

    In the security business, a lot of the danger from IT employees comes from a class of attack known as "abuse of authority." It's near-impossible to prevent through technical measures, since the people in question need the elevated privileges in order to do their jobs. A careful program of auditing can often detect these abuses after they've occurred, however.

    I had a situation occur a few years ago in which I had to fire a trusted and valuable staff member for snooping through a senior manager's email. Another staff member actually detected this when he printed a copy of the email, and it came out of the printer in his home office even though he was on travel. This came to my attention very quickly, and we reviewed audit logs that we'd put in place earlier and found plenty of evidence of his snooping. It pained me to fire the guy--he was smart, ambitious, and held up really well under pressure. But in the end, I concluded that a slap on the wrist would just send the message to other team members that it was OK to cheat until caught for the first time. I suspect that it was the right move for him, too; our sudden, decisive response to his lapse in judgment doubtless made an impression.

    So, some advice to IT managers: ensure that there's an audit trail for all privileged activity. You'll detect and stop abuse if it's going on, and will deter staffers from being tempted to misuse their rights.

    Phil
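The audit-trail advice above only pays off if someone actually reviews the trail, and the review is easy to automate once privileged actions are logged with who did what to whose data and under which approval. The following is an added example, not the poster's code or tooling: it parses a constructed, hypothetical key=value audit format, treats "ops1" and "ops2" as the privileged accounts, and reports privileged access to other people's mailboxes that carries no approval ticket (the `ticket=-` convention is an assumption of the example).

```python
import re
from collections import Counter

# Constructed sample audit lines in a hypothetical key=value format.
AUDIT_LOG = """\
2007-03-02T09:14:22 actor=ops1 action=mailbox.open target=ops1 ticket=-
2007-03-02T09:20:05 actor=ops1 action=mailbox.open target=cfo ticket=-
2007-03-02T11:02:41 actor=ops1 action=mailbox.open target=cfo ticket=-
2007-03-03T08:30:10 actor=ops2 action=mailbox.open target=cfo ticket=HD-4410
2007-03-03T10:00:00 actor=ops2 action=mailbox.export target=ceo ticket=-
2007-03-03T10:05:00 actor=cfo action=mailbox.open target=cfo ticket=-
this line is garbage and must not crash the parser
"""

# Accounts that hold elevated rights (assumed for the example).
PRIVILEGED = {"ops1", "ops2"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    event.update(KV_RE.findall(m.group("kv")))
    required = {"actor", "action", "target", "ticket"}
    return event if required.issubset(event) else None


def unapproved_privileged_access(log_text, privileged):
    """Count privileged actors touching someone else's mailbox with no approval ticket.

    Self-access and access backed by a ticket are normal admin work and are left out;
    what remains is exactly the 'abuse of authority' pattern a reviewer wants to see.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped, not fatal
        if (ev["actor"] in privileged
                and ev["target"] != ev["actor"]
                and ev["ticket"] == "-"):
            counts[(ev["actor"], ev["target"], ev["action"])] += 1
    return sorted((a, t, act, n) for (a, t, act), n in counts.items())


if __name__ == "__main__":
    for actor, target, action, n in unapproved_privileged_access(AUDIT_LOG, PRIVILEGED):
        print(f"{actor} -> {target}: {action} x{n} with no approval ticket")
```

Running it over the sample lines reports two findings: ops1 opened the cfo mailbox twice without a ticket, and ops2 exported the ceo mailbox once; ops2's ticketed access to the cfo mailbox is not reported. The same shape (actor, target, action, approval) works for file shares, database consoles or password vaults, and the report is only useful if a manager outside the admin team reads it, which is the separation of duties several posters above ask for.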

  20. Salt for passwords too by omnirealm · · Score: 2, Funny

    Not only should the article written by the firm specializing in password security be taken with some salt, but it is also a good idea to add salt to passwords.

    Okay, that was a stretch.

    --
    An unjust law is no law at all. - St. Augustine
  21. Re:Who writes this stuff? by Nonesuch · · Score: 2, Informative
    One nice thing about physical access tokens is you can add them to the security guard's checklist for terminations, just like a laptop, badge/keycard, and company car. You don't turn it in, you don't get your final paycheck.

    The same IT department that doesn't turn off a terminated employee's access would be the same one who doesn't turn off access for the employee's token. These tokens don't magically fix broken IT security policies.

    But these tokens do have a built-in expiration date, the server doesn't fix policies, but it will enforce policies. When the end-of-life arrives, the token becomes a useless fifty buck hunk of plastic. And unlike passwords, lazy admins cannot trivially override the expiration date, like they do for VIPs in the "user must change password every X days" GPO on every Microsoft AD deployment I've ever seen.
  22. Curiosity herded the cat by Nonesuch · · Score: 2, Insightful
    I've found as I've gotten older and now have more to lose, I go out of my way to not acquire keys, to not know users' passwords, to not have accounts on systems where I don't need them -- I'm just as curious, yet more risk-averse.

    Average wrote: I always found that sysadmins (myself included) tend to acquire keys whenever possible. I don't care if it's just a broom closet, I want to know what's in there. There's a mix of paranoia, extreme curiosity, and helpfulness that come with the profile.

    When I want to see what's in a broom closet, I have security send up a guard with a key and have him open the door and show me around. My curiosity is satisfied, and no worries about being liable if later a broom turns up missing :)
  23. Why...? by Telephone+Sanitizer · · Score: 3, Insightful

    > The survey found that more than one-third of IT professionals
    > admit they could still access their company's network once
    > they'd left their current job, with no one to stop them.

    Does it seem that people are villainizing the IT guys that left?

    Shouldn't the criticism be levied upon the IT guys who REMAIN?

    And as for snooping, it's not the snooping that bugs me, but the disclosures that sometimes follow. I was really pissed off when my boss started publicly ripping on me for the quality of some code scraps he found in my documents folder.

    I didn't mind that he looked -- I don't expect privacy on a corporate computer. But he used what he found in an attempt to humiliate me (which failed since the rest of the department knew that the code was something that I was reviewing from a new intern).

  24. Re:Who writes this stuff? by OnlineAlias · · Score: 2, Informative


    Curiously, Microsoft AD has no such ability. Password policies are set domain wide and there are no exceptions for anyone even with a GPO, a well known limitation of AD.

    Let me correct your statement. You have "never seen an AD deployment where GPOs were making exceptions..."

  25. This has happened too many times... by SirKron · · Score: 2

    I agree with many of the people before me. I do not accept keys to client locations unless I am onsite more than a month. I do not accept domain administrator passwords, I ask for a unique admin account with delegated rights. And I do not snoop into files.

    Just recently I went to my boss and told him that our ex-HR person's home directory was wide open. I pointed out to him his hire letter and more from my other colleagues. I almost did not approach him about it for fear of repercussions. However, I did not have any more than domain user rights and found it using Vista's new desktop search.

  26. Re:Who writes this stuff? by jombeewoof · · Score: 2, Interesting

    easy enough to set that token to "lost" with a passcode that doesn't expire.
    If you're an admin you would certainly have access to the RSA ACE server that allows this.

    --
    Linux Zealots: Smarter than Mac Zealots, but still zealots.
  27. Corporate Snoop? Wearing a tie with cornrows? by jsolan · · Score: 2, Funny

    fo shizzle