Jun 04 2007

Insider threats in the IT department

Published by at 7:18 am under General

I’m not sure why it surprises anyone that a study indicates one in three IT employees would abuse their access. To me, this just illustrates basic human nature: a certain number of people are going to abuse their power, no matter what. It’s true in politics, it’s true in the boardroom; why would the server room be any different?

There’s been a lot of talk about the insider threat versus the threat of someone coming from the outside. Both are important issues to deal with, but this study highlights two reasons I think the insider threat should be a bigger concern than it is. First, the fact that this study surprises anyone is an indicator that we’re not taking the issue seriously enough. Second, IT professionals have the opportunity and ability to access more internal resources than most users; all that needs to be added is a motive, and you’ve got a breach.

This study was concerned with the abuse of passwords, but I wonder what an overall ethics survey of the IT field would turn up. I’m willing to bet that to the more cynical amongst us, it wouldn’t be a big surprise. I’d also like to see the same sort of survey given to a sample group of CISSPs. Now that survey might turn up a few surprises, since we signed a code of ethics to become certified. Would we do all that much better than the rest of the IT field?

People are people, good, bad and ugly.  IT professionals are no better or worse than anyone else.  This is one of the reasons we have checks and counterbalances in our systems, so that the abuse of one person is hopefully caught by another professional. 

Cyber-Ark wanted to prove that passwords suck; the stuff about IT staffers was just what the blogosphere latched onto. Guess what, everyone knows passwords suck, but we haven’t come up with a better alternative yet. And even when we do, people are going to abuse their privileges.

3 Responses to “Insider threats in the IT department”

  1. Kayza Kleinman on 05 Jun 2007 at 1:29 pm

    It seems to me that linking the insider threat to passwords totally misses the point. If, for instance, I have access to our fiscal systems, then I can abuse that access regardless of whether we use passwords only, a two factor authentication system, tokens, or even biometrics. The same is true for any system or area of information.

    The only things that can really have an impact on these threats are a combination of education, an emphasis on ethical behavior, a system of checks and balances and monitoring / logging systems that people are aware of. People who understand the rules, and know that a record is being kept of what is going on are far less likely to cross the lines.

  2. Kayza Kleinman on 05 Jun 2007 at 1:45 pm

    It seems to me that linking the insider threat to passwords totally misses the point. If, for instance, I have access to our fiscal systems, then I can abuse that access regardless of whether we use passwords only, a two factor authentication system, tokens, or even biometrics. The same is true for any system or area of information.

    The only things that can really have an impact on these threats are a combination of education, an emphasis on ethical behavior, a system of checks and balances and monitoring / logging systems that people are aware of. People who understand the rules, and know that a record is being kept of what is going on are far less likely to cross the lines.

  3. grant czerepak on 14 Jun 2007 at 9:02 pm

    Yes, insider threats are a major concern. It should also be pointed out that the security risk can be due to intentional and unintentional violations.
