Bad weather warning

With system attacks by IT staff more likely than a rainy day, Calum McLeod offers his forecast

Calum McLeod: The problem is a lack of control and proper process within the organisation

I would never make disparaging comments about my wife, especially since she is smarter than me and has a lot more letters after her name, but she is driving me crazy with the weather.

Ever since she discovered weather forecast web sites, she browses about 10 and tells me what they predict.

And then usually, when they predicted sun and it is pouring with rain, she asks me what it means when there is a 70 per cent chance of something happening.
So here is a statistic that I guarantee will not be disputed. Right now there is a 100 per cent chance that some organisation is the victim of either malicious activity or stupidity by a member of its own IT staff.

Just look at the news. Over the past few months we have had instances in San Francisco, San Diego and Lichtenstein of
IT staff abusing their privileges.

In these and many other cases the problem is a lack of control and proper process within the organisation. IT research organisation the Burton Group says that unauthorised users can use privileged accounts to bypass internal controls, access confidential information and destroy audit data to cover their tracks.

In San Diego, one IT specialist deleted patient and allied data on purpose from his former employer’s computer systems. In San Francisco a network administrator for the Department of Technology tampered with the network that contains the city’s sensitive data, and created an administrative password that gave him exclusive access.

The challenge is to ensure proper use of these accounts. Gartner has noted that shared superuser accounts ­ which are
generally system-defined in operating systems, databases and network devices ­ pose significant risks when the passwords are routinely shared by multiple users.

So too, do shared firecall accounts, which are used to deal with critical problems outside normal working hours.

Forrester advocates managing shared account passwords in an accountable way and states in a recent report that old-
fashioned ways of managing them, such as spreadsheets, sealed envelopes, printouts and sticky notes, are just not secure enough.

Internal IT practices are also increasingly coming under the scrutiny of auditors. Whatever sector you find yourself in, it is likely you will have to submit to a compliancy and regulatory audit.

Sooner rather than later yet another organisation will make the headlines because they did not take the necessary
precautions to protect themselves. It is always raining somewhere.