Getting a clear view of network activity

IT administrators police the IT network, but who polices them and everyone else with access privileges, asks Ross Brewer

Brewer: Log data and event management can provide real-time data analysis

Security breaches can be big news and IT departments work hard to protect organisations from external attacks and internal threats.

But who is actually policing key staff such as IT administrators or, for that matter, checking to ensure that employees with access rights to sensitive information are not abusing those privileges for personal gain or vendetta?

While most employees are completely professional and do not abuse their privileges, there is always the odd bad apple in the barrel.

For example, a former IT administrator was indicted on charges of planting a malicious script designed to destroy data on all the servers of a major US mortgage-finance company.

Rajendrasinh Babubhai Makwana, who used to work for Fannie Mae at its Urbana Technology Centre in Maryland, allegedly set a computer time bomb that was designed to go off on 31 January 2009 at 9am.

Makwana worked at Fannie Mae for three years as a computer engineer until his contract was terminated. He had administrator access to all the main systems, and the company did not revoke it until the evening of the day he left.

While these sorts of incidents seem more prevalent in the US, the UK is not exempt.

In January, British IT administrator Julius Oladiran was ordered to pay more than £3,000 and given three months at Her Majesty’s Pleasure after being accused of hacking into his former employer’s computer system to install spyware and delete emails.

Unfortunately, with the number of layoffs happening in the UK at present, the risk of disgruntled staff taking advantage is set to increase.

Organisations need to consider who is policing the people running the business and the IT network. The reality is that, in most cases, no one is.

Millions of log entries and audit-trail records are generated daily by every IT-related action, legitimate or not. Trawling through such vast amounts of data by hand to identify potential security threats is a daunting task that can take weeks.

If staff know their activities cannot be traced, or, as is the case for IT administrators, that they can delete the records of their own actions, there is little deterrent.

Log data and event management solutions provide real-time analysis, letting organisations see who is accessing what, and when. They can alert on specific types of violation before any real damage is done.

Centralised logging and security event management platforms automatically collect activity logs from every system into a store that the administrators of those systems cannot alter, monitor them, and report and alert on activity that warrants attention.

Companies also need to have clear policies and procedures that are followed whenever staff tenure ends, for whatever reason.

For instance, at what point are their access rights reduced or removed? Should there be increased levels of monitoring of their activity in the run-up to their final day at the company?

And it is not just rogue staff who pose a risk. Malware such as the Conficker worm spreads across networks by, among other means, guessing administrator passwords, so the same logs that police staff also expose it.

Recently, a LogRhythm customer became infected with Conficker but had no idea how, or through which computer. By analysing its log data, the organisation identified a PC that had attempted to log in to the administrator account 310,000 times in seven days.
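The detection behind that story is a simple aggregation once the logon logs are collected in one place. The script below is an added example, not code from the article or from LogRhythm: it parses a constructed, simplified logon-event format (timestamp, reporting host, LOGON_FAILURE or LOGON_SUCCESS, target account, source address), counts failed logons against administrator accounts per source address inside a sliding window, and flags any source whose count crosses a threshold. The log format, the account names, the addresses, the one-hour window and the threshold of 50 failures are all assumptions chosen for illustration; real event formats (for instance Windows event 4625) carry the same fields under different names.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed, simplified logon-event format (not a real product's format):
#   <ISO timestamp> <reporting host> LOGON_FAILURE|LOGON_SUCCESS user=<account> src=<address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGON_(?:FAILURE|SUCCESS)) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Accounts whose failed logons we care about (assumption for the example).
ADMIN_ACCOUNTS = ("Administrator",)


def parse_line(line):
    """Return a dict for a well-formed logon event, or None for anything else.

    Lines that do not match are skipped rather than raising, so one garbled
    record cannot stop the analysis of a large log set.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def admin_failure_counts(lines, window=timedelta(hours=1), admin_accounts=ADMIN_ACCOUNTS):
    """Count LOGON_FAILURE events against admin accounts per source address.

    Only events inside `window` ending at the newest event in the data are
    counted, so an old burst does not keep tripping alerts for ever.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return Counter()
    newest = max(e["ts"] for e in events)
    start = newest - window
    counts = Counter()
    for e in events:
        if e["event"] != "LOGON_FAILURE" or e["user"] not in admin_accounts:
            continue
        if not (start <= e["ts"] <= newest):
            continue
        counts[e["src"]] += 1
    return counts


def find_suspect_sources(lines, window=timedelta(hours=1), threshold=50):
    """Return {source address: failure count} for sources at or above threshold."""
    return {src: n for src, n in admin_failure_counts(lines, window).items() if n >= threshold}


def build_sample_logs():
    """Constructed sample data for the example; not real log records."""
    base = datetime(2009, 3, 2, 8, 0, 0)
    lines = [
        # A user mistyping a password once, then logging in: no concern.
        f"{(base + timedelta(seconds=5)).isoformat()} dc01 LOGON_FAILURE user=jsmith src=10.1.4.22",
        f"{(base + timedelta(seconds=9)).isoformat()} dc01 LOGON_SUCCESS user=jsmith src=10.1.4.22",
        # An admin fat-fingering the admin password twice: below threshold.
        f"{(base + timedelta(minutes=3)).isoformat()} dc01 LOGON_FAILURE user=Administrator src=10.1.4.23",
        f"{(base + timedelta(minutes=4)).isoformat()} dc01 LOGON_FAILURE user=Administrator src=10.1.4.23",
        # A malformed record that the parser must skip.
        "this line is not a logon event and must be ignored",
    ]
    # The "infected" workstation: a steady stream of admin failures, one every 10 s.
    for i in range(200):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} dc01 LOGON_FAILURE user=Administrator src=10.1.9.77")
    # An old burst two days earlier, outside the window: must not be counted.
    for i in range(80):
        ts = base - timedelta(days=2) + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} dc01 LOGON_FAILURE user=Administrator src=10.1.9.88")
    return lines


if __name__ == "__main__":
    for src, n in find_suspect_sources(build_sample_logs()).items():
        print(f"ALERT: {n} failed administrator logons from {src} within the last hour")
```

On the sample data only 10.1.9.77 is flagged: the two failures from 10.1.4.23 stay below the threshold and the burst from 10.1.9.88 falls outside the window. The point of the window is worth keeping in a real deployment too: a brute-force attempt is defined by its rate, not its lifetime total, so count per source per interval rather than per source overall.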

Key staff across the company have IT privileges for a reason. Problem incidents are rare, but it is the organisations with a clear view of who is doing what to their network and information assets, and when, that cope best when one does occur.

Ross Brewer is EMEA vice president and managing director at LogRhythm