Unfortunately, one of the many concerns keeping IT and Security management up at night is wondering how a disgruntled system administrator (either current or former) may act maliciously. For Administrators to be able to perform their jobs, they need the proverbial "keys" to the kingdom; however, the required administrative permissions also give them the power to perform incredibly destructive actions upon an organization's servers and sensitive data.
As an Application Security Practitioner and Trainer, protecting sensitive data and functionality from a malicious administrator is a common concern for myself and the software developers and testers that attend my courses. In fact, I am frequently asked my thoughts about this topic. Given the recent headline about an administrator found guilty of planting malicious software on a former employer's servers, I took off my software security hat and stepped into the role of an Information/IT Security Manager to give a more thorough answer to that question.
What Can You Do to Discourage Malicious Activity?
Preventing an administrator from performing malicious actions is probably not possible if they have "enough" motivation. However, there are many techniques organizations can use to implement a checks and balances system that makes it harder for the system administrator to cause widespread damage and ideally think twice before they risk the potential wrath of law enforcement. These include:
1. Logging of Events
One of the most important, yet often under utilized security controls, is the logging of events. To mitigate the risk of a malicious administrator performing a destructive action, it's imperative to log all administrative actions that occur within an application, database, or operating system. These log events should contain the time and location details of the administrative event for forensics purposes. However, if the log files are accessible to the malicious administrator, it will be easy for them to hide their actions. So log files also need to be stored securely on a server where that administrator does not have access.
2. Auditing Log Files
Logging all of the actions of system administrators is paramount, but if the log files are not audited on a regular schedule, malicious activities could remain unnoticed for a considerable amount of time. While auditing logs "by hand" could take an enormous amount of time and effort, there are tools such as Splunk that will monitor and analyze log information for malicious external and internal activities.
Log files contain incredibly useful information, but they need to be audited so that an organization can proactively defend its sensitive data instead of being reactive once a malicious action occurs.
3. Separation of Duties
To ensure that administrators do not have access to log files, another layer of defense is the separation of duties. If one engineer has admin level access to every server, the potential for abuse is high. By separating the admin duties amon multiple administrators, it is more difficult for one administrator to be destructive and be able to hide their activity.
4. Detailed Termination Policy
A defensive termination policy would include language such as "before an administrator leaves the organization, their access to all servers must be removed." This requires a password change on all administrative accounts the individual had the permission to access. Removing access to servers and sensitive data needs to be a policy before any technical users leave an organization, but it is an absolute must for administrators.
5. Thorough Background Checks
While highly qualified system administrators are desired by organizations, the Human Resources department needs to perform a thorough background check on any employee that will be given high level of access to an organization's sensitive data and proprietary information. Requiring a candidate for an open system administrative role to provide references and then checking those references is recommended. This step may not always be possible if a candidate’s previous employers have a policy of not commenting on past job performance. But a criminal background check is a must for any candidate of a system administrator position!
Thankfully, most system administrators don't abuse their powers, but when they do, it's headline making material. Following these and other best practices might just be enough to deter a disgruntled administrator from performing malicious activities.