System administrators possess the "keys to the kingdom" -- your company's IT infrastructure. As trusted insiders go, sysadmins are among the most trusted -- and the most inside. They have comprehensive knowledge of your network layout, applications and -- perhaps most worrisome -- your logging and auditing structure.
Consider the case of Roger Duronio, a former sysadmin at UBS Paine Webber, who was unhappy with his salary. In February 2002, prosecutors charge, he planted logic bombs on more than 1,000 of the financial institution's computers in 370 branch offices, then quit. Ten days later, the payloads deleted vital corporate files.
Not every incident involves an outright attack. Invasion of privacy, whether at random or in a concerted campaign, can open your organization up to legal liability that could cost just as much as an actual attack.
You can take several steps to reduce the risk:
- Limit administrative access. Your e-mail admin shouldn't have root access to the database servers. Don't grant domain administrator access when local or departmental administrative privileges are sufficient.
- Audit admins' actions. Auditing allows you to investigate any cases of abuse of administrative privilege. It's not automatic -- if your admins log in as root, for example, you'll be hard-pressed to determine who logged in at any given time, or what they did. So, don't give the superuser password to all of your admins. Instead, use a Unix tool like "Sudo" or Symark's PowerBroker to allow them to run individual commands with system privileges. To guard against tampering with the audit trail, make sure the logs are immediately stored on a different system, preferably one to which few administrators have access.
- Get chummy with your admins. As you get to know them, you'll have a better idea when they're nervous, upset or generally acting strangely. You may also pick up important clues about outside pressures on their lives, such as divorces, addictions or financial concerns, which could lead them to take malicious action. As a positive benefit, they'll be more likely to come to you with those annoying little inconsistencies that may indicate impending incidents.
- Periodically rotate jobs. Not only will it keep your admins fresh with new challenges, it prevents a single admin from perpetrating a continuing pattern of abuse. And the next administrator in the rotation is more likely to notice something amiss. If this isn't practical, vacation replacements should have plenty of time to notice if things don't look quite right.
- Use role-based access control (RBAC). With this type of system, you don't need to assign superuser privileges at all. Instead, you define individual functions to carve out several roles. You can assign privileges to specific roles, and then map specific individuals into them. This is similar, for example, to adding an employee to the Windows "backup operator" group. Users with the backup operator role are accorded special permissions, such as the ability to use a backup tool to read any file on the system. However, it doesn't give them the ability to read any file in, say, a text editor. And it certainly doesn't allow them to copy or modify the files. RBAC systems are the ultimate expression of the principle of least privilege. Though they can be tricky to design and implement, they really pay off.