Enterprise Smarts

Password Protection: Who Holds the Keys?

By Kim Boatman

A recent standoff in San Francisco between a suspended systems administrator and the city sent a tremor through the ranks of public and private CIOs. The administrator -- who faces several criminal charges -- refused to turn over the passwords to the city’s network. He had set up so-called “God” passwords that only he knew.

“We all kind of said, ‘Whoa, that would be a concern,’” says Tom Jarrett, CIO for the state of Delaware.

The standoff highlighted the increasing vulnerability of organizations to malicious insider activity, says Larry Ponemon, a researcher whose nonprofit Ponemon Institute studies security threats and privacy management practices.

“Over time, we’re starting to see more security and privacy incidents that occur because of a disgruntled or malicious employee,” says Ponemon. “It’s not about negligence. It’s about people who are angry at their employers and, because of their privilege in the system, can do a tremendous amount of damage.”

If checks on key IT employees aren’t in place, organizations can be vulnerable to “parting volley” vandalism, misappropriation of funds, loss of proprietary information or embarrassing data breaches. In extreme instances, key employees, who know the ins and outs of the databases and networks better than anyone else, may be able to bring an entity the size of the city of San Francisco to its knees. However, there are critical steps CIOs and other IT executives can take to reduce their organizations’ exposure, say experts.

Here’s a checklist:

  • Conduct criminal background checks. While it isn’t always easy to predict malicious insider activity, it makes sense to have a good understanding of an employee’s background. If an employee has a criminal history, it might predispose him or her to engage in compromising activity again, says Ponemon. “People who are vetted for these jobs may not be vetted for integrity issues,” he says. It turned out that the former San Francisco IT administrator had a criminal past.

    “We do background checks and criminal checks,” says Delaware’s Jarrett. “We have people sign nondisclosure statements. We are now working with our Office of Management and Budget to require anybody who works in IT in the state to have a background check and criminal check.”

    It’s also a good idea to set up a notification system that offers alerts when an employee has been arrested, says Jarrett.
  • Conduct credit checks. While money isn’t the primary motivating factor in many cases involving misuse or abuse of IT systems, it plays a role in enough situations to merit a consideration of employees’ financial status.

    “A number of states conduct criminal background checks. We’ve suggested they also do credit checks,” says Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). “People with credit problems are more likely to be predisposed to commit criminal acts. This is not supposition. We’ve seen this.”

    Robinson cites the case of a state IT employee who redirected funds to her own account after her daughter’s wedding costs skyrocketed beyond her budget. Of course, fully vetting employees also raises issues about whether they feel their privacy is being invaded.
  • Recognize red-flag events. IT management involves far more than just technology. Managing security threats means having a handle on what’s going on in employees’ outside lives as well, say experts.

    “Is it driving those of us who are IT managers to become psychologists?” asks Jarrett. “It’s to have a sense of what is impacting your employees.”

    Red-flag events such as divorces, breakups, bankruptcies, poor performance reviews or even disappointment over an inadequate pay raise could cause an employee to snap.

    “For me personally, it comes down to being engaged with your department and your people, having a very good place to work, and creating a good work environment,” says Jarrett.
  • Segregate responsibilities. After years spent creating a culture that values IT security, it may go against the grain for some organizations to make sure that the “keys to the kingdom” aren’t held by just one or two people, says Ponemon.

    “In some organizations, the idea of ‘the fewer the people, the better’ is a great security feature,” he says. “But you want to be able to balance limited access with being able to have some checks and balances, so you’re monitoring these people.” 

    Not consolidating access -- and power -- in just one position makes sense, says Robinson.

    “No. 1 is to enforce separation of duties,” he says. “You don’t have one employee who has the keys to the kingdom. There are a lot of organizations that have stated policies. The problem is they don’t enforce them.”
  • Monitor IT activity. Using tools that monitor an employee’s IT activities is critical, say experts. Government entities need to make sure someone is actually reviewing event logs, says Robinson. Tools also can alert senior management when someone has entered an unusual space or accessed an unauthorized area, says Ponemon. It’s important to keep those tools current, since IT-savvy employees can mask their activity; for the same reason, the logs and alerting systems should be administered and reviewed by someone other than the privileged users they watch.
  • Terminate with toughness. The image of a burly security guard standing watch as a terminated employee clears his or her desk has become a symbol for cold, uncaring employers. But IT professionals simply can’t risk sentimentality when it comes to letting employees go.

    “Plenty of employees put ‘Easter eggs’ in programs on their way out the door,” says Robinson. “If you’re going to terminate, disable all privileges beforehand.”

    In Delaware, says Jarrett, employees are taken off the system, with their access removed immediately, when they are fired.
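One concrete way to apply the “segregate responsibilities” advice to the problem in the headline, a single “God” password that only one administrator knows, is to split a break-glass credential with Shamir secret sharing, so that no one custodian holds it and any k of n custodians together can reconstruct it. The following is an added example written for this page; it is not code from the city of San Francisco, the state of Delaware, NASCIO or any vendor. It uses only the Python standard library, and the share count, threshold and password are constructed placeholders.

```python
# Added example for this page (not the article's or any vendor's code):
# split a break-glass password among n custodians with Shamir secret
# sharing over GF(p), so no one person holds the "keys to the kingdom"
# and any k custodians can reconstruct it. Standard library only.
import secrets

# Field prime: 2**521 - 1 (a Mersenne prime). Any secret of up to 65 bytes
# is smaller than this, so it can be encoded as one field element.
PRIME = (1 << 521) - 1
MAX_SECRET_LEN = 65


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients low degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, n: int, k: int):
    """Return n shares (x, y). Any k distinct shares reconstruct `secret`;
    fewer than k reveal nothing about it (every value is equally likely)."""
    if not 1 < k <= n < PRIME:
        raise ValueError("need 1 < k <= n")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret longer than %d bytes" % MAX_SECRET_LEN)
    s = int.from_bytes(secret, "big")
    # Degree k-1 polynomial: constant term is the secret, the rest random.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 and decode the secret.
    `secret_len` is the original byte length (not secret; store it with
    the shares). Passing fewer than k shares yields garbage, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular division via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")


def demo() -> bool:
    """Constructed scenario: a 3-of-5 split of a placeholder break-glass password."""
    password = b"placeholder-break-glass-password"  # constructed, not real
    shares = split_secret(password, n=5, k=3)
    # Custodians 1, 3 and 5 meet; 2 and 4 are unavailable.
    quorum = [shares[0], shares[2], shares[4]]
    return combine_shares(quorum, len(password)) == password


if __name__ == "__main__":
    print("3-of-5 reconstruction:", "ok" if demo() else "FAILED")
```

In practice each share goes to a different custodian over a separate channel (and ideally into a hardware token or sealed envelope), the threshold is set so that no single team can reach it alone, and the password is rotated and re-split after every break-glass use. The secret's byte length is stored alongside the shares; it is not sensitive, but without it the reconstructed integer cannot be decoded.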

Mitigating the risks involved in handing the “keys to the kingdom” to a few employees is critical, says Jarrett. But in the end, there is a certain amount of trust involved.

“You’ve put trust and faith into key employees who are doing this work, and there’s almost no real way to negate it,” he says. “In our case, there are certain steps we try to take to keep the possibility down to an absolute minimum.”

 

Kim Boatman is a freelance business journalist in Silicon Valley, Calif. She spent more than 15 years reporting for the San Jose Mercury News.
