One year after former network administrator Terry Childs made national headlines for locking up access to a crucial San Francisco city network, the issue of how to protect corporate systems against the very people who manage and administer them remains as thorny as ever.
Just yesterday, Lesmany Nunez, a former computer support technician at Quantum Technology Partners (QTP) in Miami, was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. Nunez also changed the passwords of all the IT systems administrators at the company and deleted certain files that would have made data restoration from backup tapes easier. His actions resulted in more than $30,000 in damages to QTP.
Numerous similar cases, including ones involving Fannie Mae and Pacific Energy Resources Ltd. have been reported over the past few months, each one causing considerable damage and disruption to the companies involved.
Childs is awaiting trial after being jailed last July on a $5 million bond for resetting administrative passwords to switches and routers on San Francisco's FibreWAN network, and later refusing to divulge the new passwords thereby locking up the network.
Such sabotage can be extremely difficult to stop because it involves users with legitimate administrative access to critical systems. But contributing to the problem is the continuing failure by many companies to adequately manage the numerous user accounts and passwords that control privileged access to critical corporate networks and systems.
Although the issue is well recognized by security experts, far too many companies continue to overlook it, said Sarah Cortes, an analyst with Inman TechnologyIT. The threat is "highly underestimated," Cortes said.
"It's not a sexy issue, but it's a fundamental security issue," said Cortes, a former tech executive at several financial services companies.
Large companies can have thousands of account names and passwords that provide root access to applications, databases, networks and operating systems. While not all of them are critical to the enterprise, there are numerous accounts that if abused can cause serious disruptions enterprise wide.
Some companies can have anywhere between 10 and 70 people with root-level access to such critical systems, Cortes said. These could be staff who require access for system or database maintenance purposes, for patching or upgrading applications, and other valid reasons. The number of people with such access is usually far greater than managers might know about or track, Cortes said.
The situation is worse in environments with older legacy systems that are no longer being actively supported but need to be maintained all the same. There can be numerous individuals in such situations who have been provided emergency, or temporary, root-access to a system in response to a specific need, but whose access is then never later revoked, she said.
Many companies today do not have adequate termination controls for quickly removing access rights when a person leaves a company.