
Administrators Access Control - Coursework Example

Summary
The writer of the paper “Administrators Access Control” states that the privileges and rights bestowed upon the administrators raise concerns based on their ability to access any information within the organization’s network system. This results in a threat to the organization’s mandate…

Do Administrators Need Access Control?

Introduction

Organizations consider people their most important asset because of their flexibility and ability to spearhead development within the organization. However, this asset can impact the organization negatively when individuals overstep what is expected of them. Administrators are an important facet of the organization; they enjoy a number of privileges, including access to the organization’s information. This access can bring a number of beneficial effects or can compromise the systems within the organization. Given these propositions, the issue of access control for administrators has been contentious in the recent past (CXOToday, 2010). Weighing both sides of the coin, the question arises: ‘should access control by administrators be limited?’

Access to Information

It is the right of every member of the organization to freely access information that is in the public domain or that is specifically released for consumption by employees. This is not always the case; at times administrators are exposed to all manner of information about the organization. This puts organizational information at risk of being shared by unethical administrators. Besides, such an administrator can opt to conspire with other parties, hence exposing the company or its information. Lack of proper information management emanates from poor control of administrative privileges, which results in increased vulnerability of an organization to malware exploits as well as unauthorized software access. According to a survey by Infosecurity Europe (2013), many organizations give employees leeway to access information without restrictions. In this regard, they overlook the fact that some malicious employees can opt to misuse their administrative privileges. On the flip side, accidental misuse of the privileges is equally likely.

As reported by Avecto CEO Mark Austin, administrators do not necessarily have to be malicious to expose the organization’s information; accidents do occur. Additionally, employees pose a threat to organizational information by installing software that is potentially risky to company information (Hurley, 2013). The concern over hacking and other outside invasions of the organization’s information underrates the power of attacks from within. Increased cybercrime has been at the center of attention over the years since the development of modern computer technologies. Organizations have put huge amounts of money into combating data infringement by outside forces. However, going by a survey by Cyber-Ark, the enemy of organizational information lies within. One third of the IT professionals interviewed during the survey confessed that they had overstepped their mandate on several occasions to access information that was not necessarily relevant to their roles (Weinschenk, 2008).

Every organization guards its information because it provides a basis for its existence. A profit-making organization would endeavor to keep its information secret in order to strategize and develop mechanisms for competitive advantage. Giving much power to administrators brings the temptation of using the information accessed for self-gain (Bosnian, 2009). Administrators are among the most powerful and privileged individuals in many organizations based on their ability to check on organizational systems. In essence, they are able to access the data therein. In most of these organizations, management has relied on trust to have administrators monitor and manage organizational information. However, since trust is not a lasting and binding policy, infringement is likely. Therefore, organizations are moving away from trust and developing systems where administrators’ rights are controlled.

Security Concerns

Security is a vital facet of the healthy running of an organization. Information technologies have been developed to streamline operations in an organization and to ensure that individuals outside the organization do not gain access to organizational information. Most of the interventions developed by organizations promote efforts to keep their systems secure from outsiders. However, the reality of malicious insiders has been emphasized by the latest developments. According to a 2010 Cybersecurity Watch Survey by Chief Security Officer Magazine, individuals within an organization contribute up to 23% of criminal activities, which emanate from the unauthorized use of information, systems, and networks. Out of the several cases reported for insider crimes, administrators ranked highly among the perpetrators (Computer Vulnerabilities, 2010). Security breaches through information technology systems are the most rampant. IT administrators manage and control the information of the organization. Since they have the prowess to manipulate the systems, they can easily alter the information to their benefit. According to Shaw and Fischer (2005), administrative duties accorded to IT staff predispose the organization to malicious attacks by viruses and worms, generation of spam email, financial fraud, and unauthorized access to information, networks, and systems. By so doing, the security of the organizational data is compromised greatly. Other notable criminal issues include theft of personal information, defacement of the website, sabotage, and theft of intellectual property.

Computer security can be infringed knowingly and sometimes unknowingly. Any access to a system that has restricted access compromises the security of the protected information. In some cases, administrators can overstep their mandate and use their privilege to alter information so that it benefits them.

In other cases, administrators can destroy, modify, or manipulate information in a manner that puts the organization at risk. There are cases of administrators colluding with outsiders to compromise the systems so that the organization stands to lose.

The Need for Access Control

Power is arguably corrupting, especially when it is not checked through stringent mechanisms. The same is the case for administrators who get the privilege of accessing any organizational information (Bosnian, 2009). Administrators are strategically positioned in an organization to access all the information that relates to the organization. Access control is necessitated by the perception that not all administrators are capable of working within the confines of what is expected of them. Some go ahead and access information that they are not allowed to. While this is a breach of good work ethics, it is difficult to identify whether the administrator accessed the data or not. When organizational data gets into the wrong hands, the organization’s reputation is put in jeopardy. Some organizations have raised concerns over the rights and privileges of administrators, while others view it as unattainable to limit administrators’ access to information. According to Chief Security Officer Magazine in a 2010 Cybersecurity Watch Survey, the misuse of the power bestowed upon administrators contributed 22% of the criminal activities. On the other hand, unauthorized access to information contributed 25% of the total crimes committed (Carnegie Mellon University, 2010). In many organizations, there are no proper guidelines on access control. This leaves administrators free to interact with information at their disposal despite some of it being of no use to them.

A survey by Infosecurity Europe of 500 highly ranked IT professionals, released by Avecto in 2013, indicated that up to 30% of organizations lack clear policies that guide the extent to which an administrator should access the available company information. In the same study, 31% of the respondents confirmed that introduction of unauthorized content and applications was evident in their organizations (Hurley, 2013). According to Eubanks (2011), the solution lies in the creation of elevated accounts that have limited access. The conditions for access to the account should be set in order to reduce the vulnerability of critical information in the organization. Among the cases of breach of access to information, administrators were found to be the most involved, especially those with administrative rights and privileges to access any database (Howarth, 2014). Lack of control of information in an organization can ruin its reputation or cause its collapse. Aggrieved, disappointed, or malicious administrators can cause network infections, which can contribute immensely to loss of data or corruption. This can be achieved using programs that are not allowed in the system. The result is that new data may be introduced, and there could be leakage of data to other networks and other issues that may present a crisis to the organization both internally and from outsiders (Info Security Magazine, 2013). Therefore, organizations should be aware of the potential risks of exposure that administrators pose to sensitive information.

Cases of Abuse of Administrative Rights and Privileges

Some organizations across the world have experienced the detrimental effects of the privileges and rights bestowed on administrators. This problem has necessitated the development of IT technologies that check on the administrator’s right of access.

One notable, award-winning technology is Avecto’s Privilege Guard, which has been applauded for its ability to manage information such that access is limited. This intervention was made possible through the realization of the underlying problem of administrators going overboard in accessing information.

In 2009, an IT contractor was indicted on charges that he maliciously sabotaged a computer system because the company did not consider giving him a permanent job. The computer system belonging to Pacific Energy Resources was developed by the 28-year-old Mario Azar, who later decided to interfere with the functioning of the system upon realizing that his contract was elapsing (Vijayan, 2009). This scenario presents issues that organizations confront in dealing with rogue administrators.

In another related incident, engineers at Fannie Mae in 2008 intercepted a ‘logic bomb’ that had been planted by a contractor. The contractor, Rajendrasinh Babubhai Makwana, allegedly planted the logic bomb while developing systems at the government-sponsored mortgage lender in 2008. The logic bomb would have caused a complete shutdown of all the 4,000 servers at Fannie Mae. This would have resulted in huge damage worth millions of dollars besides shutting down operations for not less than a week. However, the early discovery made it possible to avoid the looming crisis. A case was opened against the 35-year-old Makwana in Maryland District Court for unauthorized access to the system and malicious intent (Hodgin, 2009).

Another incident related to the privilege of access was that of Washington D.C.’s Chief Security Officer, Mr. Yusuf Acar, who is currently jailed for devising a bribery scheme through his ability to conveniently access information. He had privileges to administer all the accounts, and he ended up developing backdoor dealings for his personal benefit.

This case presents the view that misuse of administrative privileges has affected both the public and private sectors. Mr. Yusuf, who also served as the information systems security officer, was busted by FBI officials, who confirmed the alleged involvement; this resulted in his arrest and subsequent prosecution (Reese, 2009).

In 2008, Terry Childs, an IT worker, was charged with interfering with San Francisco’s IT system. Terry, who served as the administrator, used his administrative privileges to alter the entire system, resulting in a halt in operations in the entire San Francisco. The malicious deed caused huge loss and inconvenience, which made the entire IT system stop functioning. The system was locked out of the main computer system for nearly 12 days in the 2008 incident. Recognizing the magnitude of the deed, the judge ordered Terry to pay $1.5 million in restitution (Government Technology, 2010).

Significance of Change

Based on the issues faced by organizations in managing administrators’ access, change seems inevitable. A system for monitoring and evaluating administrators’ access is a necessity. The case of Microsoft is a success story of the implementation of control systems for administrators. Microsoft developed a system that limited administrative access as well as providing monitoring and evaluation systems. In their 2008 report, the company applauded the installation of the Least Privilege, which lessened the rights and privileges of the administrators. According to Higgins (2014), the company was able to reduce incidences of Microsoft security vulnerabilities by up to 92%, while Internet Explorer vulnerabilities were reduced by 89%. On the other hand, there was a significant reduction in Windows vulnerabilities of 53%. This indicates that the administrative breach that has been associated with access can be tamed through access control.

However, despite the development of these interventions, it is important to consider that administrators have the capacity and prowess to manipulate the systems, and therefore the technical controls should be regularly evaluated to ensure they are effective (Howarth, 2014). On the other hand, administrators can be empowered by the organization to perform monitoring duties, but guided by an access policy.

Developing Access Control Interventions

Given the problems experienced through breaches of administrative access, organizations have become cautious. In this regard, interventions are being put in place to ensure administrative control mechanisms are developed. The development of privileged identities is one of the interventions. In this case, the information is protected not only against the end user but also against other users within the chain of information. When developing a given project, it is important that the privilege of access be addressed in order to ensure privileges are not violated. It is also important that all the privileged accounts are known and that the individuals responsible for them are known. Potential infringement should also be addressed before the powers to access an account are given. In this regard, the applications, key systems and the databases as well as the privileged accounts, which occurs in each of the information sources. The individual being given administrative rights should be well known by management and should be a person who has demonstrated integrity and honesty (Bosnian, 2009). Otherwise, privileges and rights of access should be limited for every other person in the organization. Regular auditing of the accounts is an intervention that would ensure that all the individuals who have access to privileged accounts are tracked. It has also been recommended that policies be developed to ensure a systematic approach to access of information from privileged accounts.

Some of the policies can touch on regular adjustments of the system such as changes in password, time-based access, and dual control. It is also paramount to automate some of the processes associated with privileged accounts; this should also be done continuously. Finally, monitoring and evaluation is key to combating any compromises in the implementation of the policies developed to limit access (Bosnian, 2009). This ensures that the accounts are followed up so that users confine themselves to the stipulated business needs.

Conclusion

Technological changes continue to provide new challenges to organizations from time to time. The privileges and rights bestowed upon administrators raise concerns based on their ability to access any information within the organization’s network system. This access can be detrimental in instances where the privileges are used for malicious intent and personal gain. This results in a threat to the organization’s mandate, ruin of its reputation, or a complete shutdown. Organizations are realizing the implications of access control, and some have gone ahead to develop systems to limit the rights while others continue to rely on trust in their administrators. Learning from the success case of Microsoft, it is paramount that access control systems be developed by organizations.

References

Bosnian, A. (April 6, 2009). Inside threat: The power of privilege. SC Magazine. Retrieved from http://www.scmagazine.com/inside-threat-the –power-of-privilege/article/130204/

Carnegie Mellon University. (2010). 2010 Cybersecurity Watch Survey: Cybercrime Increasing Faster Than Some Company Defenses. Retrieved from http://www.sei.cmu.edu/news/article.cfm?assetid=53452&article=025&year=2010#

CXOtoday Staff. (2010). Top Threats ’09 – Abuse of system access/privileges. Retrieved from http://www.cxotoday.com/story/top-threars09-abuse-of-system-accessprivileges/

Eubanks, R. (2011). Control 8: Controlled Use of Administrative Privileges. Retrieved from http://www.securityeverafter.com/2011/08/control-8-controlled-use-of.html

Government Technology. (2010). Former San Francisco network admin Terry Childs gets prison time. Retrieved from http://www.govtech.com/security/Former-San-Francisco-Network-Admin-Terry.html

Higgins, K. (2009). Report: Yanking admin rights alleviates threats in 92% of critical Microsoft vulnerabilities. Retrieved from http://www.darkreading.com/vulnerabilities---threats/report-yanking-admin-rights-alleviates-threats-in-92--of-critical-microsoft-vulnerabilities/d/d-id/1130302?

Hodgin, R. C. (2009). Insider plot to take down Fannie Mae’s servers thwarted. Retrieved from http://www.tgdaily.com/business/41262-insider-plot-to-take-down-fannie-maes-servers-thwarted

Howarth, F. (2014). Controlling Administrative Privileges. Faulkner Information Services. Retrieved from www.faulkner.com.ezproxy2.apus.edu/products/securitymanagement

Hurley, S. (2013). 80% of IT Security Professionals say their greatest threats are from Rogue Employees, Malware Exploits or Unauthorized Software. Avecto. Retrieved from http://www.avecto.com/news-events/press-releases/80-of-it-security-professionals-say-their-greatest-threats-are-from-rogue-employees,-malware-exploits-or-unauthorized-software/

Info Security Magazine. (2013). Unchecked Admin Rights a Top Threat to Enterprises. Retrieved from http://www.inforsecurity-magazine.com/view/32864/unchecked-admin-rights-a-top-threat-to-enterprises/

Reese, B. (2009). Cisco CCNA- Yusuf Acar busted by FBI as perp in Federal bribery sting. Retrieved from http://www.networkworld.com/article/2234856/cisco-subnet/cisco-ccna---yusuf-acar-busted-by-fbi-as-perp-in-federal-bribery-sting.html

Shaw, E. D. & Fischer, L. F. (2005). "Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders." Monterey, CA: Defense Personnel Security Research Center.

Vijayan, J. (2009). IT contractor indicted for sabotaging offshore rig management system. Computerworld. Retrieved from http://www.computerworld.com/s/article/9129933/IT_contractor_indicted_for_sabotaging_offshore_rig_management_system_

Weinschenk, C. (2008). The dangers of unchecked administrative privileges. Retrieved from http://www.itbusinessedge.com/cm/community/features/interviews/blog/the-dangers-of-unchecked-administrative-privileges/?cs=23014