350 DBAs stare blankly when reminded super-users can pinch data

A password is for life, not just for Christmas

Enterprises are ripe picking grounds for would-be Ed Snowdens, according to a survey conducted by the Ponemon Institute for Raytheon that found hundreds of organisations did not have policies to limit the amount of sensitive data staff can access.

The survey of 700 techies found Snowdens-in-waiting were typically database administrators, network engineers, infosec bods and "cloud custodians", who were doled out access rights on an ad-hoc basis.

The real Ed Snowden abused his access rights as a system administrator and infrastructure analyst working for the National Security Agency to siphon off the now infamous slide decks that revealed extensive spy operations by Five Eyes agencies.

The report says staff can cause more damage to organisations than external attackers.

"Damage caused by privileged users is the most extensive, the hardest to mitigate and the hardest to detect as it is done by authorised users doing things they are authorised to do," the report (pdf) reads.

"They are often very technically savvy and have elevated access to systems making it easy for them to cover their tracks ... cases of fraud and theft by privileged users often go undetected and unsolved."

Raytheon said many felt empowered by their regal privilege rights and already abused their positions by tapping into "all the information they can view", including the most sensitive data held by their companies.

Most respondents said they needed sweeping access to do their jobs; the remaining 25 per cent said their companies either handed out privileged rights to everyone or failed to revoke access when it was no longer required.

Snowden clones would probably get away with stealing secrets. Raytheon said most respondents' organisations lacked the intel required to identify data stolen by insiders or were bamboozled by false positives that incorrectly flagged rampant data pillaging.

About a third of respondents said access right policies were well defined and controlled by IT.

In Australia, insider fraud cases were often a matter for the civil courts, which in some cases led to bills totalling hundreds of millions of dollars.

Organisations had been defrauded by staff stealing real estate client lists, patient health care records and corporate intellectual property. ®
