Security Survey Reveals Exiting Employees Have The Power

IT Savvy Employees Likely to Steal Company Data Before They Leave

NEWTON, MA – August 27, 2008 - Exercise extreme caution when it comes to dismissing employees with knowledge of your IT systems – that’s the stark warning from privileged identity management specialist company Cyber-Ark Software. Its annual survey around “Trust, Security & Passwords” focused on 300 IT security professionals and revealed that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them. The target information includes the CEO’s passwords, the customer database, R & D plans, financial reports, M & A plans, and most importantly the company’s list of privileged passwords. Only 12 percent revealed that they would plan to leave empty handed.

The privileged password list, in particular, provides the keys to unlock access to every piece of information that’s on the network. Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” says Udi Mokady – president and CEO of Cyber-Ark. “Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee’s contract is terminated, whether voluntary or not, they can’t maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain.”

Intellectual property and industrial espionage is a real problem
Interestingly, one third of companies revealed that they believe industrial espionage and data leakage is rife, with data being leaked out of their companies and going to their competitors or criminals, usually via powerful high gigabyte mobile devices such as USB sticks, iPods, Blackberry’s and laptops – or sent over email. A quarter of companies also admitted to suffering from internal sabotage and/or cases of IT security fraud happening in their workplace – which shows just how prevalent IT security breaches are within most companies.

Sloppy habits when exchanging Privileged and Sensitive Information
The survey shows that IT security is a very genuine problem for most companies, and additionally, those responsible for securing the systems are often very sloppy when it comes to basic “good housekeeping”. According to the survey IT administrators who are often responsible for security, don’t exchange or send information securely with 35 percent choosing to send sensitive or highly confidential information via email. Furthermore, 35 percent of those surveyed use couriers to transport sensitive data – a system only marginally safe when the information is backed up and encrypted. Astonishingly, four percent of the sample size actually uses the postal system to send sensitive information!

A third of the most powerful passwords are still being put on post-it notes!
In spite of the billions that are currently spent on security systems to make them safe and secure, it is very hard to instil good working practices even amongst the very people who are responsible for setting IT security standards in their own companies. One third of IT administrators surveyed admit to having written down privileged passwords on a post-it note.

A third of IT staff snoop at confidential data
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people’s personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.

“You can install the best security systems in the world, but if your staff does not respect the information they are entrusted with, then the information will most definitely go astray – just as the findings of this survey have illustrated,” added Mokady. “That’s why we recommend companies secure their privileged identities and sensitive information in a digital vault -only giving individuals access to the information they actually need, when they need it while also keeping a log of who has accessed what and when.”

For more information about this survey or to interview Cyber-Ark on their findings contact Kim Baker at 978-474-1900 or email cyber-ark@pancomm.com

About Cyber-Ark
Cyber-Ark® Software is a leading provider of Privileged Identity Management (PIM) solutions for securing privileged user accounts and highly-sensitive information across the enterprise. Long recognized as an industry innovator for its patented Vaulting Technology®, Cyber-Ark’s digital vault products include: The Enterprise Password Vault® for the secure management of administrative, application and privileged user passwords; the Inter-Business Vault®, a secure infrastructure for cross-enterprise data exchange of highly-sensitive information, and the Sensitive Document Vault™ for secure storage and management of highly-sensitive documents. Cyber-Ark’s Vaulting platform has been tested by ICSA Labs, an independent division of Cybertrust and the security industry’s central authority for research, intelligence, and certification testing of security products. Cyber-Ark’s award-winning technology is deployed by more than 400 global customers, including 100 of the world’s largest banks and financial institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com

Note: This survey was conducted at Infosecurity 2008- Europe’s largest IT security event

Source: Cyber Ark

Some college campuses are using an appliance to safeguard their networks

Every fall, Central Michigan University (CMU) faces the daunting challenge of hooking up over 7,000 new computers to its network in a matter of a few days. The main objective is to allow its incoming students, professors and staff to connect to the network quickly. However, the network administrators also must make sure that the laptops, desktops, iPods and gaming systems attempting to plug in to the university network meet security requirements first before being granted full access. With all these devices logging on, the risk of contamination to the network from viruses, spyware and non-compliant software present on the local devices is ever present.

Ryan Laus, associate network manager at CMU, says his team looked at solutions on and off for several years. “It was not a very big issue until Blaster and Nachi were released [August 2003] and networks everywhere were scrambling to try and get a handle on network security. Prior to this event, the quarantining of systems on campus was a manual process.”

As his team observed the networks of larger universities being crippled with these viruses, they quickly assembled a team of students armed with over 1,600 CDs containing all the latest Windows patches, a site licensed anti-virus application and spyware removal tools. That fall term they documented over 850 viruses infected systems. And, Laus says, these were just the really bad ones. “One associate network manager did nothing but enable and disable ports for over three months, and that didn’t count all the time spent by the other network managers and security administrators,” he says.

The team knew that this had to change and that started with system registration followed up with some form of system remediation. “We came across Bradford Network’s solution the following spring and it was just what we had been looking for,” says Laus.

Campus Manager requires each device to register before being allowed access to the network. This identity management function — which includes user owner information for each device, the ability to map the device and user to a physical location, and a log of the user’s and the device’s connection activity — provides the information necessary in isolating unwanted activity and adhering to regulations and policies. The solution allowed Laus’s team to very quickly associate a problem system with a specific user. What used to take them a few hours to do, they could now do in a matter of seconds.

“With the limited resources we have, it has allowed us to do a lot more with less. Because Campus Manager talks to all our residence hall switches, this gives us the ability to apply policies to users no matter where they connect.” For example, if he has to disable an infected machine and the user tries to move ports, Campus Manager will recognize this and take action on the client regardless of what port the user plugs into.

Joe Roth, network administrator, Binghamton University, agrees that it was the major outbreak of worms and exploits that really brought network security and end-user compliance to the forefront. It was time to begin to ensure that the machines brought into the network were clean and up to date before allowing them access to the network, he says.

“The basic thought process was that if we could bring them into the start of the semester clean and prepared to deal with a virus or worm outbreak, then maybe it would minimize the impact. Another benefit of the process was that our users were also receiving a certain amount of education in the endpoint security department. Having a user know what anti-virus software and patches are is crucial, and us checking for the presence of these types of things on their PC lets them know that it is important. It helps them take the initiative to keep their PC clean and up to date.”

Roth says that the Bradford Networks solution simplifies the idea of NAC on campus by providing a single point of interface for any web-based device, along with support for all three major operating systems and all major anti-virus vendors. In addition, he says the system remains vendor agnostic, so his team has no concerns about future support for any network equipment that they may deploy.

Granularity is the key
Jerry Skurla, vice president of marketing, Bradford Networks, Concord, N.H., says Campus Manager provides the granularity that a campus environment needs. The family of appliances was originally developed in 2002 and is now in its third generation of software.

“We help schools create a small website into which its users login via a VLAN. There’s a remediation process which verifies machine configuration. A dissolvable agent then does a check. Some schools require a permanent agent, which allows ongoing checks.”

The product’s distributed software architecture provides flexibility, he says. Bradford  Networks’ clients on college campuses can range anywhere from 100 students to 35,000.

“Campus Manager’s out-of-band capabilities protect existing infrastructure,” Skurla says. It is critical, he adds, that the solution works with equipment already on the network.

“One of the biggest reasons we chose Bradford was the fact that unlike Perfigo [now Cisco Clean Access], Bradford’s product was not an inline appliance,” says Laus. “Once a user was registered, the product essentially stepped out of the way and let the switches switch and the routers route. While we haven’t needed to do this, it is also something that can easily be turned off if problems start to occur without serious disruption to the users. I believe Cisco does make an out-of-band solution, but I don’t think it is as robust as Campus Manager or able to support as many vendors.”

Laus has high praise for Campus Manager’s Client Security Agent (CSA). “It has really cut down on the number of infected machines, and ensures that all machines that plug into the network meet a certain criteria.”

Campus Manager is also an integral part of many of the homegrown solutions that CMU has created, allowing, for example, the university to pull data directly from the Campus Manager database and tie it together with other data sources, such as SAP and SMS. “We present this data in our helpdesk portal, which is used by help desk operators, department techs and even end-users,” he says.

It is also an essential piece of the university’s network bandwidth quota system. “Our NBQS has allowed us to regulate internet bandwidth without shaping and application blocking. The end result of all of this is that we can offer the students 100 Mbps connections to their systems, not continually block peer-to-peer traffic, not have to worry about viruses spreading, and we have not received a copyright infringement complaint in well over three years. Without a system like Campus Manager as a core component, it would be difficult to do this.”

Josh Fedor (right), IT security project manager at Hofstra University, Hempstead, Long Island, adds that the student experience is enhanced through the use of the product as it gives them anti-virus and anti-spyware capabilities.

For the 13,000 students and over 1,200 faculty members spread out over its campus, the process of hooking up to the network is simple, says Fedor. When logging on, they must authenticate using their university ID. They then download a thin client that dissolves when it’s done scanning the registry for anti-virus, anti-spyware, firewalls, etc. The software then switches configurations on the machines, such as turning on the firewall and turning on Windows Updates.

“Student machines are very unpredictable. They’re using various operating systems and different devices. Campus Manager allows us to get to those machines and keep them up to date and protected.”

Campus Manager greatly improves the university’s security posture, he says. “It’s simple and straightforward. Everyone’s happy. It gives us a layered defense and control over the network.”

Source: SCMAgazine US