
88% of IT Admins Would Steal Passwords If Laid Off 448

narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
This discussion has been archived. No new comments can be posted.

  • a survey (Score:5, Insightful)

    by Joe the Lesser ( 533425 ) on Friday August 29, 2008 @03:42PM (#24799461) Homepage Journal

    Yea, and I'm training to be a cage fighter.

    More like 88% of IT Admins like to say they would steal CEO passwords if laid off, but something tells me when the time came to break the law they would let the opportunity slide.

  • by Colin Smith ( 2679 ) on Friday August 29, 2008 @03:43PM (#24799475)

    Let me guess...

     

  • by dthrall ( 894750 ) on Friday August 29, 2008 @03:45PM (#24799497)
    I'm actually surprised at this claim. It would be nice if they posted some additional info, like their sample size, etc. Sorry, I just seriously can't believe that 9 out of 10 people would maliciously act in this manner. Snooping over the network out of curiosity, I'll buy that one.
  • But... (Score:5, Insightful)

    by lucky130 ( 267588 ) on Friday August 29, 2008 @03:45PM (#24799499)

    How many of them are just saying that to sound cool?

  • Survey is Pants (Score:5, Insightful)

    by Fox_1 ( 128616 ) on Friday August 29, 2008 @03:46PM (#24799523)
    nothing to see here:

    "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords'"

    Making the IT folk out to be bogeymen is great business for security pros. I'm sure there are some idiots out there, but most IT people are normal honest people like anybody in any other profession. I don't buy that we are so far off the curve, 81% is bullcrap and makes me question everything about that company and its motivations and methods for the survey.

  • by dropadrop ( 1057046 ) on Friday August 29, 2008 @03:47PM (#24799543)
    My thoughts exactly...
  • by Arc the Daft ( 1340487 ) on Friday August 29, 2008 @03:47PM (#24799551)
    A firm selling data security products claims that people with access to sensitive information can't be trusted. News at 10.
  • Re:Not reasonable (Score:5, Insightful)

    by MagusSlurpy ( 592575 ) on Friday August 29, 2008 @03:48PM (#24799569) Homepage

    Sounds like an unreasonable estimate to me.

    I would be much more interested in the percentage that has already stored such information just in case such an eventuality occurred.

  • Let me guess (Score:5, Insightful)

    by Kjella ( 173770 ) on Friday August 29, 2008 @03:49PM (#24799581) Homepage

    ....you take a survey saying something like "Have you in your work had access to..." or "Have you known company information after leaving..." which you often have then tweak it into "IT admins spy on you and will steal your IP" in order to make FUD and sell your product? I think I know enough people in the IT business to tell that these numbers are horribly off.

  • Re:a survey (Score:5, Insightful)

    by BobMcD ( 601576 ) on Friday August 29, 2008 @03:49PM (#24799583)

    ...but something tells me when the time came to break the law they would let the opportunity slide.

    And they'd be wise to do so. Anyone who thinks that stealing such things once laid off is a bright idea just does not have a criminal mind.

    Think it through, fellas - what, exactly, do you plan to DO with this data?

    Do you intend on working in your field, ever again?

    How do you feel about seeing the inside of a federal prison??

    Seriously, lay off the power trip. It's just a fucking job. Don't screw up your ENTIRE life just because you have the password...

  • The other 22%... (Score:5, Insightful)

    by AioKits ( 1235070 ) on Friday August 29, 2008 @03:49PM (#24799591)
    It could be just me, but I honestly don't care enough about what other employees or coworkers are doing to bother sneaking about their crap. If it's anything like their desktops, I'm probably going to see hundreds of cute kitten photos, pictures of family and a bunch of music hidden under folders named things like, "NotMP3s".

    When I was an admin (short stint so I could pay bills, 3 years) I usually didn't give a rat's ass about what the users stored on their system unless it showed up in my virus scan reports or I was told to investigate someone due to "suspicious behavior". (BTW folks, before you get off on the 'evil spying on users' tangent for me, it was only twice and it was two girls working in tandem selling info to another company on how much certain people were paid.) I never could understand the whole "I have the power!" attitude some people showed when it came to passwords or how they'd screw the company if they were laid off. If I felt I was unfairly fired or downsized or funsized, whatever, that's what my lawyer is for (he works for cheap cause I fix his laptop, heh). Why complicate issues by fudging with the network access?

    Maybe I'm just too young to understand yet. Now if you'll excuse me, I have to play with my army men, we're planning an attack on the tan army on the coffee table and I gotta move equipment for em.
  • Re:Not reasonable (Score:3, Insightful)

    by lena_10326 ( 1100441 ) on Friday August 29, 2008 @03:54PM (#24799665) Homepage
    I think the reasons systems continue to work after a lay off (or firing) is that the last person laid off (or fired) would be the first suspect for criminal sabotage. IT people are usually of higher than average IQ... and it doesn't take a trained monkey to figure out you'd be the first to receive a knock at the door by a detective should entire databases or source code trees mysteriously disappear.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Friday August 29, 2008 @04:01PM (#24799827) Homepage Journal

    If I'm ever shown to the door, I would insist on my ability to operate on the system being terminated at that moment. I don't want VPN access. I don't want an email account. I don't want SSH keys. I sure don't want the boss's password. Why? Because I don't want to be accountable for anything that goes wrong afterward.

    Think about it, people. If the IDS catches you SSHing in a couple of weeks after you've left, then they have carte blanche to hold you responsible for whatever breaks, even if it's totally unrelated. Good luck convincing a jury that Oracle coincidentally just happened to explode an hour after you logged into your old workstation. Seriously, what good can possibly come from putting yourself in that situation?

  • Re:Not reasonable (Score:5, Insightful)

    by MightyMartian ( 840721 ) on Friday August 29, 2008 @04:04PM (#24799911) Journal

    A company hawking privacy management claims your IT department is filled with thieves and extortionists. Shocking, I tell you, shocking!!!!

  • Re:a survey (Score:5, Insightful)

    by ivanmarsh ( 634711 ) on Friday August 29, 2008 @04:06PM (#24799953)

    Uh... as the admin what need do I have for the CEO's password? I have more access to the network than he does.

    I'd have to agree this whole article sounds like BS to me.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Friday August 29, 2008 @04:11PM (#24800061) Homepage
    In related news, IT admins have done a survey of security firms and have found that 95% of them will provide you with useless and even harmful advice and services if it will make them any money.
  • by CFTM ( 513264 ) on Friday August 29, 2008 @04:11PM (#24800067)

    As a system admin who has access to ten years of email at an institutional finance firm, I can tell you that I have absolutely no desire to go through these records; sure there would be juicy tidbits about office relationships, hot stocks, who's getting what promotion etc but your integrity is way too valuable for any such tomfoolery. Moreover, my experience is that my coworkers have pretty much all been of like-mind. There's just no upside to doing any of the things listed in this article; it most certainly will not get your job back nor will it help you get another job and as has been said before it will get you put in jail.

    And, as was said earlier, it's so shocking to find a company that does security consulting say that the weakest link in your security chain is your people, I mean who would of thunk it? Oh wait, Michael Milken did way back in the 80's and I'm sure someone else did it before him...

  • Re:Not reasonable (Score:3, Insightful)

    by D'Sphitz ( 699604 ) on Friday August 29, 2008 @04:12PM (#24800095) Journal
    I agree, this doesn't seem right. Regardless of any moral or legal implications, I would just simply have no desire to steal business data or passwords or open backdoors for myself. I can't imagine that I'm in the minority, what use would it be?

    I can't believe 88% of those surveyed would steal data simply because they were laid off, presumably to turn to a life of crime that would likely pay less than just getting another IT job. We're not talking about janitors stealing trash liners here, IT Admins make a nice chunk of change and what we're talking about here could send them to prison, it just doesn't add up.
  • Re:Not reasonable (Score:5, Insightful)

    by Lobster Quadrille ( 965591 ) on Friday August 29, 2008 @04:17PM (#24800191)

    Yes, it's security through obscurity, and I'm as big a fan of Schneier as anybody, but that is still no reason to give out information.

    It's no secret that with enough knowledge of the system, any system can be hacked. That alone is reason to not make knowledge of the system public information.

    To some extent, security through obscurity is absolutely necessary.

  • Re:Strong morals? (Score:4, Insightful)

    by pla ( 258480 ) on Friday August 29, 2008 @04:28PM (#24800429) Journal
    What ever happened to sysadmins being known for having strong/good morals and ethics?

    And they do - Those morals and ethics just don't overlap 100% with "corporate policy" (or for that matter, "the law").

    And I don't mean that as a joke... IT pros have a rather unusual role in the history of humanity, in that without trying, we become aware of far more details of people's lives than they realize. Even priests in the confessional don't have the insight we do - People can lie to their priest. They can't lie about logfiles.

    People, as a whole, count as (by their own standards) hypocritical perverted criminals. They all (and I mean that deliberately as an unqualified universal quantifier) do things they would themselves describe as disgusting and/or reprehensible if asked in a neutral context. They all steal, they all lie, they all cheat, they all put #1 ahead of everything else unless pretending to do otherwise will result in a self-preferable outcome. And you expect those of us who know (rather than merely suspect) this to have a traditional world-view when it comes to right and wrong?

    I think the survey should have asked a slightly different question, to make it more meaningful... "Do you already have memorized enough info about the company to bring it to its knees if you decide they've really screwed you over"? And I'll bet you'd get a similarly high percentage answering "yes".
  • Re:Not reasonable (Score:5, Insightful)

    by torkus ( 1133985 ) on Friday August 29, 2008 @04:33PM (#24800531)

    To some extent, security through obscurity is absolutely necessary.

    Not if your systems are properly secured. Unless you consider obscurity keeping your actual password(s) secret :)

    Seriously though: most systems have some vulnerabilities and explaining the details will occasionally open the door for someone who knows more than you do. Yes, it's good to keep this information private. BUT, when designing a security system you need to work based on the assumption that an attacker knows the entire layout. Knows exactly what hardware, software, version, firmware, etc. you have exactly. Anything less is NOT a properly secured system.

    If a network is properly secured the person/group/department who designed it should not be able to gain unauthorized access

  • Re:Not a surprise. (Score:4, Insightful)

    by Paracelcus ( 151056 ) on Friday August 29, 2008 @05:02PM (#24801211) Journal

    Another reason to hire older admins, younger ones get bored easily and as a result commit more mischief, I remember the last few years I worked, it seemed that the younger people were always trying to find out how to bypass Squid to go look at porn sites, etc.

    It just made my job harder and more annoying. Short attention spans and an inability to function without continuous entertainment seems to be a common failing among millennials.

  • Re:Not reasonable (Score:3, Insightful)

    by mccabem ( 44513 ) on Friday August 29, 2008 @05:08PM (#24801307)

    I know you're just being funny, but to put a point on your post - you're still subject to the cleaning staff.

    Any idea what it takes to get hired on as a janitor? Not much I suspect.

    -Matt

  • by Sparr0 ( 451780 ) <sparr0@gmail.com> on Friday August 29, 2008 @05:20PM (#24801563) Homepage Journal

    If the company considers salary information "highly confidential", they have bigger problems than their IT staff.

  • lunch (Score:1, Insightful)

    by Anonymous Coward on Friday August 29, 2008 @05:23PM (#24801611)

    Heh, that is why you take them to lunch and give them "the news." All the while your other sysadmins are disabling their accounts and removing access to company resources...

  • Re:Not reasonable (Score:3, Insightful)

    by kabocox ( 199019 ) on Friday August 29, 2008 @05:27PM (#24801699)

    I am constantly amazed at how willing people are to tell you how to attack their own systems, particularly on Slashdot, where simply implying somebody is doing poorly will practically get you full description, network maps, and vulnerability reports.

    Similarly, I was talking to a friend in the Army the other day about IT security, and he told me that he didn't think I could attack his unit's systems, then went into a long discussion about what protections are in place. Out of curiosity, I decided to find out what I could learn. He only clammed up when I started probing for specifics about password policies on a particular device.

    People: please don't tell anybody about your IT configuration. At least not on a public forum like /. Admittedly, a lot of it is easy to find out other ways, but that's no reason to give that information out.

    I believe the Navy's heard about that for ages. They have a phrase, "loose lips sink ships," that applies very well in that case. Be honest, it's much harder to crack a system completely blind. If I tell you the IP, the exact OS, service patches and what apps that I have running on it, you should be able to easily determine how crackable that system is within minutes. If all you know is that I have a computer on the planet Earth somewhere turned off and not connected to the net, you've got many more problems cracking it.

  • Re:Not reasonable (Score:3, Insightful)

    by Antique Geekmeister ( 740220 ) on Friday August 29, 2008 @05:58PM (#24802359)

    In real life, including 'banking', there are often holes that are left because of business requirements and policy. These holes include not patching core servers to avoid instability, retaining legacy systems that are no longer supported but for which there is no budget to replace them, or using internal applications that are unencrypted but for which source code no longer exists or for which encrypting them would overload the server.

    I've seen all of these. I don't publish where they occur.

  • by nabsltd ( 1313397 ) on Friday August 29, 2008 @05:59PM (#24802373)

    And, of course, check every server for cron jobs...like the one that just exits if the last login time of "joeuser" was within the past day/week/month/whatever, but otherwise does very nasty stuff as root.

    Seriously, as others have said, treat them like you would want to be treated, and you won't have any problems, and might be able to continue to find people that want to work for your company.

  • Re:Not a surprise. (Score:5, Insightful)

    by Martin Blank ( 154261 ) on Friday August 29, 2008 @06:18PM (#24802727) Homepage Journal

    This is one of the things that I love about proxy firewalls. I have colleagues that try to run connections over port 80, and then get stopped because it's not HTTP. They come complain to me, and find a very unsympathetic ear.

    I am bothered by the poor ethics of those around me. They think nothing of talking in the aisles about which BitTorrent sites get them the best movies, or how they only watch screeners or play cracked games because only stupid people pay for entertainment. They get frustrated when they run into refusals when trying to get the discs or keys for Microsoft software for which they have no clear need, and try to talk me or the other two people who do have access to them into giving it to them. I tell them that if they need it cheaply that bad they should get a TechNet subscription. They usually just wander off at that point, or sometimes storm off, as if they were somehow entitled to it.

    I used to grab everything that I could off of various sites, pulling things down over Kazaa or eDonkey at the time, but I've left that in the past. I've got a job that pays well, and I know they're not underpaid.

    I think that ethics in IT have slid dramatically downhill, so that the norm seems to be that people don't want to get caught, rather than not wanting to break the ethics guidelines in the first place. I'm not sure what exactly to do about it, other than try to set a good example. But even then, I've heard some suggesting quietly to others that I'm just hiding my own sins (hint to those people: make sure I'm not in the cubicle next to you when you talk about me). I'm at a loss at that point.

  • by MerlynDavis ( 637066 ) on Friday August 29, 2008 @06:24PM (#24802859)
    There's still self-respect and honesty.

    You may stab me in the back, but I will still treat with you fairly, for my sake, not yours.

    But don't expect me to trust you again.

  • Re:Not reasonable (Score:1, Insightful)

    by Anonymous Coward on Friday August 29, 2008 @06:35PM (#24803015)

    maybe he was smart enough to know that they assumed all he was doing was looking at porn.

  • by IBitOBear ( 410965 ) on Friday August 29, 2008 @08:42PM (#24804567) Homepage Journal

    ... Is being missed.

    I was vindictively fired by a total idiot. I made sure that everyone I knew at the company knew the hows and whys of my dispute (including where I _was_ at fault). I also always start grooming my replacement the first day I take a job or can identify the best guy to replace me, because who wants to be stuck in the same job forever.

    In the days following my firing I took several opportunities to talk the guy who replaced me (my friend Dan) through how to lock me out of various machines and such.

    For almost eighteen months people at that job were forced to say "is a good thing (my name) made sure we had extra capacity laid in while the trench down the block was opened", or thing-x was purchased, or policy-y was in place.

    By the end of that eighteen months, the guy who had fired me had been shown to be the kind of person who he was, and he was invited to leave the company. (I was long gone and made no attempt to return.)

    If you have to "do something" to your company to make them feel the pain of your absence when you are gone, you weren't previously doing your job.

    Competence, and never looking back except to laugh, is the best revenge ever.

  • Re:Not a surprise. (Score:5, Insightful)

    by pete6677 ( 681676 ) on Friday August 29, 2008 @10:11PM (#24805307)

    In other words, now that you've had your fun you're going to go criticizing the young whippersnappers having theirs.

  • by xgolferx ( 1353931 ) on Friday August 29, 2008 @11:26PM (#24805937)
    stand behind your article. Bet if we look further the survey consisted of the same idiots at their local pub after a few too many pints...

    What a crock, who are these IT Admins working for? Are they right out of college? Did they read some BS hacking book off of Amazon? SO LAME, when did Slashdot become the National Enquirer?

    People get canned, people get laid off, if you don't want to have it happen to you, know more about the business than anyone else. Yes know more than just IT, be able to justify and defend IT objectives to the business folks. Yes those individuals that read some airline magazine or talk to their kid's friends and then think they know it all.

    Don't be afraid to point out the error of their ways, just make sure if it is the CEO or CFO that you give them an out. OR YOU WILL BE OUT...
  • Bullshit. (Score:2, Insightful)

    by choke ( 6831 ) on Saturday August 30, 2008 @11:09AM (#24810351) Homepage

    Having been in the field now for 20 years, I've met all manner of IT people, and interviewed thousands. Several of my interview questions were designed to try and test the interviewee's character and drew on hypothetical situations that I have been faced with in the IT field.

    I know that 88% of my coworkers, mentors and affiliates do not bother to violate the trust of the environments that I have worked in.

    This is FUD - intended to generate an environment of fear to motivate potential clients. It's destabilizing propaganda and dishonest.

    I take personal offense at this, being that this is my field and this encompasses most of the people I call my friends and have known and admired in my professional life.

    Considering the difficulties and often long hours of the job, it's a serious injury on top of insult to have some vendor-slash-consultant-slash-propagandist snake oil peddlers call us criminals too.

    I'll make a counter assertion. 88% of all consultants whose assessments determine if you need their services are lying assholes.

  • Re:a survey (Score:3, Insightful)

    by ahodgson ( 74077 ) on Saturday August 30, 2008 @11:58AM (#24810849)

    Because we don't go to their schools, date their daughters, or otherwise count as being human beings in their world.
