
Five types of rogue IT admins to guard against

Watch out for unscrupulous employees


You can't survive without them. They wield enormous power over your systems, networks and data, the very lifeblood of your organisation. Few people outside IT have any understanding of what they do, and fewer still exercise any oversight over their actions.

To be sure, the overwhelming majority of IT admins are honest, hard working and underappreciated. But when they go rogue, bad things happen. Organisations find themselves locked out of their own networks. Customer data files inexplicably vanish. Companies scan their networks and discover somebody's running a porn site from inside their data center. Trade secrets get destroyed or stolen and employees get the creepy feeling somebody is watching everything they do. Sometimes they're right.

Those are just the cases you hear about. Most companies do everything they can to keep news of rogue admins quiet, because the damage to their reputations could be even greater than the havoc wreaked by disgruntled or overzealous geeks.

And many companies are virtually helpless to do anything about it, says Steve Santorelli, director of global outreach for security researchers Team Cymru.

"It doesn't matter if your systems are utterly bombproof and you're patched up the wazoo with nuclear-grade security," he says. "A rogue system administrator with root or privileged access can bypass all your perimeter security and your tripwires, because they have to get into the system to do their jobs. The persons responsible for carrying out insider attacks are often the same ones responsible for spotting and preventing them. They know how to overwrite the firewall logs or change their access controls so that no one else can get in. They know where the backup logs are kept and how to manipulate their encryption keys."

You may already have rogue admins in your organisation, ready to blow. Here's how to spot them and what you can do to minimise the damage.

Rogue IT admin No. 1: The crusader

He knows what you should be doing and how you should be doing it, and he's not afraid to take matters into his own hands if you don't agree. A well-intentioned but overzealous admin can often do as much harm as a malicious one.

There are lots of rogue activities that don't involve disgruntled employees, says Josh Stephens, head geek for SolarWinds, maker of network management software.

"A rogue admin could simply be someone who chooses to do things his way instead of the company's way," he says. "Say your organisation has standardised on Windows, but your rogue guy loves Linux. Three months down the road, you may discover that a third of your servers are now using Linux."

Sometimes, though, when the crusader takes over, destruction results. Back in the mid-'90s, Jon Heirmerl worked for a software developer on a government contract.

"We had one network administrator, I'll call him Jim, who would walk the halls looking for people who left their desks with their terminals still logged on," says Heirmerl, who's now director of strategic security for Solutionary, a managed security solution provider. "If Jim found a terminal still logged on, he would go into that person's system and delete all their files to 'teach them a lesson.'"

Then one day a senior developer caught Jim in the act as he was deleting files. The developer, who had no recent backups and lost months' worth of work an instant after Jim hit the Delete key, went postal.

"He punched Jim in the face," says Heirmerl. "Jim didn't delete any more files after that."

Perhaps the best-known crusader is Terry Childs, the former network administrator for San Francisco who refused to surrender passwords to key city systems, because he felt his supervisors were incompetent. Childs was convicted of violating California's computer crime laws in April 2010 and is now serving a four-year term in state prison.

"It's fair to say [people like Terry Childs] think they're doing the right thing," says Santorelli. "Hitler also thought he was doing the right thing. Just because you feel justified isn't a defence for criminal acts. Most people would argue there are sufficient safeguards that allow you to be a whistleblower without resorting to destruction, whether it's the media, government or some regulatory agency."

Anti-rogue defence: You can limit the damage individuals can do by implementing separation of duties and two-person controls, says Ken Ammon, chief strategy officer at Xceedium, a maker of appliances that manage how privileged users access key systems. That will ensure that sensitive tasks are performed by multiple people, and the same individuals don't have responsibility for both performing tasks and auditing how they're performed.
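The two controls Ammon describes can be made concrete in code. The following is an added illustration, not code from the article or from Xceedium: a small approval gate that refuses to run a sensitive operation until two distinct authorised approvers have signed off, never lets the requester approve his own change, and hands log review to a role that cannot also execute changes. The roles, names and the change request itself are constructed for the example.

```python
"""Two-person control and separation of duties for privileged changes.

Added illustration (not from the article or from any vendor): a sensitive
action runs only when two distinct approvers, neither of them the requester,
have signed off, and the audit log can only be reviewed by someone who cannot
execute changes. All roles and people below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role assignments (hypothetical staff).
ROLES = {
    "alice": {"admin", "approver"},
    "bob": {"admin", "approver"},
    "carol": {"approver"},
    "dave": {"auditor"},
}
REQUIRED_APPROVALS = 2


class PolicyError(Exception):
    """Raised whenever a request violates the control policy."""


@dataclass
class ChangeRequest:
    action: str
    requester: str
    approvals: set = field(default_factory=set)


def approve(req, approver):
    """Record an approval; the requester may never approve his own change."""
    if "approver" not in ROLES.get(approver, set()):
        raise PolicyError(f"{approver} is not an approver")
    if approver == req.requester:
        raise PolicyError("requester cannot approve their own change")
    req.approvals.add(approver)  # a set, so the same person cannot count twice
    return req


def execute(req, actor, audit_log):
    """Run the action only once two-person control is satisfied, and log it."""
    if "admin" not in ROLES.get(actor, set()):
        raise PolicyError(f"{actor} cannot execute changes")
    if len(req.approvals) < REQUIRED_APPROVALS:
        raise PolicyError(
            f"two-person control not satisfied ({len(req.approvals)} of "
            f"{REQUIRED_APPROVALS} approvals)"
        )
    audit_log.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "action": req.action,
        "requester": req.requester,
        "approvers": sorted(req.approvals),
        "actor": actor,
    })
    return f"executed: {req.action}"


def audit(audit_log, auditor):
    """Separation of duties: only a non-admin auditor may review the log."""
    roles = ROLES.get(auditor, set())
    if "auditor" not in roles or "admin" in roles:
        raise PolicyError(f"{auditor} may not audit changes they could also perform")
    return list(audit_log)


if __name__ == "__main__":
    log = []
    req = ChangeRequest("rotate root password on fin-db01", requester="alice")
    approve(req, "bob")
    approve(req, "carol")
    print(execute(req, "alice", log))
    print(audit(log, "dave"))
```

The point of the structure is that no single role can both request, approve and review a change: an admin who wants to act alone is stopped at `execute`, and an admin who wants to tidy up after himself is stopped at `audit`.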

Rogue IT admin No. 2: The entrepreneur

You'd think keeping the lights on, the servers running, end users happy (or at least not mutinous) and protecting the network from hackers and hooligans would be more than a full-time job for most admins. And yet, there's the occasional rogue who decides to open up a little side business at work, on company time and using company equipment.

Heirmerl says he's encountered rogues using company servers to sell everything from pirated satellite equipment to tarot products. In the latter case, the entrepreneur's retail operation was discovered after he'd been laid off, and his replacement had unravelled the complex firewall rules the rogue created to allow him access to the network.

"Within 30 minutes after the firewall rules had been changed, the first admin called to complain that his access had been cut off," he says. "This was two weeks after he'd been let go. He was very insulted and thought it was totally unfair."

Winn Schwartau, chairman of smartphone security company Mobile Active Defense, says he was doing independent consulting for a financial services company in 2003 when it discovered one of its sys admins was running a fee-based porn site on his work desktop, using an external modem and a partitioned hard drive. The modem was discovered during a routine scan of the network for rogue communications devices, which led them to the porn site, Schwartau says.

The problem in cases like these is that no one else is watching, says Heirmerl.

"These people are not responsible to anyone," he says. "The guy running the tarot site configured the system audit logs to hide his behaviour. They've got all the authority and no accountability."

Anti-rogue defence: Access and network management tools can go a long way toward preventing rogue activities, says SolarWinds' Stephens. "There's no reason not to build in a management system that will notify you when someone is accessing systems they shouldn't or changing passwords, so you can investigate what's going on," he says. "Solid management software can protect you from these kinds of activities."
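What such a notification system actually has to look for follows from the stories above: access to systems an admin has no business on, password changes on accounts other than his own, the audit service being switched off (the tarot admin's trick), and privileged activity when no one else is around. The following is an added example, not code from the article or from SolarWinds: a small rule set run over constructed, syslog-like key=value lines. The log format, host names, users and entitlement table are all constructed for the example.

```python
"""Detecting privileged-access anomalies in host logs.

Added example, not from the article or any vendor product. The rules flag:
  - logins to hosts outside a user's entitlement,
  - password changes on an account other than the user's own,
  - the audit service being stopped,
  - privileged activity outside business hours.
Log format, hosts, users and entitlements are constructed.
"""
from datetime import datetime

# Constructed entitlements: which hosts each admin is expected to touch.
ENTITLEMENTS = {
    "alice": {"web01", "web02"},
    "bob": {"web01", "web02"},
}
AUDIT_SERVICES = {"auditd", "syslog"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time
PRIVILEGED_EVENTS = {"login", "passwd_change", "service_stop"}

# Constructed sample log in a simple 'TIMESTAMP key=value ...' format.
SAMPLE_LOG = """\
2011-03-02T09:05:11 host=web01 user=alice event=login src=10.0.1.9
2011-03-02T09:06:30 host=web01 user=alice event=passwd_change target=alice
2011-03-02T01:12:05 host=fin-db01 user=bob event=login src=10.0.5.23
2011-03-02T01:13:40 host=fin-db01 user=bob event=passwd_change target=root
2011-03-02T01:14:02 host=fin-db01 user=bob event=service_stop service=auditd
2011-03-02T10:20:00 host=web02 user=bob event=login src=10.0.1.12
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def check(rec):
    """Return the names of every rule a single record trips."""
    hits = []
    user, host, event = rec.get("user"), rec.get("host"), rec.get("event")
    if event == "login" and host not in ENTITLEMENTS.get(user, set()):
        hits.append("access_outside_entitlement")
    if event == "passwd_change" and rec.get("target") != user:
        hits.append("privileged_password_change")
    if event == "service_stop" and rec.get("service") in AUDIT_SERVICES:
        hits.append("audit_tampering")
    if event in PRIVILEGED_EVENTS and rec["ts"].hour not in BUSINESS_HOURS:
        hits.append("off_hours_activity")
    return hits


def scan(log_text):
    """Run every non-empty line through the rules; return (rule, user, host, ts) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in check(rec):
            alerts.append((rule, rec["user"], rec["host"], rec["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each rule is only as good as the entitlement table and the audit-service list behind it, so both belong under change control that the admins being monitored cannot edit alone; otherwise the person being watched can simply add his host to his own entitlement.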

Rogue IT admin No. 3: The voyeur

They have the keys to the kingdom, and sometimes they use them when they think no one's around. Given their almost unfettered access to company networks, some rogue admins can't help but snoop.

Josh Stephens says he's worked with numerous sys admins over the years who've been fired for reading other people's email, or worse. One day about five years ago, Stephens says he was running a WebEx demo for 30 executives, showing off how SolarWinds' Netflow tool could let you see what any user on the network was doing at any time. During the demo he picked an employee at random, a tech admin, and drilled down on his desktop.

"We saw he was updating his resumé, he had a World of Warcraft session open, and he was running a terminal server session to access the computers at the company he used to work for," says Stephens. "I tried to back out of there as quickly as I could, but everybody saw it. I felt bad for the guy but... he wasn't working there much longer after that."

Joe Silverman, CEO of New York Computer Help, says in 2009 his computer repair service came to the rescue of a public relations firm that was being stalked by a former IT admin. The employee would remotely access the company network when he thought no one was in the office and snoop around the desktops of employees, who were mostly attractive women in their 20s. He pawed through their photos, spied on their calendars, and bcc'd himself on all their emails.

"He knew their schedules, so he would access their computers while they were at lunch," says Silverman. "If one of the women came back early they'd see the mouse cursor moving on its own, or they'd end up getting in a tug of war with him over control of their systems."

Silverman says they managed to lock the IT voyeur out by changing the admin passwords and cutting off all his access privileges, and that's where the matter ended. The owner of the PR firm didn't want to pursue charges.




Jennifer Jenkins said: Reading this seems to show both ends doing it totally wrong.

Employer side (of employee or consultant): first and foremost there is password escrow. Every honest IT admin or consultant will hand, unasked for, an envelope with the current passwords to the next up in command (supervisor, manager or project leader). This escrow contains all passwords of all different equipments and levels; of course, in case of an employee, not her/his domain/HR/email or whatever personal passwords; these are anyways reset when an employee leaves. If you hired someone who did not do this yet: 1. place your craigslist ad; 2. ask her/him for it and try them all out, not changing anything, just access itself; 3. have your case ready (a good manager always does; a no-brainer if it is a contractor), so you can bring in the new guy any moment on an instant's notice.

Password neurosis: if you, employer of employee or contractor, did miss the bus, any average good professional (three important words: at least average, good and PROFESSIONAL, i.e. not self-appointed expert who can do the monkey push-button thing) knows how to reset passwords without service interruption on Microsoft systems without knowing the old one, and the network devices (routers, switches etc.) and Linux service systems can be down for a short time at night; and if your mission critical systems cannot stomach a router down, then your architecture is wrong. So why insist on "give me the passwords"? They will be changed anyways; don't waste your time, unless of course you are a neurotic and need to win. If your next guy does not know how to get the old passwords from your MS servers and how to reset passwords on routers, switches and Linux/Unix hosts, then you hired the wrong person.

Employee/contractor side: all wrong, because the best method to get back at an employer for any reason is totally legal, efficient and has the biggest, greatest impact: the 2 minute notice. Of course, if you are not good enough, then you just stay put, suck it up and do your work as good as you can, holding nothing back, so your side of the street is always clean. If you are an outstanding, excellent expert, especially in IT, there is always something that is a good legal reason to quit an employment. Ever been asked to "just install it, we get the license later"? Here you go: you were asked to perform felony software piracy. Just leave. Either line up a job and have one where you go from there, or (and sometimes you want to really get back at the employer and have e.g. rampant SW piracy published) get unemployment for the legally good reason to leave. There will be a hearing; no HR department will want to have someone get UI benefits who leaves, especially when everyone is mad she/he did the way she/he did, because that makes the UI payment of the employer go up, makes the employer look bad in all kinds of statistics where potential high value customers prod and poke around. If you are unlucky, then they will just fold; ok, you get UI until you have the next job. If you are lucky, you can spill your beans and everything becomes public domain that is part of the hearing; cannot be taken back by the empl. coming later and offering a settlement either. And all those bozos who are not good enough, just frustrated or just mean ppl, and think they can from the Internet do something: you just need to be fired, because you are definitively not good enough to know that there is no hiding place on the Internet. If you see your ex-employer's server, that means it knows where YOU are, down to the wall socket, no matter how many intermediate steps you take. And real idiots use a Microsoft OS for this kind of things; they really need to be put away for good.

Techworld UK - Technology - Business