The Real Persistent Threat

Among the many issues associated with the revelations of Edward Snowden, one stands out among the speculation and sensation: the risk posed by those who have the keys to your digital kingdom. A system administrator has to have root privileges in order to do their job. Depending on the size of the organization in question, they may have root on everything, or just on a subset of systems. Regardless, they have life-and-death control over those systems. They may not know how to use a given application as a user would, but they can make that application and its associated data disappear if they so choose.

As a business owner or executive you place a lot of trust in your sys admin, and most of the time that trust is well placed.

Until it isn’t.

A sys admin compromised by an adversary (business, national or otherwise) is your worst nightmare because you have no idea they are robbing you blind until it is too late. Even if you begin to suspect your sys admin is doing something unauthorized if not illegal, how do you investigate that without tipping off the person who knows more about your IT enterprise than you do?

You can’t.

Let me be a little more precise: most of you are not able or willing to conduct the kind of operation it takes to root out a rogue sys admin. Such activities are effectively intelligence operations. They cost money, they are conducted in secret, and they come with massive amounts of overhead. You run a business, not a counterintelligence outfit. Most of you, if faced with such a problem, will find a way to manage the suspected offender out of the company or into a position where they can’t do any more damage. Even then, you can’t be sure they didn’t leave behind a surprise that will allow them to maintain access even when they are not officially supposed to have it, or to destroy evidence or data if they think you’re on to them and they have nothing to lose.

So what are your options?

From the world of accounting (and nuclear weapons) we have the “two-man rule.” If you’re large enough to warrant more than one sys admin in your IT department, anything one of them does should be checked, logged, or otherwise noted by another. Collusion is a risk, but it’s a much lower risk than one person going rogue.

Occasionally and randomly bring in an outsider to audit what has been done, system configurations, etc.: someone who knows their stuff but doesn’t know the sys admin. In the context of my opening point, you’re hiring a Congress to provide oversight of your intelligence agencies.

You can’t change the fact that you will get hacked at some point, but you can take steps to reduce the threat posed by an insider whose trust may be wildly misplaced.