Saving Money with IT Security Processes. Example 9/26: Preventing the Angry Administrator Revenge

Article number 9 in a series dedicated to giving examples of the way IT security processes can help your company save money.

The incident that I refer to when I speak about the "Angry Administrator Revenge" is the one that happens when you sack an admin and that he uses his administrative rights to wreak havoc in your Information System. That's a pretty common case:

• Example 1: Ex-Gucci IT Employee Seeks Revenge on a $200,000 Hacking Spree
• Example 2: 10 Ways Fired Employees Got Their Revenge On Their Ex-Bosses / Former Firms
• Example 3: Disgruntled employees may seek IT revenge

This is when the IT Security process of Password Management comes in. (It's sometimes part of a larger Identity and Access Management process.)

Basically, almost everything in IT is protected by a password. Rare exceptions are the things that are not protected at all or the things that require more than just a password. However, password is the rule.
There are two kinds of passwords to be distinguished:

• The personal passwords, that are known by one person only.
• The shared passwords, that are known by multiple people.

Whatever your degree of maturity, shared passwords can't be eliminated completely. So, virtually any Information System in this world has both personal and shared passwords and they give access to virtually every server, storage, application...

The Password Management process does the following:

• It knows who's supposed to know (be in the shared secret) each password.
• It knows how to change them.
• It does change them whenever someone who knows them is no more in charge (or has been sacked).
• And, because there are sometimes more people who know a password than the few supposed to know it, it changes all passwords on a regular schedule, like once a year, or more for critical data.

So, with a sound Password Management process, you can avoid what's happened to Gucci and so many other companies.

Identity Management Steps, from the Ground Up

Norms and legal compliance often require companies to do strong authentication. But it must not be forgotten that strong authentication is merely the cherry on top of the cake.

Strong Authentication is an improvement upon Authentication, weak or not. Authentication is built upon a correct Identification of people. Identification allows for Authorization based on rules, for instance, ORBAC or RBAC.

Or, if we put it into natural questions:

1. Who are we speaking about? Identification
2. And who's that? What's he supposed to be doing around here? Authorization
3. Let him prove he's really who he means! Authentication
4. Let him prove that he's not cheating on authentication! Strong authentication.

Strong Authentication Authentication Authorization Identification

The most important is to understand that a compliance requirement about Strong Authentication is only the tip of the iceberg. Any project targeting Strong Authentication should first concentrate on cleaning and validating Identification (list of users → list of all users → list of all users individually identified → up to date list of all users individually identified → up to date list of all users individually identified with all information related to their work assignments and related Authorizations), then choose specific areas among all possible Authorizations (among the many things people are allowed to do in the Information Systems, which are now to be protected?) and then enhance Authentication into Strong Authentication.