74 Percent of IT Pros Admit to Network Snooping

Status
Not open for further replies.

snoogins

Seems pretty ridiculous if you ask me, but I'm not an IT guy, so maybe they have their reasons.

But ya, the amount that said they would steal data is no good at all.
 

freename

It says "Among the stuff 70 percent of the British and 36 percent of Americans said they'd take was..."
So, they would take data - personal emails, photos maybe? And some (an undisclosed number) said they'd take more.
Seems like a lot of FUD re: taking stuff. More information required.
 

calinkula

And even though that percentage seems high, that doesn't even count the offshored, outsourced data management company that got hired on to replace most IT staff because it's cheaper.
 

4745454b

Moderator
I laugh a bit about this. When I interned at my local city's IT dept as a college student they foolishly gave me the default admin (both to the machine and network) user name and password. It's set up so that the city has one user name, while the Police have a name one digit higher. Fire is one digit higher, while the water dept has the highest numbered user name. (Password never changes.) I wouldn't have to steal these names as I had to use them so much they are a part of me. I understand this is different as they are grabbing the user:pass of certain people, but I'm sure with enough knowledge they could do ??? I know I could.
 
Guest
It said they want to take the database and other important information. The most important information that they would most likely be stealing is the customer list with all of the contact info included. They could take all of that and use it at another company... even with an NDA, there's no way to prove where they got it (if they are smart).
 

lostalaska

**sigh** at least they are shilling a product to fix this problem, what a coincidence! I'm feeling like they tweaked the hell out of the questions/data to get the numbers they wanted... Now let's all go buy their cyber-arc security systems and feel safer....
 

SAL-e

I call the assumptions made in this survey BS. If the info should be seen by persons A, B and C, only persons A, B and C should have access in the first place. If IT has access and John's account has permission to see the data... well, he has permission and it can't be called snooping. The only other way is for the sys admin to crack the security measures, and this takes far more time than the "free time on the job" an average sys admin has.

The result of this survey really means that 70% of the networks have not been configured correctly. You don't need a survey for that; they just need to ask any Sys Admin to confirm it.

And don't get your Sys Admin angry. It could cost you big time.
 

JMcEntegart

[citation][nom]SAL-e[/nom]I call the assumptions made in this survey BS. If the info should be seen by persons A, B and C, only persons A, B and C should have access in the first place. If IT has access and John's account has permission to see the data... well, he has permission and it can't be called snooping. The only other way is for the sys admin to crack the security measures, and this takes far more time than the "free time on the job" an average sys admin has. The result of this survey really means that 70% of the networks have not been configured correctly. You don't need a survey for that; they just need to ask any Sys Admin to confirm it. And don't get your Sys Admin angry. It could cost you big time.[/citation]

By your logic, because IT has access to the HR database (should something go wrong, they would of course need access to fix it), it's not snooping if they look at why so-and-so was off sick for depression for two months, or who's got maternity leave booked, or even look up home addresses and phone numbers for all employees.

Likewise, most IT staff can tell you your password if you forget it; that doesn't mean they're entitled to check your emails, which may contain confidential client information, etc.
 

chodaboy

I've snooped around the secretary's personal folders in search of nudity. It seems that she keeps all her naked pictures at home though...
 

Supertrek32

"74 Percent of IT Pros Admit to Network Snooping"

"The survey found that 64 percent of UK IT professionals admitted to accessing information not relevant to their role, while 74 percent of U.S."

Thanks for the sensationalized headline. Snooping is definitely not the same as looking at something irrelevant. Facebook is irrelevant, but I wouldn't call that snooping by any means.
 

visa

As an IT consultant, I can say there's no good excuse for snooping around randomly on client networks.

However, I'd also like to know how many end users bitch and moan that they should change their network password from "Password1". This is especially true of smaller businesses.
 

TheKurrgan

[citation][nom]SAL-e[/nom]I call the assumptions made in this survey BS. If the info should be seen by persons A, B and C, only persons A, B and C should have access in the first place. If IT has access and John's account has permission to see the data... well, he has permission and it can't be called snooping. The only other way is for the sys admin to crack the security measures, and this takes far more time than the "free time on the job" an average sys admin has. The result of this survey really means that 70% of the networks have not been configured correctly. You don't need a survey for that; they just need to ask any Sys Admin to confirm it. And don't get your Sys Admin angry. It could cost you big time.[/citation]
[citation][nom]supertrek32[/nom]"74 Percent of IT Pros Admit to Network Snooping" "The survey found that 64 percent of UK IT professionals admitted to accessing information not relevant to their role, while 74 percent of U.S." Thanks for the sensationalized headline. Snooping is definitely not the same as looking at something irrelevant. Facebook is irrelevant, but I wouldn't call that snooping by any means.[/citation]

Do you have any concept of system administration? Let's break this down:
Unix systems - root = god of all. There is no securing files from it at the *SYSTEM* level. Non-administered certificate-based or 3rd party user encryption is the only way.
Windows: Yes, you can "deny" the administrator from looking at files and whatnot... however, SOMETHING has to access it for it to function, such as most network-based backup systems that run as a user account that can see it, which IT staff set up.
With both of those items pointed out, a database requires setup and maintenance. Whoever administers that will need access for at least that much, which gives them the ability to see everything.

Bottom line, SOMEONE has to have the power to set up security measures, and therefore have the ability to turn them off or go around them. The only security "measure" there can be is an audit log, which even then is set up by the administrator. As far as "snooping" goes, because it is done without changing anything, it's impossible to keep the sysadmin out, beyond the measures I indicated above, which means the system administrator won't be able to read the contents of the files, but also could cause issues with backup and other operations if there are shared files.
I've gone through 10 years' worth of audits, and ITIL + SOX all acknowledge this known limitation of security.
Know what you're saying before you comment on it.
 

SAL-e

[citation][nom]JMcEntegart[/nom]By your logic, because IT has access to the HR database (should something go wrong, they would of course need access to fix it), it's not snooping if they look at why so-and-so was off sick for depression for two months, or who's got maternity leave booked, or even look up home addresses and phone numbers for all employees.[/citation]
With all of my respect, thank goodness you are not running the security of a bank, for example. By your logic the janitorial staff would have keys to the bank's vaults because they have to go clean up the floor once every week. I have solved the problem by setting up encryption. The access password is set by security and I don't know it. If something breaks, security will give me the password and I will fix it. After I am done, security will change the password. That way even if you seduce me (for example) you're not going to get access to the data.
[citation][nom]JMcEntegart[/nom]Likewise, most IT staff can tell you your password if you forget it; that doesn't mean they're entitled to check your emails, which may contain confidential client information, etc.[/citation]
This is an absolute NO-NO. In fact I believe in some EU countries this is illegal. On my network I can only force a password change, and the user has to follow security protocol to set his/her new password. Theoretically I can crack the passwords, but this will take so much time that I cannot do it without getting noticed.
 

viometrix

When my company laid me off for no reason after 17 yrs of loyal service with no severance and a statement they would fight unemployment, I set loose a chain of events that wiped clean every server and computer across 19 states, costing them billions and ultimately sinking the company into non-existence. I still have all the data I leeched.

Do I believe what I did was right? No - but neither were they. Do I believe others should be snooping? Nope. If your company is good to you, be good to them; if they burn you, burn them down to the ground.

That stupid little severance package would have saved his company (and unemployment, which I ended up getting after a few weeks of fighting it).
 

SAL-e

[citation][nom]thekurrgan[/nom]Do you have any concept of system administration? Let's break this down: Unix systems - root = god of all. There is no securing files from it at the *SYSTEM* level. Non-administered certificate-based or 3rd party user encryption is the only way. Windows: Yes, you can "deny" the administrator from looking at files and whatnot... however, SOMETHING has to access it for it to function, such as most network-based backup systems that run as a user account that can see it, which IT staff set up. With both of those items pointed out, a database requires setup and maintenance. Whoever administers that will need access for at least that much, which gives them the ability to see everything. Bottom line, SOMEONE has to have the power to set up security measures, and therefore have the ability to turn them off or go around them. The only security "measure" there can be is an audit log, which even then is set up by the administrator. As far as "snooping" goes, because it is done without changing anything, it's impossible to keep the sysadmin out, beyond the measures I indicated above, which means the system administrator won't be able to read the contents of the files, but also could cause issues with backup and other operations if there are shared files. I've gone through 10 years' worth of audits, and ITIL + SOX all acknowledge this known limitation of security. Know what you're saying before you comment on it.[/citation]
Thank you for stating the obvious. There are no perfect systems, but you can build security layers and split responsibility for each layer of security. That way a single person cannot access the data alone. Just like in your bank vault, you need two keys (the master key and your personal key) to open your box. The real problem is that security has 3 dimensions: 1) how effective it is; 2) how easy it is; and 3) how expensive it is. The trick is that you can have only 2 of them. For example, if you select to be effective and easy, you need to invest quite a bit. But guess what?! Most businesses go with 'cheap', and because people hate for things to be difficult they also select 'easy', and as a result they end up with ineffective security.
One more thing: if you really have been doing security for 10 years, by now you should know that access logs have only one purpose - to make it easier to troubleshoot and monitor the security process, not to prevent the break. But most businesses falsely believe that because they have evidence of data access they can prevent the data's use after it has been leaked by calling the law enforcement agencies.
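The "two keys to the vault" arrangement SAL-e describes (admin holds one share, security holds the other, and security re-issues shares after maintenance) as an added Python example; this is not code from the thread, it assumes stdlib only, and its HMAC-based stream cipher is a constructed stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

# Constructed example of dual control: the data key is XOR-split into two
# shares. Each share alone is uniformly random, so neither the admin nor the
# security officer can decrypt without the other. Re-splitting after a
# maintenance window invalidates the admin's old share (key "rotation").

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split `key` into (admin_share, security_share); each alone reveals nothing."""
    admin_share = secrets.token_bytes(len(key))
    security_share = bytes(k ^ a for k, a in zip(key, admin_share))
    return admin_share, security_share

def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the data key; only two shares from the same split XOR back to it."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from the data key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a lone share or stale share fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True only when `key` is the genuine reconstructed data key."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False
```

In practice the security officer's share would live in an HSM or a second person's custody, and a ticketed maintenance window is what triggers the combine and the re-split.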
 