You can't survive without them. They wield enormous power over your systems, networks, and data -- the very lifeblood of your organization. Few people outside IT have any understanding of what they do, and fewer still exercise any oversight over their actions.
To be sure, the overwhelming majority of IT admins are honest, hard working, and underappreciated. But when they go rogue, bad things happen. Organizations find themselves locked out of their own networks. Customer data files inexplicably vanish. Companies scan their networks and discover somebody's running a porn site from inside their data center. Trade secrets get destroyed or stolen, and employees get the creepy feeling somebody is watching everything they do -- and they're right.
Those are just the cases you hear about. Most companies do everything they can to keep news of rogue admins quiet, because the damage to their reputations could be even greater than the havoc wreaked by disgruntled or overzealous geeks.
And many companies are virtually helpless to do anything about it, says Steve Santorelli, director of global outreach for security researchers Team Cymru.
"It doesn't matter if your systems are utterly bomb-proof and you're patched up the wazoo with nuclear-grade security," he says. "A rogue system administrator with root or privileged access can bypass all your perimeter security and your tripwires, because they have to get into the system to do their jobs. The persons responsible for carrying out insider attacks are often the same ones responsible for spotting and preventing them. They know how to overwrite the firewall logs or change their access controls so that no one else can get in. They know where the backup logs are kept and how to manipulate their encryption keys."
You may already have rogue admins in your organization, ready to blow. Here's how to spot them and what you can do to minimize the damage.
Rogue IT admin No. 1: The crusader
He knows what you should be doing and how you should be doing it -- and he's not afraid to take matters into his own hands if you don't agree. A well-intentioned but overzealous admin can often do as much harm as a malicious one.
There are lots of rogue activities that don't involve disgruntled employees, says Josh Stephens, head geek for SolarWinds, maker of network management software.
"A rogue admin could simply be someone who chooses to do things his way instead of the company's way," he says. "Say your organization has standardized on Windows, but your rogue guy loves Linux. Three months down the road, you may discover that a third of your servers are now using Linux."
Sometimes, though, when the crusader takes over, destruction results. Back in the mid-'90s, Jon Heirmerl worked for a software developer on a government contract.
"We had one network administrator -- I'll call him Jim -- who would walk the halls looking for people who left their desks with their terminals still logged on," says Heirmerl, who's now director of strategic security for Solutionary, a managed security solution provider. "If Jim found a terminal still logged on, he would go into that person's system and delete all their files to 'teach them a lesson.'"
Then one day a senior developer caught Jim in the act as he was deleting files. The developer, who had no recent backups and lost months' worth of work an instant after Jim hit the Delete key, went postal.
"He punched Jim in the face," says Heirmerl. "Jim didn't delete any more files after that."
Perhaps the best-known crusader is Terry Childs, the former network administrator for the City of San Francisco who refused to surrender passwords to key city systems because he felt his supervisors were incompetent. Childs was convicted of violating California's computer crime laws in April 2010 and is now serving a four-year term in state prison.
"It's fair to say [people like Terry Childs] think they're doing the right thing," says Santorelli. "Hitler also thought he was doing the right thing. Just because you feel justified isn't a defense for criminal acts. Most people would argue there are sufficient safeguards that allow you to be a whistleblower without resorting to destruction, whether it's the media, government, or some regulatory agency."
Anti-rogue defense: You can limit the damage individuals can do by implementing separation of duties and two-person controls, says Ken Ammon, chief strategy officer at Xceedium, a maker of appliances that manage how privileged users access key systems. That will ensure that sensitive tasks are performed by multiple people, and the same individuals don't have responsibility for both performing tasks and auditing how they're performed.
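Here is what the two controls Ammon describes look like when written down as policy code. This is an added example, not code from the article or from Xceedium's products; the operation names, user names and the idea of an "auditor" group are assumed for illustration. A sensitive operation is refused until someone other than the requester has approved it, and the separation-of-duties check refuses any assignment in which a person who performs privileged tasks also reviews the logs of those tasks.

```python
"""Two-person control and separation of duties for privileged operations.

Added example; it is not code from the article or from any product named
in it. Operation names, user names and the auditor role are assumed."""
from dataclasses import dataclass, field

# Assumed policy: these operations are too sensitive for one person to run
# alone, so each needs an independent second approver before it executes.
TWO_PERSON_OPERATIONS = {
    "change_firewall_rules",
    "rotate_backup_encryption_keys",
    "purge_audit_logs",
}


class PolicyViolation(Exception):
    """Raised when a request breaks the two-person or separation-of-duties rule."""


@dataclass
class PrivilegedRequest:
    requester: str
    operation: str
    approvers: set = field(default_factory=set)

    def approve(self, approver: str) -> None:
        # The person asking for the change can never be its second pair of eyes.
        if approver == self.requester:
            raise PolicyViolation(f"{approver} cannot approve their own request")
        self.approvers.add(approver)

    def is_authorized(self) -> bool:
        # Routine operations need no co-signer; sensitive ones need at least one
        # approver who is not the requester, i.e. two distinct people in total.
        if self.operation not in TWO_PERSON_OPERATIONS:
            return True
        return len(self.approvers - {self.requester}) >= 1


def audit_assignment_ok(performers: set, auditors: set) -> bool:
    """Separation of duties: nobody who performs privileged tasks may also be
    the person who reviews the records of those tasks."""
    return performers.isdisjoint(auditors)


def run_privileged(req: PrivilegedRequest, action) -> str:
    """Gate an action behind the policy; `action` is any zero-argument callable
    that performs the real work and returns a status string."""
    if not req.is_authorized():
        raise PolicyViolation(
            f"{req.operation} requested by {req.requester} needs an independent approver")
    return action()


if __name__ == "__main__":
    req = PrivilegedRequest("alice", "change_firewall_rules")
    try:
        run_privileged(req, lambda: "applied")
    except PolicyViolation as err:
        print("blocked:", err)
    req.approve("bob")
    print("after approval:", run_privileged(req, lambda: "applied"))
    print("alice and bob perform, carol audits:", audit_assignment_ok({"alice", "bob"}, {"carol"}))
```

The point of keeping the check in one place is that the gate cannot be skipped by the very admin it constrains: the approval record and the audit assignment live outside the scope of the person requesting the change.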
Rogue IT admin No. 2: The entrepreneur
You'd think keeping the lights on, the servers running, end-users happy (or at least not mutinous) and protecting the network from hackers and hooligans would be more than a full-time job for most admins. And yet, there's the occasional rogue who decides to open up a little side business at work -- on company time and using company equipment.
Heirmerl says he's encountered rogues using company servers to sell everything from pirated satellite equipment to tarot products. In the latter case, the entrepreneur's retail operation was discovered after he'd been laid off, and his replacement had unraveled the complex firewall rules the rogue created to allow him access to the network.
"Within 30 minutes after the firewall rules had been changed, the first admin called to complain that his access had been cut off," he says. "This was two weeks after he'd been let go. He was very insulted and thought it was totally unfair."
Winn Schwartau, chairman of smartphone security company Mobile Active Defense, says he was doing independent consulting for a financial services company in 2003 when it discovered one of its sys admins was running a fee-based porn site on his work desktop, using an external modem and a partitioned hard drive. The modem was discovered during a routine scan of the network for rogue communications devices, which led them to the porn site, Schwartau says.
The problem in cases like these is that no one else is watching, says Heirmerl.
"These people are not responsible to anyone," he says. "The guy running the tarot site configured the system audit logs to hide his behavior. They've got all the authority and no accountability."
Anti-rogue defense: Access and network management tools can go a long way toward preventing rogue activities, says SolarWinds' Stephens.
"There's no reason not to build in a management system that will notify you when someone is accessing systems they shouldn't or changing passwords, so you can investigate what's going on," he says. "Solid management software can protect you from these kinds of activities."
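The kind of notification Stephens describes can be built from the access logs you already collect, provided they are forwarded somewhere the admins themselves cannot edit. The following is an added example, not code from the article or from SolarWinds; the key=value log format, the host and user names, and the table of which admin is assigned to which hosts are all constructed for illustration. It raises an alert when an account logs into a host outside its assigned scope, when an unknown account shows up with privileged access, and on every password change, noting whether the target was the admin's own account or someone else's.

```python
"""Alerting on out-of-scope privileged access and password changes.

Added example; not code from the article or from SolarWinds. The log format,
host names, user names and the scope table below are constructed."""
import re
from collections import namedtuple

# Constructed: which hosts each admin is assigned to administer.
ADMIN_SCOPE = {
    "alice": {"web01", "web02"},
    "jim": {"db01"},
}

# Constructed log lines: timestamp followed by key=value fields.
SAMPLE_LOG = """\
2010-05-03T02:14:07Z host=web01 user=alice event=login src=10.0.0.5
2010-05-03T02:15:11Z host=db01 user=jim event=login src=10.0.0.9
2010-05-03T02:16:40Z host=fw01 user=jim event=login src=10.0.0.9
2010-05-03T02:17:02Z host=fw01 user=jim event=passwd_change target=admin
2010-05-03T02:18:30Z host=web02 user=alice event=passwd_change target=alice
2010-05-03T02:19:00Z host=web02 user=mallory event=login src=10.0.0.44
"""

Alert = namedtuple("Alert", "timestamp user host reason")
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict of fields, or None if it is malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = dict(item.split("=", 1) for item in match.group("kv").split() if "=" in item)
    fields["ts"] = match.group("ts")
    return fields


def evaluate(fields: dict) -> list:
    """Return the list of reasons this event deserves a notification (empty if none)."""
    user = fields.get("user")
    host = fields.get("host")
    reasons = []
    allowed = ADMIN_SCOPE.get(user)
    if allowed is None:
        reasons.append("privileged access by an account not in the admin roster")
    elif host not in allowed:
        reasons.append("access to a host outside assigned scope")
    if fields.get("event") == "passwd_change":
        target = fields.get("target")
        whose = "own" if target == user else "another"
        reasons.append(f"password change on {whose} account ({target})")
    return reasons


def scan(log_text: str) -> list:
    """Run every line through the checks and collect Alert records."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        for reason in evaluate(fields):
            alerts.append(Alert(fields["ts"], fields.get("user"), fields.get("host"), reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.user}@{alert.host}: {alert.reason}")
```

On the constructed sample this produces five alerts: two logins and a password change by "jim" on a firewall he is not assigned to, a routine self-service password change by "alice" that is logged for review rather than blocked, and a login by an account that is not on the roster at all. The scope table is the part that needs real thought in practice; an alert stream is only as good as the record of who is supposed to be where.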