How to Spot Rogue Admins in Your Company

Most administrators are likely to be honest, hard-working and reliable workers, although some have been known to turn to the dark side. Why? It's hard to say. Maybe they are bored. Maybe they feel underpaid or unappreciated. Perhaps they feel ostracized by the other members of staff.

Regardless of the reason, it only takes one rogue admin to bring the system to its knees. You will need to pay close attention to who's on board and know how to spot the warning signs.

Rogue admins come in many shapes and sizes. They may adopt a God-like position of authority, leading them to become overbearing and reckless. For example, should the admin come across an unattended computer that was still logged on to the network, they may decide to delete the employee’s files in order to teach them a lesson.

They may be able to run an illegal side-business for some time without getting noticed, or stream inappropriate content from the company's servers. They may decide to sell sensitive data, such as business plans, product designs and trade secrets, to competitors.

Alternatively, they may decide to sell customers' credit card details to criminals. They may attempt to sell pirated software to their employer, or snoop on staff emails without authorization. There's really no telling what a rogue admin is capable of.

The problem of rogue administrators is more common than you might think. The reason there are not many reported cases is that most companies don't want to publicly disclose such information. This is completely understandable; however, keeping quiet makes it hard for other companies to find solutions to such problems.

The most common mistakes made by companies who are victimized by rogue admins are: inadequate screening during the hiring process, careless monitoring of access privileges, and being too slow at observing suspicious behavior.

One of the key issues we are faced with when dealing with rogue admins is that it's very hard to monitor unusual activity, as such activity will often look the same as their usual activity. Of course, they likely have a good idea of how to cover their tracks. However, there are some steps that can be taken to help prevent such issues:

1. Firstly, separate duties! Giving too much power to your administrator could be risky, as it would allow them to conceal malevolent activities. As such, you ideally want to split certain tasks and privileges among multiple staff members. Clearly, it makes no sense to place your sys admin in a position where they are effectively monitoring themselves. Basically, any duty that could lead to a breach of your security protocol should be separated into smaller steps, each assigned to a different member of staff.

2. Secondly, ensure that you perform a thorough background check when hiring a sys admin. Check whether they have a criminal record, and ensure that they provide at least three references. After all, these people will be in charge of your crucial data, and you will need reassurance that they've demonstrated trustworthiness in their previous roles.

3. Thirdly, pay attention to certain behavioral characteristics; for example, do they seem to believe they are smarter than everyone else? Are there any signs of malice or entitlement? Do they get on well with other employees? Do they seem happy to be working for the company?

4. Be sure to avoid what is known as 'privilege escalation'. This is what happens when administrators are granted privileges to deal with a specific task, but those privileges are not revoked once the task has been completed.

5. Encourage other staff members to log and report any unusual activity. For example, this could be done anonymously via a web form. Of course, you would need to ensure that the admin doesn't have access to the form data.

6. If your company is likely to make any significant changes which may anger staff members, you will need to act pre-emptively, which may involve temporarily revoking certain admin rights in order to prevent a backlash. On the same note, if you are planning significant changes, ensure that information about them is not leaked to other members of staff before you make an official announcement.

At the end of the day, there's no foolproof method for protecting your company from rogue staff. The best you can do is choose your staff wisely, avoid giving too much power to any one person, and watch out for certain behavioral characteristics.

Keep a record of admin privileges, and note when they should expire. Train your staff and encourage them to be vigilant in spotting and reporting rogue behavior. Be sure to plan ahead, and finally, make sure that you have the best suite of tools available for auditing, monitoring and reporting events that take place on your company's systems.
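Points 1 and 4 above, together with the advice to record when privileges should expire, as an added example that is not from the article: a small Python register of admin grants that flags grants still active past their noted expiry and people who currently hold privileges that should be split between staff members. The privilege names, conflict pairs and grant records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    granted: date
    expires: date        # revocation date noted when the grant was issued
    revoked: bool = False

# Constructed pairs of privileges one person should not hold at the same time;
# the second pair covers an admin who would otherwise review their own actions.
CONFLICTING_PAIRS = [
    frozenset({"backup-operator", "backup-restore-approver"}),
    frozenset({"domain-admin", "audit-log-reviewer"}),
]

def overdue_grants(grants, today):
    """Grants whose noted expiry has passed but that were never revoked."""
    return [g for g in grants if not g.revoked and g.expires < today]

def duty_conflicts(grants):
    """(user, (privilege, privilege)) for every active conflicting pair held by one person."""
    active = {}
    for g in grants:
        if not g.revoked:
            active.setdefault(g.user, set()).add(g.privilege)
    conflicts = []
    for user, privs in sorted(active.items()):
        for pair in CONFLICTING_PAIRS:
            if pair <= privs:
                conflicts.append((user, tuple(sorted(pair))))
    return conflicts

# Constructed sample register: one task-bound grant was never revoked, and one
# admin also holds the reviewer role for the logs of their own activity.
SAMPLE_GRANTS = [
    Grant("alice", "domain-admin", date(2023, 1, 10), date(2024, 12, 31)),
    Grant("alice", "audit-log-reviewer", date(2024, 3, 1), date(2024, 6, 1)),
    Grant("bob", "backup-operator", date(2024, 2, 1), date(2024, 2, 15)),
    Grant("bob", "db-admin", date(2024, 1, 1), date(2024, 1, 31), revoked=True),
    Grant("carol", "helpdesk-admin", date(2024, 4, 1), date(2024, 9, 30)),
]
TODAY = date(2024, 5, 1)   # constructed audit date

if __name__ == "__main__":
    for g in overdue_grants(SAMPLE_GRANTS, TODAY):
        print(f"OVERDUE: {g.user} still holds {g.privilege} (expired {g.expires})")
    for user, pair in duty_conflicts(SAMPLE_GRANTS):
        print(f"CONFLICT: {user} holds both {pair[0]} and {pair[1]}")
```

Running the register check on a schedule, by someone other than the admins it covers, turns "note when they should expire" into a recurring revocation list.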
