Read the boss' email - go to jail
IT Topics: Enterprise Software & Services, Security
According to this snippet, a Utah man is most likely going to jail for 15 years for illegally intercepting the email of a former employer. I quote, "After Dobson left the company over business and financial disagreements, he accessed the company's e-mail system twice to program it to send e-mail to an unauthorized inbox he created on the company's system, the DOJ said. Dobson allegedly routed the e-mail of the company's chief executive officer and its vice president of engineering to this in-box."
So the guy then downloads the email to his home computer and reads it at his leisure.
I can't tell you how easy this is. And the fact that it happens all the time, only no one really knows about it or hears about it, is crazy. As many of you know, administrators have full rights on a network. In any email system, if you can access the server, you can access the applications running on it. Yes, there are many ways to circumvent the security controls of an application, but if you have full rights to the server, you own it and everything on it.
It is unfortunate and sad, but true, that not everyone in IT is to be trusted. It is a bad security practice to give people in IT full rights to the network. Privileges should be granted on a need-to-know basis, in the same way that is already accepted for end users.
Since most people outside IT do not understand the technology upon which the company rests, they don't think about things like this. Thanks to federal legislation (SOX, for instance), poor security practices are usually found out during an audit. At one company I worked at previously, IT was out of control. It seemed that every new IT person who was hired was given Domain Admin privileges on the network. That was found out during a SOX audit. By the way, the company failed its audit, not just for that reason but for many others. At the time, even though I managed security for the company, I was kept out of the SOX audit altogether. I think my boss wanted all the glory, and then, sadly and unfortunately, failed. I wish she had asked for my help.
That unfortunate event caused a few heads to roll. I had taken my leave, so I wasn't a part of the head rolling, and I'm glad I did. That company has steadily gone downhill. But as I was saying, the Security department was then tasked with monthly audits of the Domain Admin accounts, and every account created from then on required Security's approval.
This kind of vigilance in account auditing is what it takes to ensure that a disgruntled employee cannot create an unauthorized account, secretly configure the email server to forward a copy of someone's email to that secret account, and then access it later to read the mail.
Doing a monthly audit of all accounts on the network and within applications is a good idea if it has never been done before. Instituting a process whereby administrative privileges are documented, and only the appropriate permissions are granted to network resources, is also a very good idea. Good luck.
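The monthly audit described above, as an added example that is not part of the original post: a script that diffs a directory and mail-server snapshot against a Security-approved baseline, flagging unapproved Domain Admins, mailboxes created without approval, and forwarding rules nobody reviewed. The snapshot format, account names and the approved lists are constructed assumptions for illustration.

```python
# Added example (not from the original post): a monthly audit script that
# diffs a directory/mail snapshot against a Security-approved baseline.
# The snapshot format, account names and the approved lists below are
# all constructed assumptions for illustration.

# Baseline maintained by Security: who may hold Domain Admin, and which
# (owner, destination) forwarding pairs have been reviewed and approved.
APPROVED_ADMINS = {"alice", "bob"}
APPROVED_FORWARDS = {("helpdesk", "helpdesk-shared")}


def audit(snapshot: dict) -> list:
    """Return one finding per deviation from the approved baseline.

    snapshot["domain_admins"]: usernames currently in Domain Admins
    snapshot["mailboxes"]:     dicts with owner, forward_to, approved
    """
    findings = []
    # 1. Anyone holding Domain Admin who is not on the approved list.
    for user in snapshot["domain_admins"]:
        if user not in APPROVED_ADMINS:
            findings.append({"type": "unapproved_admin", "subject": user})
    for mbx in snapshot["mailboxes"]:
        # 2. Mailboxes created without Security's approval (a missing flag
        #    counts as unapproved, so the check fails closed).
        if not mbx.get("approved", False):
            findings.append({"type": "unapproved_mailbox", "subject": mbx["owner"]})
        # 3. Copies of someone's mail routed to a destination nobody reviewed.
        for dest in mbx.get("forward_to", []):
            if dest != mbx["owner"] and (mbx["owner"], dest) not in APPROVED_FORWARDS:
                findings.append({"type": "unreviewed_forward",
                                 "subject": mbx["owner"], "destination": dest})
    return findings


# Constructed snapshot: a new hire quietly added to Domain Admins, and an
# unapproved mailbox "archive-x" receiving copies of the CEO's and VP's mail.
SAMPLE = {
    "domain_admins": ["alice", "bob", "newhire"],
    "mailboxes": [
        {"owner": "ceo", "forward_to": ["archive-x"], "approved": True},
        {"owner": "vpeng", "forward_to": ["vpeng", "archive-x"], "approved": True},
        {"owner": "archive-x", "forward_to": [], "approved": False},
        {"owner": "helpdesk", "forward_to": ["helpdesk-shared"], "approved": True},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each finding should be tied to a documented approval (or revoked) before the next monthly run, so the baseline only ever grows through Security's sign-off.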