Who’s Watching the Watcher?

By: Laura A. Combs, CISSP

As an auditor, I have to admit to being very attached to a good audit trail and the appropriate review of said audit trail. This is especially true for the logging and review of administrative activities on an organization’s network. Thorough monitoring of administrative activities on an organization’s network can detect anything from insider threats to innocuous mistakes. However, all too often I find organizations fulfill the “letter of the law” with respect to the controls they’ve put in place around the review of administrator or privileged user activity logs without taking into consideration the “spirit of the law.”

The importance of considering the “spirit of the law” when monitoring privileged user activities can be seen in any number of case studies done on insider threats, but one of my favorite examples revolves around a disgruntled duo of employees who had helped build the traffic control system for a large city. The city was involved in a negotiation with a union representing these employees, so the employees’ access had been temporarily disabled to prevent any temptation to do something malicious. Unfortunately, one of the employees’ supervisors had previously shared the credentials to his own high-level system account with that employee. With that login, the employees were able to access the system and disconnect the control boxes for the traffic lights at a number of major intersections. The employees then changed the login credentials, which effectively locked out any efforts to fix the problem. The city was unable to discover why the traffic lights weren’t working for a week because no one was looking for possible malicious activity related to privileged accounts.

I find myself likening network admins, system admins, and privileged users to the wizard behind the curtain in Oz. They’re responsible for an enormous range of work, from the everyday creation and deletion of users, network monitoring, and patching to designing and planning an entire network from scratch. Also, like the wizard in Oz, people tend to associate a certain amount of mystery with what those administrators do. So much so that it can be difficult to find someone with enough knowledge to monitor the administrators’ actions closely enough to detect anomalies.

In fact, in order to support separation of duties, many organizations will assign privileged user activity log reviews to someone in the organization who does not have administrative access and may not even be a member of the IT staff. That isn’t necessarily a bad thing in and of itself, as long as that person completely understands their role and what they’re looking at. If that’s the direction your organization has decided to go in, I recommend creating an environment that de-mystifies privileged user activities for the people reviewing them. If you’re the administrator, take the time to explain what means “good” and what means “bad” to the reviewer; and if you’re the reviewer, don’t be shy about asking questions. Understanding what they’re looking at can help reviewers breathe new life into monitoring controls and processes that may have grown stale over time and make those controls more valuable to the organization.
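As an added example (not part of the original post), here is a small Python review script that encodes the kind of “what means bad” rules an administrator could spell out for a non-technical log reviewer, using the three warning signs from the traffic-light case above: activity by a suspended account, a privileged account used from a second location shortly after a login (a hint of a shared credential), and a credential change on a privileged account. The JSON-lines log format, account names, addresses, and the suspended-account list are all constructed for this example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-trail events (JSON lines); the accounts, addresses
# and timestamps are invented for this example, not taken from any real system.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:55:00","account":"admin_supervisor","event":"login","src":"10.0.5.21","privileged":true}
{"ts":"2024-03-04T09:03:40","account":"admin_supervisor","event":"login","src":"192.0.2.77","privileged":true}
{"ts":"2024-03-04T09:10:02","account":"admin_supervisor","event":"password_change","src":"192.0.2.77","privileged":true}
{"ts":"2024-03-04T09:30:00","account":"tech_disabled","event":"login","src":"10.0.5.30","privileged":true}
{"ts":"2024-03-04T10:15:00","account":"rjones","event":"login","src":"10.0.5.30","privileged":false}
"""

# Hypothetical feed from the identity system: accounts whose access was suspended.
SUSPENDED_ACCOUNTS = {"tech_disabled"}


def parse_events(text):
    """Parse JSON-lines audit events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review_privileged_activity(text, suspended, window=timedelta(minutes=30)):
    """Return (rule, account, timestamp) findings a reviewer should question."""
    findings = []
    last_login = {}  # account -> (timestamp, source) of its most recent login
    for ev in parse_events(text):
        acct, ts = ev["account"], ev["ts"]
        # Rule 1: any activity by a suspended account is suspect, privileged or not.
        if acct in suspended:
            findings.append(("suspended_account_activity", acct, ts.isoformat()))
        if not ev.get("privileged"):
            continue
        # Rule 2: a privileged account logging in from a second source shortly after
        # another login suggests the credential is being shared or was stolen.
        if ev["event"] == "login":
            prev = last_login.get(acct)
            if prev and prev[1] != ev["src"] and ts - prev[0] <= window:
                findings.append(("concurrent_sources", acct, ts.isoformat()))
            last_login[acct] = (ts, ev["src"])
        # Rule 3: a credential change on a privileged account can lock out responders.
        elif ev["event"] == "password_change":
            findings.append(("privileged_credential_change", acct, ts.isoformat()))
    return findings
```

Running `review_privileged_activity(SAMPLE_LOG, SUSPENDED_ACCOUNTS)` on the constructed log yields three findings, one per rule, each naming the account and time a reviewer should ask the administrator about.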


Laura is a Manager at YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.