They're the stuff that nightmares are made of, the rude beasts that haunt IT pros' dreams and make them wake up in a cold sweat. Look closely and you'll start to see them everywhere.
Witness the bloodthirsty Warewolves who use software audits to squeeze more money from you, BYOD Vampires who suck down all the bandwidth from critical business apps, and mindless Keyboard Zombies who lose sensitive data and introduce malware to the network. You'll also need to be wary of malicious insiders (Ghosts in the Machine), attackers with an agenda (Frankenhackers), and rogue admins who threaten to hold your data ransom (Crypto Keepers).
Perhaps the scariest of all: Shape-shifting managers who promise the world to customers and their bosses, then leave you to take the blame when they can't deliver.
Fortunately, silver bullets, wooden stakes, and exorcisms are available, if you know where to look. Here's how to venture forth without fear.
Some software vendors are warm and fuzzy when you're signing contracts and writing checks. But when the moon is right, they won't hesitate to rip out your trachea -- or, worse, call for a software audit, says Rob Scott, managing partner of Scott & Scott LLP, a law firm specializing in software and intellectual property disputes.
"This is what really should be keeping IT managers up at night," says Scott. "It's not when the data center goes down, it's when a third party comes along with a big compliance complaint and you're facing litigation. Those are the kinds of things that get people fired."
IT managers are the ones who end up howling when the Business Software Alliance, the Software and Information Industry Association, or a Big Four accounting firm wants a look at their books. Even for companies in compliance, a typical audit process takes a year or more, says Scott, and many publishers don't specify what they'll accept as proof of compliance until an audit is already under way.
Organizations like the BSA, which offer bounties to employees who rat out their current or former employers, add to the horror, he says.
"Oftentimes the whistle-blowers are the ones who were responsible for keeping the company in compliance in the first place," he says.
Your best defense: There is no silver bullet, says Scott. Stay in business long enough and a software audit is virtually inevitable. But having your records in order helps a lot, he adds, and cloud-based services are typically easier to manage.
Large companies need to implement a software asset management system and reconcile their records at least once a year, if not more. But the best defense is to negotiate for a clean slate when signing any new licensing agreements, Scott says.
"When you draw up the new agreements, make sure you get a release of any backward-looking claims," he advises. "At the time you're writing the checks, everyone needs to be comfortable with your counts, your documentation, and any potential compliance issues."
IT monster No. 2: Keyboard Zombies
How to identify them: They move slowly and eat brains, but rarely display any.
These creatures plod along, day by day, mindlessly copying sensitive data to USB drives or attaching them to email messages, where they are promptly lost, creating a huge security and legal mess for their employers.
This type of zombie isn't malicious, says Tim Matthews, senior director of product marketing for information and identity protection at Symantec. In fact, most of them think they're being helpful by trying to get work done at home or on the road.
"The biggest issue is the well-meaning insider who doesn't understand he's not supposed to email himself sensitive files or copy them to a flash drive," says Matthews. "Or he knows he shouldn't do it but perceives it as a very small risk -- like not wearing a seat belt when going to the store to buy milk. He thinks no one will know or that they won't lose that data, but in many cases it ends up being lost."
The other kind of zombie is one that falls for phishing emails or scareware scams, unwittingly installing malware that can steal data or bring down the network.
"Both of these types of insiders make the wrong choices and go about their days in a trancelike state, oblivious to the security risks they pose to the organization," he says.
Your best defense: While you could cut off their heads, the HR paperwork would be murder. A better fix is to fill their heads with information, so at least they know the rules and the risks, says Matthews.
But because not all zombies can be educated, smart organizations should also implement a data loss prevention solution that blocks sensitive information from being attached to an email message, copied to a thumb drive, or uploaded to a cloud storage service, he says. Or the system could allow the data to travel, but only after it's been encrypted.
"Typically, once people know the DLP is in place you see the number of incidents go down, as people start paying closer attention to their own behavior," he adds.
They may be bringing their own devices to work or keeping their YouTube addiction to lunch hours, but these fiends are still feasting on your bandwidth, draining the lifeblood from your network.
The BYOD revolution in particular has caused a strain on network bandwidth, especially as more business-critical apps are delivered via the cloud, says Jim Melvin, CEO of AppNeta, a provider of cloud-based performance management and end-user experience monitoring services.
"These vampires are everywhere," he says. "Some are updating iTunes or streaming Pandora Radio, others are playing games or updating Facebook. The really scary ones are downloading media files and installing viruses. Not only are these people not doing their jobs, they're also slowing everyone else down. Then suddenly your IP phones stop working because somebody is downloading a BitTorrent."
Your best defense: Sunlight. The first step is to find out who's sucking up all the bandwidth and bring them into the light of day, says Melvin.
"These companies all have policies about what you can and can't do on their networks," he says. "The problem is they have no idea what people are actually doing, so the policies are completely unenforceable. Our solution is to bring these bandwidth vampires out into the sunlight and watch them melt."
Another option: Deploy software at the network gateway to dictate how much bandwidth each device will be allotted for YouTube, Facebook, and other nonbusiness applications, says Tim Naramore, CTO for Masergy, a provider of managed network services.
"To drive a stake through the heart of employee-owned devices you need to shift your network controls from the endpoints to the network," he says.
Like Keyboard Zombies, Ghosts in the Machine put sensitive corporate data at risk -- but these malicious insiders are doing it on purpose and often for a profit. There are also two kinds of ghosts, says Symantec's Matthews: one seeking revenge, the other looking for a payday.
"The first kind is usually a good employee who's been doing good work, only something happened at work that caused them to be disgruntled," says Matthews. "The other kind is the opportunist. He's looking to rip off a company's intellectual property to start his own company or sell it to your competitors."
With the collapse of the Soviet empire, many old-school spies are turning to corporate espionage and recruiting operatives inside U.S. companies, says Matthews.
Your best defense: Who you gonna call? If the Ghostbusters aren't available, your next best bet is to sit down with HR on a regular basis and identify people who could potentially pose threats. It could be a middle manager who's been passed over for promotion or has been shortlisted for the next round of layoffs. It could be an employee who's traveling overseas far more often than normal, whose mortgage is underwater, or has a spouse with big medical bills -- essentially, the points of vulnerability that a veteran spy wrangler would attempt to exploit.
Once potential ghosts have been identified, IT pros can use a DLP system to flag anomalous behavior -- like if someone is accessing files they shouldn't or copying higher volumes of data than they normally would -- and bring it to HR's attention, says Matthews.
"Inevitably the motivation is either revenge or greed," he says. "They got their hands on some intel, and they're going to try and sell it to someone. They often fly under the radar. But living in a networked world as we do, we end up catching a lot of these people."
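The two signals Matthews names (files a user shouldn't be touching, and copy volume above that user's norm) can be sketched as follows. This is an added example, not code from the article or from any DLP product; the event tuples, the `ALLOWED` entitlement map and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Hypothetical entitlements: path prefixes each user is expected to touch.
ALLOWED = {"alice": ("/finance/",), "bob": ("/eng/",)}

# Constructed events: (user, day, path, bytes_copied). Not real DLP output.
EVENTS = (
    [("alice", d, "/finance/q3.xlsx", mb * 2**20)
     for d, mb in enumerate([40, 55, 38, 60, 47, 52, 45], start=1)]
    + [("bob", d, "/eng/build.log", mb * 2**20)
       for d, mb in enumerate([10, 12, 9, 11, 10, 13, 12], start=1)]
    + [("alice", 8, "/finance/q3.xlsx", 50 * 2**20),   # ordinary day
       ("bob", 8, "/eng/src.tar", 900 * 2**20),        # volume spike
       ("bob", 8, "/finance/payroll.csv", 1 * 2**20)]  # outside entitlement
)

def flag_day(events, day, k=6.0, min_history=5):
    """Return sorted (user, reason) findings for `day`, judged against each user's own history."""
    daily = defaultdict(lambda: defaultdict(int))
    findings = set()
    for user, d, path, size in events:
        daily[user][d] += size
        # Users with no entitlement entry match nothing, so they are always flagged.
        if d == day and not path.startswith(ALLOWED.get(user, ())):
            findings.add((user, "path outside entitlement: " + path))
    for user, per_day in daily.items():
        history = [v for d, v in per_day.items() if d < day]
        if day not in per_day or len(history) < min_history:
            continue  # too little history to call anything "normal"
        med = median(history)
        # Median absolute deviation: one earlier outlier does not inflate the baseline.
        mad = median(abs(v - med) for v in history) or 1
        if per_day[day] > med + k * mad:
            findings.add((user, "copy volume above baseline"))
    return sorted(findings)
```

Comparing each user only with their own past keeps a heavy but legitimate user from drowning out a quiet one whose volume suddenly jumps.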
What's scarier than an ordinary hacker? A hacker with a social cause bolted onto his or her quasi-criminal activities. Whether they're graybeards or script kiddies, a determined group of hacktivists can wreak havoc with your data, your network, and your company's reputation -- at any time, for virtually any reason.
Just ask Sony, PayPal, HBGary, or any of the dozens of other corporations that have been publicly pwned by Anonymous and its offshoots. There's no telling what might set off Frankenhackers, and there's no way to persuade them to leave you alone once you're in their path of destruction.
Worse, they may have friends on the inside, says Jason Mical, director of network forensics for AccessData, a digital investigations and litigation support firm.
"They are organized," he says. "They engage in information sharing. They are capable of large-scale collaboration, because they've established clear lines of communication. And honestly, any employee at any company or government agency could be a friend of a hacktivist or even a member of a hacktivist group."
Your best defense: You'll need more than torches and pitchforks -- or antimalware and intrusion prevention systems -- to fight off Frankenhackers, says Mical.
"The truth is you can't stop them," says Mical. "Unfortunately, today's exploits are constantly evolving, so signature-based threat detection won't work. You need an integrated technology that allows you to forensically monitor your computers and network communications for suspect behavior. You want the ability to see what's happening across the network and with your traveling employees, so when cyber security practitioners see something unusual they can say, 'Something's not right here.'"
But early detection alone isn't enough, says Rob Kraus, director of the engineering research team at Solutionary, a managed security service provider. You need to respond quickly and thoroughly, then analyze the attack and your response afterward so that you'll do better next time. Having a close relationship with your ISP helps, says Kraus, because they can help isolate the attackers and get your business back online.
"Organizations are usually unprepared to defend themselves against threats, mostly because they never believe it will happen to them," he says. "But now they're starting to believe it."
If your company handles sensitive data -- virtually all organizations do, these days -- you need to encrypt it to keep it safe from the aforementioned zombies, ghosts, and Frankenhackers. That means every enterprise needs a Crypto Keeper: someone to manage the encryption keys and the policies around them. If that Crypto Keeper goes rogue, though, you're in for a real horror show.
If the Crypto Keeper withholds, corrupts, or loses the keys, the data your company runs on could become inaccessible, says Rami Shalom, vice president of data encryption and control for SafeNet, a cloud-based data protection company.
"This is a real concern for enterprises," says Shalom. "You have to make sure when you use crypto that you don't increase the risk of losing data -- not to someone else, but permanently. When your keys are eliminated, that could put you into deeper trouble than if someone else got their hands on your sensitive data."
Your best defense: Don't leave your organization's encryption keys in the boney hands of an animated corpse or trust them to a single admin who could go rogue, says Shalom. Separation of duties and giving different people responsibility for different parts of the process can protect you.
"In the early days, IT admins were like gods who could access any data they wanted at any time," he says. "Now you need to make sure you don't have a single user with that kind of power. Organizations need to find ways to have multiple copies of the same key and to replicate the key management system in more than one location. That way, even if one person decides to do damage the data can still be retrieved."
Perhaps the most insidious archfiend in the IT army of darkness is the Shape Shifter: the manager who presents a different face to everyone he meets. He's the devil who makes impossible promises to customers or executives, then expects you to deliver on them.
Not surprisingly, Shape Shifters adopt many demonic forms, says Steven A. Lowe, CEO of Innovator LLC, a consulting and custom software development firm.
"The sales goblin who confidently reveals an internal deadline to the customer, only he gives them your internal code-complete date, not the ship date," says Lowe. "The marketing ghoul who promises features that are nonsensical, impossible, or both ('Of course it runs on Windows ME'). The product manager witch who agrees to a flock of new flying-monkey functionality without changing the delivery schedule. Once you connect what they said to what it actually means, you hear that bone-chilling, breath-stealing sound that says you are destined to fail."
If by some miracle you manage to pull it off, the Shape Shifter always takes the credit. And when none of this happens -- because it was never possible in the first place -- he points the finger at you.
Your best defense: When dealing with any metamorph, avoid the temptation to point fingers back. Seek protection from a higher being, and document everything, says Lowe.
"The moment you realize you've been set up to fail, howl like a lovesick werewolf baying at the moon," he says. "Then pull yourself together, marshal your logic demons, and push back. Clearly and succinctly explain the 'inadvertent' issue you 'discovered' to someone with appropriate authority, and ask for advice. Use email, so you'll have a record of the issue."
You may still fail, he adds, and you may still shoulder the bulk of the blame. But at least you suited up and did battle -- and when you're dealing with monsters, that's most important.