Weak monitoring lets hackers run riot

Computer forensics expert says IT administrators must do better

Lisa Kelly

Too many IT administrators are taking their eye off the ball and allowing easy back-door entry into company systems, a leading computer forensics expert has claimed.

In an interview with vnunet.com, Bryan Sartin, technology director at security service provider Ubizen, said that breaches are often the result of poor monitoring.


Ubizen works with police authorities, banks and businesses to investigate attacks on networks.

The company uses computer forensics to discover and analyse potential evidence of the activities leading up to an information security breach.

"With many security breaches which we investigate, the problem arises because administrators were not watching the web logs," said Sartin.

"Sometimes it is a case of the IT administrator not doing his job properly. Other times it is because he must wear many hats, from office manager to web developer.

"There is pressure of time and having to bear the burden of lots of responsibilities which can lead to security breaches."

Reported security incidents, which can involve thousands of sites, have soared in recent years from around 20,000 in 2000 to over 80,000 in 2003, according to the Center of Internet Security Expertise.

Sartin explained that poor monitoring meant that some vulnerabilities identified by Ubizen "have been around for a year" with administrators failing to spot and patch the weaknesses.

He added that the vast majority of security breaches target web server vulnerabilities "regardless of the operating system".

Sartin said that investigations frequently uncover the same exploits. Two of these are web-based back-doors - root.exe and cmd.asp - which give an attacker access to a system through a web browser and the power to send unauthorised commands.
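Watching the web logs for the two back-door names mentioned above can be automated. The following is an added example, not code from the article or from Ubizen; it assumes access logs in Common Log Format, and the function name `find_backdoor_hits` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Back-door file names named in the article; extend with names from your own cases.
BACKDOOR_NAMES = {"root.exe", "cmd.asp"}

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_backdoor_hits(lines):
    """Return one dict per request whose path ends in a known back-door name."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed log format
        # Drop the query string, decode %-escapes and fold case so that
        # /scripts/%72oot.exe and /admin/CMD.ASP are still recognised.
        path = unquote(urlsplit(m["target"]).path).replace("\\", "/").lower()
        if path.rsplit("/", 1)[-1] not in BACKDOOR_NAMES:
            continue
        status = int(m["status"])
        hits.append({
            "host": m["host"], "time": m["time"], "path": path, "status": status,
            # 2xx means the server served the file, so it exists on the machine;
            # anything else is a probe for a file that was not served.
            "severity": "present" if 200 <= status < 300 else "probe",
        })
    return hits

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2004:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [09/Mar/2004:10:02:11 +0000] "GET /scripts/root.exe HTTP/1.0" 404 321',
    '198.51.100.7 - - [09/Mar/2004:10:02:15 +0000] "GET /scripts/%72oot.exe?id=1 HTTP/1.0" 200 512',
    '203.0.113.5 - - [09/Mar/2004:11:30:00 +0000] "POST /admin/CMD.ASP HTTP/1.1" 200 2048',
    '192.0.2.10 - - [09/Mar/2004:11:31:00 +0000] "GET /docs/cmd.asp.txt HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["host"], hit["time"], hit["path"], hit["status"])
```

A "present" result is the one to escalate: the server answered with the file, which means it is on disk and reachable from a browser.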

Among tools, a common find is iroffer.exe, an operating system tool that has its own website and a perfectly legitimate purpose for in-house security.

But iroffer.exe is often used by hackers who install it on a breached machine where it acts like a public chat server. Information can then be swapped with other hackers.

"With the evolution of computer forensics, hackers are becoming more sophisticated at covering their tracks," said Sartin.

"They will use tools like iroffer.exe to put MP3s on a machine as a diversionary tactic. The administrator is fooled into thinking that the only security problem is unauthorised music files and misses important deleted files."

Unfortunately, by the time Sartin has been called in, the damage has been done.

"It is a reactive response to security problems," he said. "The fact that we are on site is never a positive thing."
