When Insider Threats Come From Your Privileged User
A recent Balabit survey of over 200 IT executives and security professionals found that more than a third of IT professionals see themselves as the biggest internal security risk to networks within their organisation. And, within the privileged user network, 42% of IT professionals listed sysadmins as the biggest threat. How can privileged users negatively impact security, and what can organizations do to lessen the threat?
Privileged users typically have the ‘keys to the kingdom’ that can unlock corporate secrets and sensitive corporate data. Verizon’s 2017 Data Breach Investigations Report found that the confirmed number of data breaches caused by privilege misuse actually increased from 172 in 2015 to 277 in 2016.
Privilege misuse can take two forms: 1) a cyber criminal obtaining the credentials of a privileged user and doing harm or 2) a privileged user causing harm due to negligence or malicious intent. Let’s take a look at some threat examples and a few ways to mitigate potential danger from a privileged user.
The Negligent Privileged User
There are several ways in which a negligent privileged user can introduce security vulnerabilities:
- Insecure cloud storage. Recent incidents involving Accenture and the NSA have thrown a spotlight on negligent attitudes toward security in the cloud. Improper setup of cloud repositories that leave data open to a breach, or storing sensitive login data on a third-party repository such as GitHub, are two examples of negligence.
- Lax attitude regarding passwords. Sharing logins and passwords within the IT team is another example of negligent behavior. Administrative identities are particularly powerful because they grant access to so many systems. In an effort to ensure speed and responsiveness, IT teams may fall prey to this bad practice. In addition, a failure to change standard default passwords on admin accounts can leave the door open to outside attack.
How might a malicious privileged user do damage within an organization?
- Using compromised admin passwords. A malicious privileged insider – either on the job or after leaving the organization – can take advantage of shared admin passwords. And, obviously, the very nature of the shared password makes it difficult to hold the proper person responsible. A malicious insider can change the password, locking out all other administrators from the affected system, or can use his privileges to install damaging software.
- Being targeted and turning professional. Privileged users are targets of outside influence because they have access to the data most in demand by cyber criminals. Whether a privileged user is blackmailed into stealing data, or is swayed into becoming a professional insider, the results can be equally damaging.
Guarding Against Privileged User Misuse
There are several best practices to help guard against privileged user misuse:
- Consider the difference between protecting data and viewing data. A Ponemon study found that approximately 70% of surveyed IT operations and security managers think it is “very likely” or “likely” that privileged users believe they are empowered to access all the information they can view. Nearly 70% also believe that privileged users access sensitive or confidential data simply out of curiosity. Privileged users on your IT team are charged with protecting sensitive data; this doesn’t necessarily mean they need to see this data. Consider how you might restrict the ability to see data to allow only those users who need it in order to do their jobs.
- Audit privileged user access regularly. Employ a least privilege policy, and periodically review your list of privileged users to ensure the right people have the right access.
- Be smart about passwords. This means disallowing shared passwords, employing strong passwords, and changing default passwords. You should also consider secondary authentication for privileged accounts. Additional authentication measures work as a safety net in case a password has been compromised and also allow you to confirm the identity of the person trying to get access to the sensitive information.
- Monitor privileged users. Use monitoring software to detect and alert on suspicious behavior. Such software can help you catch the creation of back-door accounts, attempts to gain additional privileges or edit configuration files, and attempts to access sensitive personal information.
- Review and revoke access. A job role change should initiate a review of access credentials. Similarly, if a privileged user leaves the organization, access rights should be revoked.
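To make the "Monitor privileged users" item above concrete, here is an added example (not from the original article or from any monitoring product) that scans Linux auth-log lines for new accounts, grants of admin group membership, and sudo commands that touch configuration or personal-data paths. The log lines are constructed samples; the group names, sensitive paths and the assumption that the host logs in the stock `useradd`/`usermod`/`sudo` syslog formats are illustrative.

```python
import re

# Constructed sample lines in the usual Linux auth.log layout (not from a real host).
SAMPLE_LOG = """\
Mar  3 02:14:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 02:15:41 db01 useradd[4121]: new user: name=svc_backup2, UID=1007, GID=1007, home=/home/svc_backup2, shell=/bin/bash, from=/dev/pts/0
Mar  3 02:15:58 db01 usermod[4130]: add 'svc_backup2' to group 'sudo'
Mar  3 02:17:20 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  3 09:02:11 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /srv/hr/payroll.csv
"""

PRIV_GROUPS = {"sudo", "wheel", "adm", "root"}  # assumption: groups that grant admin rights
SENSITIVE_PATHS = ("/etc/", "/srv/hr/")         # assumption: config and personal-data locations

RULES = [
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=(?P<target>[^,]+),")),
    ("group_added", re.compile(r"usermod\[\d+\]: add '(?P<target>[^']+)' to group '(?P<group>[^']+)'")),
    ("sudo_command", re.compile(r"sudo:\s+(?P<actor>\S+) : .*COMMAND=(?P<cmd>.+)$")),
]

def scan(log_text):
    """Return one alert dict per line that matches a monitored behaviour."""
    alerts = []
    for line in log_text.splitlines():
        for kind, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            f = m.groupdict()
            if kind == "account_created":
                alerts.append({"rule": "new-account", "subject": f["target"], "line": line})
            elif kind == "group_added" and f["group"] in PRIV_GROUPS:
                alerts.append({"rule": "privilege-grant", "subject": f["target"], "line": line})
            elif kind == "sudo_command":
                # Skip the binary itself; look only at the arguments it was given.
                touched = [a for a in f["cmd"].split()[1:] if a.startswith(SENSITIVE_PATHS)]
                if touched:
                    alerts.append({"rule": "sensitive-path", "subject": f["actor"], "line": line})
            break
    return alerts

def backdoor_candidates(alerts):
    """Accounts that were both created and given admin group membership in this log."""
    created = {a["subject"] for a in alerts if a["rule"] == "new-account"}
    granted = {a["subject"] for a in alerts if a["rule"] == "privilege-grant"}
    return sorted(created & granted)

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["rule"], alert["subject"])
    print("review:", backdoor_candidates(scan(SAMPLE_LOG)))
```

A single new-account alert is routine; the account that is created and then added to an admin group in the same window is the one worth checking against a change ticket.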