Privileged users and the ‘Insider Threat’, by Sol Cates, CSO at Vormetric, pictured.
While the global community remains polarised around the activities of Edward Snowden, praising or demonising his actions misses the central issue. The uncomfortable reality we must all face up to is that, for better or for worse, a contracted system administrator had the ability to see all data in a company’s operating environment and privileged insiders like Snowden exist in every organisation.
Although many may assume that a privileged user would be a senior executive, like the managing director or head of finance, a privileged user is typically an IT or database administrator with access across computer networks. Of course the senior staff do see sensitive data on a regular basis, but IT maintenance workers often have even greater access to company data stores which, crucially, they do not need to be able to read or view in order to do their job. Moreover, if their access rights are left unchecked, they pose a serious security risk. It is important to remember that it by no means requires an insider with ill intent for a breach to occur. In recent months, security professionals have witnessed an alarming rise in Advanced Persistent Threats (APTs) that seek to gain access to sensitive data by “becoming” the insider.
Perpetrators of APT hacks look to steal data or compromise networks by pirating the credentials of privileged insiders, and do so by carrying out particularly insidious spear phishing schemes. Most IT professionals have discounted the risks of phishing, assuming that their users – especially those with access to important data – have enough awareness not to fall for cheap fakes of company emails and websites. However, well-financed and highly motivated attackers now use advanced reconnaissance techniques to target specific individuals. For example, cyber criminals may gain information from company websites or social media to tailor the attacks with personalised information designed to elicit trust from the intended victim, or create slick emails and bogus websites that effectively masquerade as the genuine article. According to the recent Mandiant report*, 100 percent of APT data breaches involved stolen credentials.
While the threat from within is not a new concept, it is one that urgently needs to be revisited. With insider-related fraud up 43 per cent in 2012 and 76 per cent of unauthorised data access going undetected**, traditional perimeter layer defences like data loss prevention systems, anti-virus, Internet monitoring tools and other traditional controls alone are clearly not able to protect information properly.
The only way to effectively thwart the insider threat in all its guises is by firewalling your data – this involves encrypting data, setting up rules that determine who can see the data and for what purpose, as well as gathering security intelligence on what is happening to data. Gathering security intelligence yields information in two key areas. First, it will reveal unauthorised attempts that didn’t succeed, indicating that a malicious insider or compromised account is attempting to hijack data. Secondly, it will help IT managers spot changes in the access patterns of authorised users, unusual access patterns may indicate the same – that these authorised users may be compromised or trying to steal information.
Taking a more data-centric approach to security and introducing encryption in such a way that any files that don’t need to be read can’t be, those privileged users within the organisation can still do their jobs – ranging from maintaining systems to performing backups and installing applications – without actually having the ability to read the data within the files they oversee. This means that even if they decide to steal files, or are compromised by an attacker, there is no risk to company data.
* https://www.mandiant.com/threat-landscape/
** http://enterprise-encryption.vormetric.com/analyst-report-esg-insider-threat.html
