Privilege abuse is the unseen threat, writes Matt Middleton-Leal, GM, EMEA of Netwrix Corporation, an IT risk assessment product company.
Most organisations admit to having limited awareness of user privilege abuse on their network. Poor oversight of user privileges allows insiders, deliberately or unwittingly, to expose an organization's network, systems and data to risk. Today, discovering such incidents can take months or even years. Regulators and industry standards bodies understandably regard this as unacceptable and are busy ushering in fresh rules that will force firms to tighten up their procedures. Penalties for unsafe data practices, or for failing to report breaches promptly, will range from tougher fines to being publicly named and shamed. In such a climate of heightened data vigilance, any knowledge gaps could prove very costly indeed.
Privilege abuse has a common root cause: IT admins grant users more access rights than their everyday duties require. In our own 2017 IT Risks Survey of more than 700 IT pros, only 36 per cent of respondents claimed to have complete visibility into the activity of regular employees, and a large proportion (66pc) said the biggest threat to security comes from within. Of course, no one is suggesting IT admins purposely hand out too many privileges. In fact, security responsibilities are taken very seriously indeed. Yet there are certain situations where oversights can occur, making it possible for users to overstep permission boundaries.
Among the top five are:
1. Delayed provisioning updates – When employees change roles in the organization following an internal transfer or promotion, their access privileges need to be updated, and rights tied to the old role revoked. Any delay leaves data exposed. In reality, IT project deadlines or resource shortages intervene and privilege updates are pushed back.
2. Access privileges granted by mistake – Users are sometimes granted access rights in error. The risk is twofold: the user may exercise those rights, accidentally or maliciously, and an attacker or malware that compromises the over-privileged account inherits them too. If that account can reach, say, an SQL database holding customer billing information, the result can be downtime or worse.
3. Former employees find their old log-ons still work – Ex-employees and temporary workers may be tempted to find out if their old logons are still working. Sometimes they do and this can tempt them to siphon off data or make changes that leave their old employer exposed. This is a huge problem for all types of organizations, most especially for educational institutions. The combination of stretched IT resources and high turnover of staff/students makes keeping pace with privilege updates very difficult.
4. Contractors slip up – It is not unusual for organizations such as financial institutions to give access to partners and other third parties. Sometimes they have access to large volumes of confidential records. A mistake by just one of these contractors can expose data just like any other insider.
5. Finger of blame always points at IT – When a data breach occurs, it is the IT professional who is held responsible. Even if the breach was not really caused by IT assigning too many privileges, the burden of proof falls on the IT team to show it was in the clear.
Unfortunately, protecting against privilege abuse will always be an uphill battle. User accounts with elevated privileges will always make a tempting target for criminals. Even the most trusted of insiders could intentionally or mistakenly overstep the mark. This could be all it takes to open up a security threat.
There are, however, a number of things IT admins can do to reduce the chance of privilege abuse and, at the same time, make any resulting exposure easier to detect:
1. Continuously review assigned privileges – Privilege provisioning should never be a one-off task. Instead access rights need to be regularly reviewed and updated as quickly as possible whenever user roles change. This includes removing any excessive permissions in line with the principle of least-privilege. Regular housekeeping of user permissions and group membership changes can significantly reduce the risk of data overexposure and privilege abuse.
2. Use tools that give visibility into your IT environment – The key to responding quickly to cyber threats, both internal and external, lies in being able to see all critical changes and user activities across every level of the IT environment. Actions indicative of privilege abuse, such as an unauthorized modification of a security group or a suspiciously high number of failed attempts to access a critical database, should stand out. Unusual actions should be recorded automatically so the IT team can analyse what users are doing and respond quickly to any policy violation before sensitive data is affected.
3. Enable user behaviour analysis – Tools that collect data across the entire IT environment and present it clearly are vital for quickly spotting incidents that require attention. It is also important that these tools give deep insight into what users are actually doing, so the team can judge whether an action poses a real threat to sensitive data. User behaviour analysis allows IT admins to distinguish normal behaviour from aberrant activity and to detect security violations that would otherwise go unnoticed.
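The three measures above can be reduced to two concrete checks: a periodic review that compares each account's group memberships against what its role should hold (and catches leavers whose accounts are still enabled), and a detection pass over audit logs that flags privileged-group changes by unapproved actors and bursts of failed access to a critical database. The script below is an added example, not Netwrix's code or any product's logic. The role baseline, the directory export, the approved-admin list and the log lines are all constructed; the log format is a simplified key=value layout loosely modelled on Windows event 4728 (member added to a security-enabled global group) and SQL Server error 18456 (login failed), not the real event schema.

```python
"""Privilege review and privilege-abuse detection over constructed data.

Added example; not Netwrix code. Every role, account, group and log line
below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the groups each role is entitled to (assumption).
ROLE_BASELINE = {
    "helpdesk": {"Domain-Users", "Helpdesk"},
    "dba": {"Domain-Users", "SQL-Admins"},
    "finance": {"Domain-Users", "Finance-Share-RW"},
}

# Constructed directory export. alice kept Domain-Admins after a transfer;
# carol left on 2017-05-01 but her account is still enabled.
USERS = [
    {"sam": "alice", "role": "helpdesk", "enabled": True, "left": None,
     "groups": {"Domain-Users", "Helpdesk", "Domain-Admins"}},
    {"sam": "bob", "role": "dba", "enabled": True, "left": None,
     "groups": {"Domain-Users", "SQL-Admins"}},
    {"sam": "carol", "role": "finance", "enabled": True, "left": "2017-05-01",
     "groups": {"Domain-Users", "Finance-Share-RW"}},
]
TODAY = datetime(2017, 6, 1)  # constructed review date

# Constructed detection policy (assumptions).
APPROVED_GROUP_ADMINS = {"bob"}          # may modify privileged groups
PRIVILEGED_GROUPS = {"Domain-Admins", "SQL-Admins"}
FAILED_THRESHOLD = 5                     # failed DB logins per user/db ...
WINDOW = timedelta(minutes=10)           # ... within this sliding window

# Constructed audit lines: "<iso timestamp> key=value ...". Event ids are
# modelled on Windows 4728 and SQL Server 18456 but the layout is not real.
LOG_LINES = [
    "2017-06-01T09:00:01 event=4728 actor=alice group=Domain-Admins target=dave",
    "2017-06-01T09:01:00 event=4728 actor=bob group=SQL-Admins target=frank",
    "2017-06-01T09:05:00 event=18456 user=eve db=Billing",
    "2017-06-01T09:06:00 event=18456 user=eve db=Billing",
    "2017-06-01T09:07:00 event=18456 user=eve db=Billing",
    "2017-06-01T09:08:00 event=18456 user=eve db=Billing",
    "2017-06-01T09:09:00 event=18456 user=eve db=Billing",
    "2017-06-01T09:30:00 event=18456 user=bob db=Billing",
]


def review_privileges(users, baseline, today):
    """Periodic least-privilege review.

    Returns (account, finding, detail) tuples for group memberships beyond the
    role baseline and for leavers whose accounts are still enabled.
    """
    findings = []
    for u in users:
        excess = u["groups"] - baseline.get(u["role"], set())
        if excess:
            findings.append((u["sam"], "excess_groups", sorted(excess)))
        if u["enabled"] and u["left"] is not None:
            if datetime.strptime(u["left"], "%Y-%m-%d") <= today:
                findings.append((u["sam"], "leaver_still_enabled", u["left"]))
    return findings


def parse_line(line):
    """Split one constructed audit line into a dict with a datetime 'ts'."""
    ts, *kv = line.split()
    fields = dict(tok.split("=", 1) for tok in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_abuse(lines, approved_admins, privileged_groups, threshold, window):
    """Flag unauthorized privileged-group changes and failed-access bursts."""
    alerts = []
    failures = defaultdict(list)  # (user, db) -> timestamps inside the window
    for ev in map(parse_line, lines):
        if ev["event"] == "4728":
            if ev["group"] in privileged_groups and ev["actor"] not in approved_admins:
                alerts.append(("unauthorized_group_change", ev["actor"],
                               ev["group"], ev["target"]))
        elif ev["event"] == "18456":
            times = failures[(ev["user"], ev["db"])]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > window:  # expire old failures
                times.pop(0)
            if len(times) == threshold:  # fire once as the threshold is crossed
                alerts.append(("failed_access_burst", ev["user"], ev["db"], threshold))
    return alerts


if __name__ == "__main__":
    for f in review_privileges(USERS, ROLE_BASELINE, TODAY):
        print("REVIEW", f)
    for a in detect_abuse(LOG_LINES, APPROVED_GROUP_ADMINS, PRIVILEGED_GROUPS,
                          FAILED_THRESHOLD, WINDOW):
        print("ALERT", a)
```

On real data the directory export would come from the identity store and the baseline from the HR role catalogue; the point of keeping the baseline as data rather than code is that a role change becomes a diff against it, which is exactly what the first mitigation asks for. The burst detector deliberately alerts once per crossing rather than on every failure, so a single noisy account does not flood the team that has to triage it.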
Most organisations have little insight into what privileged users are up to within their IT environment. If the changes privileged users make are allowed to go unchecked, an organization's defences can be seriously compromised. With regulatory penalties for unsafe data practices getting stiffer, privilege abuse is becoming a really big deal. Effective measures to counter such insider threats start with continuous monitoring of user activity, using tools that help quickly identify and respond to exposures caused by unwanted manipulation of data.