Blog LBMC

Print Divider Print Divider Branding
 

Mitigating Privileged User Insider Threats

11/18/2015

Share

Social Logo Social Logo Social Logo Social Logo

They’re necessary to your organization but they can be a threat too. They’re your privileged users.

What is a Privileged User?

Before an organization can address privileged user insider threats and implement the right monitoring and mitigation best practices, it must first define the privileged user. Typically, it’s an employee with the authority to access sensitive company data. Often they have the approval to execute administrative tasks on the organization’s network. Companies need privileged users to handle source code, maintain file systems and implement network upgrades or address other technical changes.

Most privileged users will maintain the integrity of their organization’s assets. However, the ease with which they can circumvent normally restricted controls makes the assets vulnerable. Additionally, there’s occasional abuse of temporary access privileges necessary to perform tasks. There are two methods to determine privileged user access:

  1. Consider what the user can access physically
  2. Consider what the user can access digitally with their credentials

With greater access and fewer controls come increased security challenges. When an organization lacks a good security program or doesn’t consistently enforce it, it leaves intellectual property – such as sensitive product data or employee information ­– vulnerable to privileged user threats.

In fact, the Association of Certified Fraud Examiners (ACFE) noted that the average organization loses 5% of its revenues due to fraud by its own employees each year. Typically, it’s committed by those in an organization’s IT department, since they have greater technical knowledge that other employees lack. However, it’s important to remember that the offender might not always be the privileged user. It could be someone outside the organization that was able to obtain an IT employee’s credentials via phishing.

What is a Privileged User Threat?

The Ponemon Institute’s report, “Privilege User Abuse & the Insider Threat,” found that most organizations have trouble identifying a credible threat associated with an insider’s actions. Among them, 69% revealed that they’d be unable to identify such a threat prior to a breach. Moreover, the report found that 42% of those surveyed weren’t confident that they could discern whether their privileged users were policy-compliant – just 16% felt very confident in those areas.

Privileged user threat red flags can be subtle. Others are more obvious. Here are some examples:

  • Attempting to access one area that isn’t approved for entry.
  • Using credentials in a way they are not normally used (e.g. network logons).
  • Taking advantage of permission creep, which usually occur among transferred and former employees.

So how can an organization protect itself? Determine the context and intent of the privileged user – by monitoring human behavior. Monitoring can be achieved through a defense-in-depth approach by implementing the right policies, controls and technologies. If security monitoring is in place and enforced consistently, the enterprise will know quickly if there is an incident that requires action.

Implementing Best Practices to Mitigate Risk

Once you’ve defined your privileged users and identified potential threat signatures for your environment, you should implement controls, policies and technologies that mitigate your risk. Consider the following:

  1. Limit privileged user accounts within the company to only those who require it for their positions – including shared privileged user accounts and local administrator rights. This step requires regular monitoring to track the nature of the authentication attempts.
  2. Get key players onboard with approving all access. Ideally, approval should come from someone within the employee’s chain of command where access is being requested (e.g. a direct supervisor). Formally document the request for access in the ticketing system. A request submission for access along with a business justification for the access should be a requirement.
  3. Give employees a clear blueprint that guides them through the security process, so there is no room for misinterpretation or abuse. Processes should include: a) communicating and enforcing strict account management and password policies; and b) ensuring that they logout of the privileged user account properly after each task and only access the areas pertinent to their jobs. Surprisingly, the Ponemon report also discovered that 65% of those surveyed had delved into sensitive or confidential data out of curiosity rather than job necessity. Additionally, all personnel – whether they are a privileged user or not – should be trained and regularly reminded to avoid forwarding sensitive data to their personal emails.
  4. Invest in the right technologies to protect your organization and take a multi-layered approach. A single technology won’t protect your organization fully. Consider implementing some of the following: Privileged account management (PAM) – which enables the enterprise to control privileged shared accounts usage such as root/Administrator accounts. PAM permits granular, context-driven or time-limited super user privileges. It also monitors shared account use and super user privileges in greater detail. Security Information and Event Management (SIEM) systems can notify an organization of unauthorized data access if configured and monitored correctly. It can baseline behaviors and note deviations (i.e. accessing one area that the privileged user hasn’t accessed in the past). Bear in mind, that SIEM won’t prevent an actual breach though. Data Governance solutions have the capability to determine a user’s current access and make intelligent recommendations on what the user’s actual access should look like if least privilege were enforced. Data Governance solutions can also analyze file system permissions and make additional intelligent recommendations on removing access from file resources if resources are not being accessed by the users and groups currently defined for having access.
  5. Enlist human resources to support your efforts. Steps can be taken to enhance privileged user access security. They include non-disclosure agreements, non-compete agreements and background checks. The aforementioned report found that 57% of those surveyed said that background checks weren’t present prior to issuing privileged account credentials. Proactively conducting these checks could easily reduce the threat scope and serve a dual purpose in complying with Payment Card Industry – Data Security Standards (PCI-DSS), Federal Information Security Management Act (FISMA) and Sarbanes Oxley (SOX) regulations. Taken a step further, a more thorough interview process with job candidates (i.e.-actually calling references, asking more specific questions, etc.) could further reduce potential threats.
  6. Act on privileged user insider incidents immediately.  When one is identified, an incident tracking ticket should be opened with the relevant information (applicable logs, for instance). It should be assigned to the help desk or the security team to investigate further. One might even find that someone other than the privileged user accessed his or her login credentials via hacking techniques.

Although most organizations have policies and procedures in place, many don’t follow through on them regularly. At a minimum, there should be a yearly review of privileged user access. The review can determine if access is granted for users that don’t need it as well as whether it should be revoked due to abuse or changing job roles.

Undervaluing Technology & Process ROI

Several technologies and processes that can reduce privileged insider threats have been highlighted above. However, many organizations don’t assign a value to such technologies and processes. Unfortunately, less than half have budgets dedicated to technologies that could reduce such threats. Frequently, management doesn’t even see the value in making sure permissions are tight – and the current security architecture might not be set up to address these security measures.

Moreover, some organizations with an Internet presence opt to have cyber insurance in case they get compromised. However, the insurance companies rarely hold these organizations accountable in implementing technologies and processes to prevent them from public harm/other breaches. Many simply don’t view it as important enough to enforce or implement.

It drives home the point that complacency leads to problems. Although technology can’t solve all problems or mitigate all threats, it can go a long way to reducing many of them, particularly if the technology is implemented thoughtfully and monitored consistently.

Conclusion

As a starting point, conducting a risk assessment is strongly encouraged for all organizations. The risk assessment will help to ascertain privileged user insider threats, as well as give a clearer picture of what controls are missing or policies need to be refined. 

Once it’s complete, you’ll be better equipped to create a security plan that covers all areas (people, processes and technology). Plan accordingly and enlist the support of management. Then implement the appropriate technologies and processes if it will reduce risk to an acceptable level for the organization.

We’d all like to think that our employees would never compromise our organization’s security, but it does happen. And even if your privileged users access the network with integrity, there are others out there just waiting and hoping that your privileged users will slip up, so that they can slip in.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity. Learn more about how our team at LBMC Information Security can help your team armor up with a wide range of network defense servicesContact us today!