As numerous data breach news reports reveal, attacks by people with legitimate access to an organization's computers, devices and networks represent a growing problem across the globe, and are increasingly difficult to thwart.
These insider threats frustrate employers who lack the resources to properly identify them, oversee their behaviour and protect mission-critical information technology (IT) assets from the misuse of privilege.
It is important to realize that insider threats are not all intentional.
Today, insiders include contractors, business partners, auditors and customers as well as employees, and the misuse of privilege in an organization can result in three different forms of harm.
Accidental
Accidental misuse of privileges on desktops and servers does happen, and it has a measurable impact on the organization as a whole. For example, desktop configuration errors cost companies an average of $120/PC, according to the IDC report “The Relationship between IT Labor Costs and Best Practices for IAM.”
Then of course there is the so-called fat-fingered error: instead of being restricted to performing only specific commands, technicians may unintentionally disrupt other applications. Unix/Linux environments don’t have friendly user interfaces with sequences of screens to prompt and approve each action, just a command line, and the opportunity to mis-key a command remains high.
Indirect
Indirect misuse of privileges is when one or more attack types are launched from a third-party computer that has been taken over remotely, i.e. desktop computers left wide open by running with administrator rights, which provides a doorway for malware that can assume those rights and reach the entire network.
A startling statistic revealed by Gartner is that 67% of all malware detections ever made were made in 2008. Interestingly, while administrators admit to running desktops with administrator rights for the sake of productivity, Gartner also estimates that managed desktops, i.e. users who run without admin rights, produce an average saving of $1,237 per desktop and reduce the amount of IT labor needed for technical support by 24%.
Intentional
Administrators who have full root privileges on servers, or users with administrator access to their desktops, have the ability to do whatever they want whenever they desire, despite corporate governance policies or government regulatory requirements.
A 2010 CSO Cyber Security Watch Survey published findings that demonstrate the significant risks posed from insider attacks. Cyber criminals now operate undetected within the very "walls" erected to keep hackers out. Technologies include rogue devices plugged into corporate networks, polymorphic malware, and key loggers that capture credentials and give criminals privileged authorization while evading detection.
In the 2010 Data Breach Investigations Report conducted by Verizon and the United States Secret Service, "48% of breaches occurred through the misuse of privilege and this is up 26% from the previous survey."
Don’t shut the gate after the horse has bolted.
Today it’s simply not enough, from the perspective of security, compliance or both, to set policies in place and hope people will comply with them. The truth is that when it comes to insider threats, whether accidental, indirect or intentional, businesses today can’t rely on everyone being a saint or competent all the time.
Though difficult for many to admit, humans are the weakest link because we are fallible. We are not perfectly consistent in our principles, personally or professionally. Indeed, as a 2010 Harris Interactive poll revealed, employees frequently bypass IT security policies to do their jobs.
No single user, regardless of seniority, should have unchecked and complete root access on a server or admin access on a desktop, and yet, that should not restrict business as usual.
At all times, privileged access needs to be elevated and brokered, determined by the employee’s role, function and the time frame in which the task needs to happen. At the same time, anything done at administrator level must be monitored and logged to provide the necessary audit trail and meet compliance requirements.
The key is not to stick your head in the sand, but to have the foresight to recognise how to elevate privileged access at a granular level, without either hampering productivity by locking the whole system down or leaving the door dangerously wide open so that people can do their jobs freely.
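The brokering described above, reduced to its three decision inputs (role, exact command, time window) plus an audit record for every request, as an added illustration that is not BeyondTrust's product or code. The policy, user-to-role mapping and log store are constructed for the example; exact argv matching is what stops an extra argument or a chained command from riding along with an approved one.

```python
import shlex
from datetime import datetime

# Constructed policy (hypothetical format): each role names the exact argument
# vectors it may run with elevated rights and the local-time window
# (start hour inclusive, end hour exclusive) in which elevation is permitted.
POLICY = {
    "dba": {
        "argv": [["systemctl", "restart", "postgresql"],
                 ["pg_dump", "--schema-only", "app"]],
        "hours": (8, 18),
    },
    "helpdesk": {"argv": [["passwd"]], "hours": (0, 24)},
}
ROLES = {"alice": "dba", "bob": "helpdesk"}  # constructed user-to-role mapping

AUDIT_LOG = []  # stand-in for an append-only log shipped off the host


def broker(user, command, when):
    """Decide whether `user` may run `command` elevated at `when`; log every request."""
    role = ROLES.get(user)
    rule = POLICY.get(role)
    try:
        argv = shlex.split(command)  # tokenise like a shell would, without executing
    except ValueError:
        argv = None  # unbalanced quotes etc.
    if rule is None:
        decision, reason = "deny", "no privileged role"
    elif argv is None:
        decision, reason = "deny", "malformed command"
    elif argv not in rule["argv"]:
        # Exact match only: "systemctl restart postgresql; rm -rf /" tokenises
        # to a different argv and is refused, as is any extra flag.
        decision, reason = "deny", "argv not in role allowlist"
    elif not (rule["hours"][0] <= when.hour < rule["hours"][1]):
        decision, reason = "deny", "outside permitted hours"
    else:
        decision, reason = "allow", "role, command and time window all match"
    # Every request, allowed or denied, becomes an audit record.
    AUDIT_LOG.append({"ts": when.isoformat(), "user": user, "role": role,
                      "argv": argv, "decision": decision, "reason": reason})
    return decision == "allow"


if __name__ == "__main__":
    broker("alice", "systemctl restart postgresql", datetime(2010, 6, 1, 10, 0))
    broker("alice", "systemctl restart postgresql; rm -rf /", datetime(2010, 6, 1, 10, 0))
    for entry in AUDIT_LOG:
        print(entry)
```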
ABOUT GEOFF HAGGART
Geoff Haggart leads all international aspects of BeyondTrust, including customer relations and support, business development, operations and international revenue growth. Before joining BeyondTrust, Mr. Haggart served as senior vice president of international sales at Websense, overseeing the growth of the company’s international business from $1.5 million in 1999 to $150 million annually.