BreachExchange mailing list archives

Privileged users pose a risk to your company's security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 20:59:54 -0600

http://www.theguardian.com/media-network/media-network-blog/2013/sep/24/privileged-users-company-security

Tales of espionage and cyber attacks are no longer confined to the
corridors of government agencies, military departments or badly written
movie plots; they are now a day-to-day reality for many businesses. Whether
from hackers or their own employees, every business, regardless of its
sector, is at risk of a data breach of some kind.

All businesses hold valuable intellectual property, private customer
information or even technical resources that could cause both financial and
reputational damage in the event of a leak. While the threat from within, such
as an employee gone rogue, has long been a security consideration for many
businesses, the Edward Snowden fallout has made it an issue demanding to be
revisited.

From a business perspective, while the NSA and GCHQ revelations revealed the
scope and depth of a national surveillance programme, they also exposed a
fundamental weakness in our business infrastructure: the risk posed by
'privileged users'.

Privileged users exist in all organisations. Although many assume that
privileged users are senior executives – the managing director or head of
finance, for example – privileged users are to be found elsewhere in the
business, at the IT administrator level. It's fairly typical to have
administrators working unmonitored across networks and systems, especially
when it comes to managing a sizeable IT estate. Unfortunately, the broad
access that is necessarily required to maintain IT environments comes with
real dangers to the safety of sensitive data.

At the heart of this problem is that these admins essentially hold the keys
to the kingdom – with these passwords and other credentials comes unchecked
access to all the data in your organisation.

Unsurprisingly, these accounts pose a serious security challenge to
businesses today and not least for their attractiveness to perpetrators of
the cyber attacks du jour, Advanced Persistent Threats (APTs). In recent
months, security professionals have witnessed an alarming rise in APTs and
other malware that seek to gain access to sensitive data by pirating
privileged user log-in details so that they 'become' the insider.

These attacks are both sophisticated and patient, getting inside the
network and sitting there for weeks, months or even years, accessing and
ultimately stealing valuable data.

We have to remember that it doesn't require a malicious or complicit
insider for these attacks to succeed. The 'culprits' can range from
employees circumventing cumbersome security policies to simple human
error, like clicking on a spoof email (known as spear phishing) that opens
a door into the organisation's network for a hacker.

That being said, what's to be done? It is often the case that the technology
that protects electronic data is only as effective as the people who use
it, and the bottom line is that, in many cases, those people have way too
much access to data. Traditional anti-virus and firewall defences that sit
only at perimeter level aren't going to protect your information from
attackers who are already within the company walls. As a result,
organisations should revisit their user access policies and protections.

Start by reviewing current policies around access to systems and sensitive
data to understand what information both privileged and standard users have
access to. To reduce the risk, insiders should be assigned access only to
information that matches their role within the organisation.

Look for technological solutions that provide access controls to fit
operational purposes. Match access to information by role. Allow database
administrators only database access, for instance. To reduce the risk, limit
access so that administrators can't actually read or edit the information in
data files, but can still move them around as their job demands.

Done this way, sensitive information will not leave the organisation in a
legible state, whether by mistake or intention.

Equally, choose solutions that provide detailed access information:
security intelligence about what is happening to your data. This creates an
audit trail so that you can review what information was accessed, and by
whom, as and when you need it. This security intelligence can then be used to
recognise individual access patterns, allowing you to understand when a new
access pattern might indicate an incident in progress. Armed with controls
on user access and security intelligence information, businesses can
implement administrative, technical, and physical controls to combat the
insider risk – in whatever guise it comes.
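As an added illustration of the two controls the article recommends (role-matched access, and an audit trail baselined per user so that a new access pattern stands out), the following Python is example code written for this archive page, not from the article or any product it mentions. The role policy, user names, paths and log lines are all constructed for the example.

```python
from collections import defaultdict
# Assumed (hypothetical) role policy: sysadmins may move or copy files but
# never read them, matching the "move but not read or edit" suggestion above.
ROLE_POLICY = {
    "dba": {"database": {"query", "backup"}},
    "sysadmin": {"file": {"move", "copy"}},
}
# Constructed audit lines: "<timestamp> <user> <role> <action> <class> <resource>"
BASELINE_LOG = """\
2013-09-20T09:01:00 alice dba query database hr_db
2013-09-20T09:05:00 alice dba backup database hr_db
2013-09-20T10:00:00 bob sysadmin move file /srv/payroll/q3.enc
2013-09-21T10:30:00 bob sysadmin copy file /srv/payroll/q3.enc
"""
NEW_LOG = """\
2013-09-24T02:13:00 bob sysadmin read file /srv/payroll/q3.enc
2013-09-24T09:10:00 alice dba query database hr_db
2013-09-24T09:12:00 alice dba query database crm_db
"""

def parse(log):
    """One dict per line; a malformed line raises ValueError rather than being skipped."""
    events = []
    for line in log.splitlines():
        ts, user, role, action, rclass, resource = line.split()
        events.append({"ts": ts, "user": user, "role": role, "action": action,
                       "rclass": rclass, "resource": resource})
    return events

def policy_violations(events):
    """(user, action, resource) for every event the user's role does not permit."""
    out = []
    for e in events:
        allowed = ROLE_POLICY.get(e["role"], {}).get(e["rclass"], set())
        if e["action"] not in allowed:
            out.append((e["user"], e["action"], e["resource"]))
    return out

def build_baseline(events):
    """Per-user set of (action, resource) pairs seen during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add((e["action"], e["resource"]))
    return seen

def new_patterns(baseline, events):
    """Events that match nothing the same user did during the baseline window."""
    return [(e["user"], e["action"], e["resource"]) for e in events
            if (e["action"], e["resource"]) not in baseline.get(e["user"], set())]
```

Run against the constructed logs, the policy check flags bob's file read (a sysadmin may only move or copy), while the baseline comparison additionally surfaces alice's first-ever query of crm_db, which breaks no rule but is a new pattern worth a look.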
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss