BreachExchange mailing list archives

Businesses risk data breaches due to 'confusion' over privileged users


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 20 May 2014 19:00:14 -0600

http://www.computing.co.uk/ctg/news/2345362/businesses-risk-data-breaches-due-to-confusion-over-privileged-user-information-security

Organisations remain confused about the threats posed by "privileged users"
within their organisation, something that presents risks to their networks
and sensitive information.

That's according to "Privilege User Abuse & The Insider Threat", a new
report from Ponemon Institute, commissioned by defence contractor Raytheon,
which examined practices surrounding privileged users and information
security.

It found that 88 per cent of organisations believe that the potential
damage which could be caused by an insider threat - malicious or not -
represents a cause for concern.

However, as Michael Crouse, Raytheon's director of insider threat
strategies, told Computing, despite high-profile cases of data breaches
coming from IT contractors, information security should be viewed as an
enterprise-wide concern.

"There's a lot of confusion when you talk about privileged users; a lot of
people go right to Edward Snowden or Wikileaks and think they're just IT
guys," he said. "But they're not just IT guys, a privileged-user insider
threat can happen with anybody. Anybody who has access to your company's
information is a threat," Crouse continued.

"It could be in HR, legal, the car park; if they have access to information
and you haven't done a good job controlling those accesses, that's a
potential for an insider breach."

However, as Crouse points out, data might not necessarily be leaked or
stolen by a disgruntled employee; human error is more likely to lead to a
privileged user accidentally losing sensitive information.

"Some of the worst breaches out there are people who are really not trying
to be malicious but are just the dumb actors who have made mistakes but
have caused vulnerabilities in your company," he said. He described insider
threats posed by privileged users as "a people problem" because the
networks themselves won't be leaking data without human help.

"It's not about a machine. A machine isn't being manipulated by social
engineering. It's a person on the other end that's either leaking data
intentionally or unintentionally."

The report suggests that 65 per cent of privileged users will access
sensitive data, if they are able to, just because they're curious about it.

Crouse told Computing how, much like "rubberneckers" passing the scene of a
car crash, when it comes to sensitive information, you might not want to
look, but curiosity will get the better of you.

"How many times do you see an accident on the highway and you don't want to
look? You want to look forward, but how many times do you look over?
Because you're curious and you have the access so you take a look.

"It's the same thing with privileged users. They're curious and sometimes
they want to know," he said, but warned it's important to keep check of
what an employee is doing with that information once they have accessed it,
because it could be a security risk.

"What does that person do with that information once they access it? Do they
save it on a hard drive? Do they email it to their buddy? Put it in their
Gmail account?" Crouse asked, citing methods by which the data could escape
from an organisation.

As a result, the report suggests organisations should be deploying software
and systems to properly monitor what privileged users are doing with
sensitive information, an area where complacency must be avoided.

"Select a proper tool," said Crouse. "And what I mean by proper tool is
select tools that do the requirements, don't just assume that the current
information assurance tool that you've been using for the past ten years is
the one you're going to need to protect against the insiders, because
they're different.

"Sometimes you need to think out-of-the-box. There are tools out there for
insider threats and privileged user monitoring, you should investigate
those with due diligence," he added.

But despite the warnings and high-profile data breaches, Crouse concedes
there will always be those that ignore the threats posed by privileged
users, an approach he described as "playing with fire".

However, those ignoring the threats are in a minority, he added, telling
Computing that cases like Edward Snowden are forcing businesses to
seriously examine their information security strategies.

"I think they're reacting because now you've had a breach, the trend over
the next few years will be trying to be more proactive. You can always
react after a problem happens, but for many organisations that'll be too
late," he said.

"So I think you're seeing a trend of trying to be more proactive and
heading off problems at the pass," said Crouse.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
