BreachExchange mailing list archives
Privileged users pose a risk to your company's security
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Sep 2013 20:59:54 -0600
http://www.theguardian.com/media-network/media-network-blog/2013/sep/24/privileged-users-company-security

Tales of espionage and cyber attacks are no longer confined to the corridors of government agencies, military departments or badly written movie plots; they are now a day-to-day reality for many businesses. Whether from hackers or their own employees, every business, regardless of its sector, is at risk of a data breach of some kind. All businesses hold valuable intellectual property, private customer information or even technical resources that could cause both financial and reputational damage in the event of a leak. While the threat from within, such as an employee gone rogue, has long been a security consideration for many businesses, thanks to the Edward Snowden fallout it is an issue demanding to be revisited.
From a business perspective, while the NSA and GCHQ revelations revealed the scope and depth of a national surveillance programme, they also exposed a fundamental weakness in our business infrastructure: the risk posed by 'privileged users'.

Privileged users exist in all organisations. Although many assume that privileged users are senior executives – the managing director or head of finance, for example – privileged users are to be found elsewhere in the business, at the IT administrator level. It's fairly typical to have administrators working unmonitored across networks and systems, especially when it comes to managing a sizeable IT estate. Unfortunately, the broad access necessarily required to maintain IT environments comes with real dangers to the safety of sensitive data. At the heart of this problem is that these admins essentially hold the keys to the kingdom – with these passwords and other credentials comes unchecked access to all the data in your organisation.

Unsurprisingly, these accounts pose a serious security challenge to businesses today, not least for their attractiveness to perpetrators of the cyber attacks du jour, Advanced Persistent Threats (APTs). In recent months, security professionals have witnessed an alarming rise in APTs and other malware that seek to gain access to sensitive data by pirating privileged user log-in details so that they 'become' the insider. These attacks are both sophisticated and patient, getting inside the network and sitting there for weeks, months or even years, accessing and ultimately stealing valuable data.

We have to remember that it doesn't require a malicious or complicit insider for these attacks to succeed. The 'culprits' can range from employees circumventing cumbersome security policies to simple human error, like clicking on a spoof email (known as spear phishing) that opens a door into the organisation's network for a hacker. That being said, what's to be done?
It is often the case that the technology protecting electronic data is only as effective as the people who use it, and the bottom line is that, in many cases, those people have far too much access to data. Traditional anti-virus and firewall defences that sit only at the perimeter aren't going to protect your information from attackers who are already within the company walls. As a result, organisations should revisit their user access policies and protections.

Start by reviewing current policies around access to systems and sensitive data to understand what information both privileged and standard users have access to. To reduce the risk, insiders should be assigned access only to the information that matches their role within the organisation. Look for technological solutions that provide access controls to fit operational purposes. Match access to information by role: allow database administrators only database access, for instance. To reduce the risk further, limit access so that administrators can't actually read or edit the information in data files, but can still move them around as their job demands. That way, whether by mistake or intention, sensitive information will not leave the organisation in a legible state.

Equally, choose solutions that provide detailed access information: security intelligence about what is happening to your data. This creates an audit trail so that you can review what information was accessed, and by whom, as and when you need it. This security intelligence can then be used to recognise individual access patterns, allowing you to understand when a new access pattern might indicate an incident in progress.

Armed with controls on user access and security intelligence information, businesses can implement administrative, technical and physical controls to combat the insider risk – in whatever guise it comes.
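The two recommendations above (role-matched access that lets an administrator move data files without reading them, plus an audit trail used to spot a new access pattern) can be illustrated in a few dozen lines. The following is an added example written for this archive page, not code from the article or from any product it mentions; the roles, user names, permission pairs and audit-log format are all constructed for the example. It answers the policy question ("may this user do this to this class of resource?") and then runs a constructed audit log against a per-user baseline, flagging events that break policy, that are a new kind of action for that user, or that touch a resource the user has never touched before.

```python
from collections import defaultdict
from dataclasses import dataclass

# Role -> allowed (resource class, action) pairs. Hypothetical policy constructed
# for this example: a DBA may query and back up databases and move data files,
# but gets no "read" or "edit" on data files, so their contents stay illegible.
ROLE_PERMISSIONS = {
    "dba": {("database", "query"), ("database", "backup"), ("datafile", "move")},
    "sysadmin": {("host", "login"), ("service", "restart"), ("datafile", "move")},
    "finance": {("ledger", "read"), ("ledger", "edit")},
}

# User -> role. Constructed sample accounts; "dave" is deliberately absent.
USER_ROLES = {"alice": "dba", "bob": "sysadmin", "carol": "finance"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    resource_class: str
    resource: str
    action: str


def is_permitted(user: str, resource_class: str, action: str) -> bool:
    """Role-based check: an unknown user or an unknown role is permitted nothing."""
    role = USER_ROLES.get(user)
    return (resource_class, action) in ROLE_PERMISSIONS.get(role, set())


def parse_log(lines) -> list:
    """Parse audit lines of the constructed form 'TIMESTAMP key=value key=value ...'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AccessEvent(ts, kv["user"], kv["class"], kv["resource"], kv["action"]))
    return events


def build_baseline(events):
    """Per-user record of (class, action) pairs and resources seen in a known-good window."""
    patterns = defaultdict(set)
    resources = defaultdict(set)
    for e in events:
        patterns[e.user].add((e.resource_class, e.action))
        resources[e.user].add(e.resource)
    return patterns, resources


def detect_anomalies(baseline, events):
    """Return (event, reason) pairs for events that break policy or depart from the baseline."""
    patterns, resources = baseline
    findings = []
    for e in events:
        if not is_permitted(e.user, e.resource_class, e.action):
            findings.append((e, "outside role permissions"))
        elif (e.resource_class, e.action) not in patterns[e.user]:
            findings.append((e, "new action type for user"))
        elif e.resource not in resources[e.user]:
            findings.append((e, "first access to resource"))
    return findings


# Constructed audit trail for a known-good week (the baseline).
BASELINE_LOG = """
2013-09-16T09:02:11 user=alice class=database resource=crm-db action=query
2013-09-16T22:00:04 user=alice class=database resource=crm-db action=backup
2013-09-17T09:10:45 user=alice class=datafile resource=crm-db.bak action=move
2013-09-16T08:55:30 user=bob class=host resource=web01 action=login
2013-09-16T08:57:02 user=bob class=service resource=nginx action=restart
2013-09-16T10:14:19 user=carol class=ledger resource=q3-ledger action=read
"""

# Constructed audit trail for the day under review.
NEW_LOG = """
2013-09-24T03:41:12 user=alice class=datafile resource=q3-ledger.xlsx action=read
2013-09-24T03:42:30 user=alice class=datafile resource=q3-ledger.xlsx action=move
2013-09-24T09:05:00 user=alice class=database resource=crm-db action=query
2013-09-24T09:30:00 user=bob class=host resource=web01 action=login
2013-09-24T10:20:00 user=carol class=ledger resource=q3-ledger action=edit
2013-09-24T11:00:00 user=dave class=ledger resource=q3-ledger action=read
"""


def run_example():
    """Build the baseline from the known-good week and review the new day against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG.splitlines()))
    return detect_anomalies(baseline, parse_log(NEW_LOG.splitlines()))


if __name__ == "__main__":
    for event, reason in run_example():
        print(f"{event.ts} {event.user} {event.resource_class}/{event.resource} {event.action}: {reason}")
```

Two of the four findings are policy violations (the DBA trying to read a data file, and an account with no role at all); the other two are permitted actions that nonetheless merit a look because they are new for that user. Separating those tiers is the point of the article's "security intelligence" recommendation: the access control stops what it can, and the audit trail surfaces what the control had to allow.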
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.