Privilege comes with peril in world of cybersecurity

Security experts have been warning enterprises for some time that the greatest security threats come from within: their own employees. And that message has apparently gotten through, according to a new survey. But those results also came with a disturbing twist: malicious employees.

Security vendor Cyber-Ark's "2012 Trust, Security & Passwords Survey" finds that 71% of the 820 IT managers and C-level professionals interviewed said insider threats were their priority concern. But instead of insider threats being unintentional -- employees being careless or simply unaware of security protocols, or the Bring-Your-Own-Device (BYOD) trend -- survey respondents said a significant share of the threat comes from malicious insiders.

Insider hostility could be for any number of reasons: being passed over for a promotion, not getting an expected bonus, the threat of being fired or even industrial espionage. But it gains major potency when insider knowledge or access is combined with "privileged accounts," which can be the "keys to the kingdom."

Mark Diodati, senior analyst for identity management and information security at Burton Group, writing on SearchSecurity, notes that such accounts are necessary for platforms to function, for emergencies and for day-to-day tasks. "[But] they are notoriously difficult to secure because they don't belong to real users and are usually shared by many administrators," he wrote.

"Yet a down economy increases the risk of disgruntled workers, making it more important than ever to have a system in place to control privileged access," Diodati wrote. "[Privileged accounts can] breach personal data, complete unauthorized transactions, cause denial-of-service attacks, and hide activity by deleting audit data."

Udi Mokady, founder and CEO of Cyber-Ark, said that attackers target employees with such privileged access. "It's clear that privileged access points have emerged as the priority target of enterprise cyber-assaults," he said.

Some experts agree that breaching privileged accounts can cause major damage, but they say the threat posed by insiders -- especially malicious insiders -- is exaggerated.

Mark Baldwin, CISSP and principal researcher and consultant for InfosecStuff, said while 71% of respondents to a survey may believe the insider threat is the greatest, "evidence does not support this belief."

For example, the 2012 Verizon Data Breach Report, which uses empirical data rather than survey data, shows that only 4% of data breaches in 2011 involved insiders, Baldwin notes.

"And the percentage of breaches involving insiders has been declining for years," he said. "This is an example of people's beliefs not aligning with reality."

Kevin McAleavey, cofounder and chief architect for the KNOS Project, said he believes some employees may deliberately sabotage their employers, "but they are few."

"The vast majority of 'sensitive leaks' are from people who get 'spear-phished.' Some interloper successfully pretending to be them is a major problem," McAleavey said.

Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, contends that the malicious insider threat is more than just perception. He notes the case in 2006 of a former systems administrator at UBS, unhappy about receiving less of a bonus than he expected, who set off a logic bomb, knocking out 2,000 servers and causing the failure of backup systems, as well as deleting files. He was eventually sentenced to eight years in prison.

"[But] the question is not so much quantity as impact," whatever the raw percentage, Bosnian said. "An insider can have a major impact because they are already inside and have some domain knowledge."

On that point, there is general agreement, which means there is also agreement that enterprises could save themselves enormous amounts of risk and potential grief if they took steps to manage the risk from privileged accounts.

"Obviously, attackers want to gain access to privileged accounts. This enables them to have complete access to the system," said Mark Baldwin.

"This is why it is important to grant staff only the access they need to perform their duties, keep administrative accounts tightly controlled, closely monitor administrative account access as well as access to sensitive data, and use controls such as separation of duties to prevent any one person from having too much access that would enable them to steal data and cover their tracks," he said.

Right now that is not common, according to the results of the Cyber-Ark survey, which found that 43% admitted they did not monitor their privileged accounts or were unaware of them.

"You need to be aware of who should have rights," said Adam Bosnian. "Who really has the access as opposed to who should have access? You need to trust but verify."

That, he said, doesn't require buying a product. "I want to sell product," he said, "but all it really takes is knowing about [privileged account holders] and managing them. When you start automating that process, that's where we come in."
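Bosnian's "who really has the access as opposed to who should have access" check, written out as an added example that is not from the article or from Cyber-Ark: an approved register of privileged-group holders is reconciled against an observed directory snapshot, and every difference is reported as drift. All group and account names are constructed.

```python
"""Reconcile who *should* hold privileged access with who actually does.
Added example, not from the article or Cyber-Ark; all names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Drift:
    # group -> accounts holding the privilege without approval
    unapproved: dict = field(default_factory=dict)
    # group -> approved accounts that no longer hold it (stale register entry)
    stale: dict = field(default_factory=dict)
    # groups present in the directory that the register does not know about
    unknown_groups: set = field(default_factory=set)

    def is_clean(self) -> bool:
        return not (self.unapproved or self.stale or self.unknown_groups)


def reconcile(approved: dict, observed: dict) -> Drift:
    """Both arguments map privileged group name -> set of account names."""
    drift = Drift()
    for group, members in observed.items():
        if group not in approved:
            drift.unknown_groups.add(group)  # nobody signed off on this group
            continue
        extra = members - approved[group]
        if extra:
            drift.unapproved[group] = extra
    for group, holders in approved.items():
        gone = holders - observed.get(group, set())
        if gone:
            drift.stale[group] = gone  # register is out of date
    return drift


# Constructed register of who *should* be in each privileged group.
APPROVED = {"Domain Admins": {"alice", "bob"}, "DBA-Prod": {"carol", "frank"}}
# Constructed snapshot of who *is* in each group, e.g. a directory export.
OBSERVED = {"Domain Admins": {"alice", "bob", "svc-backup", "mallory"},
            "DBA-Prod": {"carol", "dave"}, "Backup Operators": {"erin"}}

if __name__ == "__main__":
    d = reconcile(APPROVED, OBSERVED)
    for kind, hits in (("UNAPPROVED", d.unapproved), ("STALE", d.stale)):
        for group, accts in sorted(hits.items()):
            print(f"{kind:10} {group}: {', '.join(sorted(accts))}")
    for group in sorted(d.unknown_groups):
        print(f"UNKNOWN    {group}: not in the approved register")
```

Run against a real directory export, the "unapproved" and "unknown group" findings are the accounts and groups nobody is currently aware of, which is the 43% gap the survey describes.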

Bosnian said the encouraging thing is that IT managers are becoming more aware that "building a wall" is no longer an effective security strategy. "Companies may have a hard shell," he said, but attackers still get inside, and once they are, things are pretty soft.

"There's a growing awareness that companies need a hard center as well as a hard shell," he said.

Read more about access control in CSOonline's Access Control section.

Stories by Taylor Armerding