By Sol Cates, CSO at Vormetric
Thanks in no small part to the activities of Edward Snowden, the ‘insider threat’ has become a much greater cause of concern. From a business perspective, this incident demonstrates something that could happen to any business or organisation in any sector. Someone from within has taken it upon themselves to leak information that the organisation concerned – for whatever reason – intended to keep private.
Snowden was not unusual in that he was an IT contractor – IT is an aspect of operations that most businesses will, at some time or another, hire in specialists for short periods of time. Where this introduces problems, though, is that this type of employee will need to have access to computer systems. If this access is not handled carefully, there will always be the potential for data to be breached.
IT contractors are often technically referred to as ‘privileged users’. Along with full time IT staff, they will often have powerful, privileged, computer system access rights. Now, it is fair to say that these users do indeed require a high level of access to enable them to conduct the tasks that they need to perform – such as software installation, configuring systems, creating new user accounts et cetera. However, there is a significant security issue that arises when these users also have access to the data, specifically having the ability to actually read documents and other files, copy or change them.
The risk posed is twofold. Firstly, a privileged user could, by accident or intentionally, abuse the privileges bestowed upon them, leaking or damaging data; Snowden would fit in this category. Additionally, privileged users also provide an alluring way in for hackers. For example in the financial sector, more than 3.3 million unencrypted bank accounts and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue in 2012. The attack started when a state employee responded to a phishing email that enabled the hackers behind the attack to hijack the employee’s computer account to access the state’s databases and steal sensitive data. Indeed it was also recently reported* that the Bank of England has warned that legacy infrastructure and the ‘interconnectedness’ of operating networks within the financial sector hampers the ability of organisations to adequately protect systems and data from cyber-attacks.
The challenge in mitigating the risks posed by privileged users is that the tasks they perform to maintain and repair computer systems are absolutely essential to the successful operation of the business. There is no option to simply revoke their access as there would be nobody to sufficiently fix computer issues. Being too heavy handed with these users is also likely to interfere with their fundamental ability to do their job.
What’s needed are solutions that enable these users to perform their work tasks, while effectively removing their ability to access private data. On top of that, it’s very important to be able to match access to information by an employee’s role. Access for IT personnel with privileged user accounts must be limited so that they can’t actually read or edit the information in data files, but can still move files around as their job demands. In taking this approach a point is arrived at where, whether by mistake or intention, sensitive information will not leave the organisation in a legible state, therefore removing risk.
Traditional IT security simply can’t effectively defend against this type of threat as, to all intents and purposes, the malicious activity will appear to be legitimate. To practically defend computer systems, a way must be found to make accounts less attractive to hackers and harder to abuse by employees in the first place.
This is done by initially defining an organisation’s current level of exposure. Are computer system rights too broadly assigned to begin with? ‘Superuser’ privileges are often assigned to users that don’t have a real need for a high level of access to read confidential data. Privileged accounts are often also shared between multiple users, which leads to a loss of accountability. Equally, with the advent of cloud, virtualisation and big data technology adoption, many new user accounts are created across organisations creating new opportunities for levels of access to be inappropriately set.
Once the level of exposure has been defined, isolating specific accounts that present a risk of abuse or a target for attack, encryption can be introduced in such a way that any files that don’t need to be read can’t be. That way, even if an account with a high level of access is taken over, it cannot practically be used for any gain. This is looking at the problem from a very simple level, however, and considerations must be made regarding all the possible ways in which systems can be bypassed. For example, if an administrator is able to create new accounts, what’s to stop them creating one with extensive data access rights with the intention of switching to that account themselves?
Of course, it not strictly privileged users that pose a threat but indeed all users that have access to sensitive information. For example an accountant with access to company financial records or a HR administrator with access to employee data all have legitimate access rights needed every day to perform their jobs as well. With the right security solution in place if one of those accounts goes rogue and becomes a malicious insider, there will often be changes in their access patterns that can be flagged, and that can then crucially be acted upon.
Unfortunately, as systems become even more closely interlinked the risk posed by privileged user accounts in particular will increase. Only by first understanding where these accounts can be found and how many exist can the full extent of the resulting security issue be addressed. Once exposure is established, adopting solutions that effectively ‘blind’ certain users from accessing private data will reduce the risk of identity hijacking or employee misadventure, offering a practical way of addressing ‘the insider threat’ in its many forms.