Insider threats remain a key concern for businesses, as they can lead to data breaches or system outages. US-CERT¹ estimated in a report that 76% of internal computer sabotage incidents are perpetrated by a company’s own IT workers without legal action or law enforcement, while 33% of participants in the 2011 CyberSecurity Watch Survey responded that insider attacks are more costly than external ones.
Clearly there will always be disgruntled employees looking to make a quick profit, or to damage former or current employers by attempting to steal sensitive information. More recently, the BYOD trend (Bring Your Own Device) has seen unmanaged devices accessing the network at greater rates. But how can companies minimise this risk?
Analysts and IT professionals are now spending more time focusing on “privilege management” technologies that can help to reduce the risk of inadvertent or malicious activity by users with privileged access to systems. Most mission-critical systems, applications and databases have an administrative username and password (a privileged account) to enable installation, configuration, and management of those platforms. Most large businesses have hundreds of people who need to administer Windows or UNIX systems, their databases and their networks, as well as personnel who either develop or administer applications. These administrators are in effect the superusers, and businesses need to ensure that they are properly managed to reduce the risk of the insider threat.
In this scenario, it is not your average end-user that businesses need to be wary of, as they often have limited access to critical data. Instead, superusers usually have administrative access to the valuable information that resides within the company firewall. They could include staff, or outsourced or contracted resources. Given this awareness, businesses should work out who within the business has administrative access, whether staff are sharing these privileged accounts and how they can better control and audit what those users can do.
So how can businesses control and manage these superusers? The motto “trust but verify” is one that I would suggest sticking close to. The majority of IT staff are trustworthy people, but safeguards need to be in place to ensure that bad apples don’t cause serious disruption.
The first step in safeguarding critical assets is to avoid handing out shared privileged accounts. Businesses should ensure that all staff use personal accounts for greater accountability, forcing IT users to log in as themselves instead of sharing a common “root” account.
To further improve accountability and traceability of actions, businesses need to consider adding software that can monitor all activity taken by privileged users. User activity auditing can create the accountability required for security and compliance, such as:
· Capturing and storing user activity so that suspicious actions can be examined to determine if an attack is occurring — before the damage is done.
· Changing privileged user behaviour through deterrents, ensuring that trustworthy employees are not taking shortcuts and that disgruntled employees know any malicious actions will be recorded. Many organisations also use monitored sessions as a means to train employees.
· Establishing a clear, unambiguous record for evidence in legal proceedings and dispute resolution.
To fully account for actions on a specific system, at a specific time, by a specific user, there is no substitute for high-fidelity recording of individual user sessions. By recording all privileged user activity (screen actions, events and metadata) a complete picture of intentions and impacts can be achieved.
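As an added illustration of the accountability point above (not code from the original article), the script below parses a few constructed Linux auth-log lines and separates direct logins to the shared root account, which cannot be attributed to a person, from privileged commands run through sudo by individually named users, which can. The log format and host names are assumed for the example.

```python
import re

# Constructed sample auth log lines (not from the original article); they mimic
# the sshd and sudo formats of a typical Linux syslog but are illustrative only.
SAMPLE_LOG = """\
Mar  3 09:12:01 db01 sshd[2201]: Accepted publickey for root from 10.0.5.14 port 51022 ssh2
Mar  3 09:14:45 db01 sshd[2230]: Accepted publickey for alice from 10.0.5.21 port 51030 ssh2
Mar  3 09:15:02 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 09:20:11 db01 sshd[2250]: Accepted password for root from 10.0.5.33 port 51040 ssh2
Mar  3 09:22:19 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/postgresql.log
Mar  3 09:25:00 db01 sshd[2270]: Accepted publickey for bob from 10.0.5.22 port 51050 ssh2
"""

# Successful interactive login recorded by sshd (any auth method).
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
# Privilege escalation recorded by sudo: who ran what, as which target user.
SUDO_CMD = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def shared_root_logins(log: str) -> list[tuple[str, str]]:
    """Return (source_ip, line) for every direct login to the shared root account.

    These are the events the article says to eliminate: nothing in the line
    identifies which person actually used the credential.
    """
    hits = []
    for line in log.splitlines():
        m = SSH_LOGIN.search(line)
        if m and m.group("user") == "root":
            hits.append((m.group("src"), line))
    return hits


def privileged_actions_by_person(log: str) -> dict[str, list[str]]:
    """Map each named user to the commands they ran as root via sudo.

    Because the user logged in as themselves and then escalated, every
    privileged command is attributable to an individual.
    """
    actions: dict[str, list[str]] = {}
    for line in log.splitlines():
        m = SUDO_CMD.search(line)
        if m and m.group("target") == "root":
            actions.setdefault(m.group("user"), []).append(m.group("cmd"))
    return actions


if __name__ == "__main__":
    for src, _ in shared_root_logins(SAMPLE_LOG):
        print(f"unattributable root login from {src}")
    for person, cmds in privileged_actions_by_person(SAMPLE_LOG).items():
        print(f"{person}: {len(cmds)} privileged command(s)")
```

Fed real sshd and sudo output, the first function gives a count of shared-account logins to drive down to zero, while the second gives the per-person record that session auditing builds on.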
Another concern for businesses is the management of a mixed IT environment of Windows, UNIX, Linux, Mac, and mobile systems, as well as web and enterprise application platforms. Most organisations are managing silos of identity that have grown up around specific operating system environments or have evolved organically within individual departments. IT analyst firm Gartner estimates that the average large business maintains more than 20 identity stores, where the average user must remember five or more user names and passwords. This is simply too many credentials for any person to remember. As the number of identity stores increases, so does the possibility that unauthorised personnel will exploit dormant or orphaned accounts to access sensitive information. Users who are forced to manage multiple passwords and frequent policy changes are likely to store passwords in an unsecured fashion. The greater the number of identity stores, the more difficult it is to implement consistent security policies. Without a cross-platform access control solution, IT faces difficulties in maintaining a consistent set of access rights for every platform.
To address the challenges around managing a mixed IT environment, businesses can easily consolidate identity stores by extending an existing one to replace them. The goal is to build a centralised directory system by selecting a robust, futureproof identity system and using it to replace or consolidate others over time. Consolidating and centralising make it easier to de-provision the accounts of a terminated employee or contractor and reduce the risk of unauthorised personnel accessing sensitive information, as well as offering clear benefits in terms of productivity, cost savings, security and reporting.
The final step in reducing the threat from superusers is to implement the concept of “least-privileged access”: limiting what they can access by granting, in a granular manner, only the privileges required for them to perform their role.
Of all the insider threats, the most recent development comes from the proliferation of mobile devices within the enterprise. As well as the risks associated with a lost or stolen device that now contains corporate information, most companies are yet to deal with the influx of employee-owned devices, with many not even aware of the real number of personal devices that are being used to access the corporate network.
Given this explosion in new devices and device types, businesses now need policies in place to ensure that they can secure lost or stolen devices and manage device access to the corporate network. Many businesses are turning to Mobile Device Management (MDM) software solutions to control and secure the growing and heterogeneous population of employee-owned devices.
There are three broad options for MDM. The recommended approach is one which involves centralising the management of mobile devices, Mac OS and other systems into Active Directory, a robust and secure on-premise directory system that can control and manage systems and devices inside and outside the enterprise. Solutions that use existing investments in directory systems have the benefit of lower management costs, better compliance and increased security.
Alternatively businesses can deploy a standalone product for mobile devices. However, this can further fragment the management system and requires the IT department to dedicate time and resources to manage this environment.
Thirdly, businesses can also synchronise identity stores across all mobile and desktop systems, but this delivers only simple capabilities and forces administrators to manage multiple consoles.
For businesses to reduce internal attacks, they will need to develop an awareness of the changing enterprise landscape while continuing to control superusers. By forcing privileged users to log in as themselves and providing a centralised authorisation management solution to control what users can do and audit their activity, businesses will have a far greater understanding of their employees’ actions. Furthermore, by getting a mobile device management policy in place now, IT departments can future-proof the organisation and severely reduce the threat from both inside and outside. Taking a user-centric view by linking access control and security policies back to an employee’s identity helps ensure that the organisation has a consistent, future-proof way of achieving visibility and control over user access – even when the systems and mobile devices within the environment are rapidly changing.
¹ Source: 2011 CyberSecurityWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.