
Misuse of Privilege Is the New Corporate Landmine

“Organizations continue to struggle with excessive user privilege as it remains the primary attack point for data breaches and unauthorized transactions.”

—Mark Diodati, Gartner, Inc.

In organizations, it is a sad and harsh reality that trusted individuals are getting away with too many things. For example, at HSBC, a systems administrator named Falcini had unfettered root access. And what did he do with those credentials? He stole thousands of customer files and then tried to sell them to banks and tax authorities. This is becoming an increasing trend, with more and more breaches coming to light each month.

There are three fundamental misuses of IT privilege that you need to be perpetually on the lookout for:

  • Intentional harm is the most visible and usually results in significant cost to your corporation. This “insider attack” is the result of an administrator intentionally deleting or stealing data, or planting some malware. To better examine this type of privilege misuse, you will be introduced to “Disgruntled Dave,” a fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane.
  • Accidental harm is the most common but is usually not measured in direct impact to your corporation. This is the result of someone attempting to do a specific action (for example, install or upgrade software, go to a specific web site, use a system task) and either mis-keying a step or not following the directions, so that a problem occurs that requires the Help Desk to step in and fix the mistake. To better examine this type of privilege misuse, you will be introduced to “Annie,” a fictitious character created out of the amalgamation of numerous customer interviews and reported accidental insider breaches.
  • Indirect harm is the most esoteric but in reality another potential for significant cost to your corporation. This is when some malware hijacks an administrator's credentials and causes damage while impersonating that administrator. To better examine this type of privilege misuse, you will be introduced to “Identity Thief Irene,” a fictitious character created out of the amalgamation of recently caught and reported hackers responsible for breaches by hijacking an over-privileged insider's credentials for their own use.

Each of these steps is iterative, and the whole process uses feedback mechanisms to continually improve the overall effectiveness and efficiency of the corporation. Let's consider each of these areas and identify the key activities and responsibilities of each one.

Disgruntled Dave Examined Closer

Intentional misuse of privilege often stems from insider attacks. An insider attack is defined as any malicious attack on a corporate system or network where the intruder is someone who has been entrusted with authorized access to the network, and also may have knowledge of the network architecture. See Figure 2-1.

A 2010 CSO Cyber Security Watch Survey published findings that demonstrate the significant risks posed from insider attacks. Cyber criminals now operate undetected within the very “walls” erected to keep hackers out. Technologies include rogue devices plugged into corporate networks, polymorphic malware, and keyloggers that capture credentials and give criminals privileged authorization while evading detection. In 2008, the White House issued the Cyber Security Policy Review, which profiled systemic loss of U.S. economic value from intellectual property and data theft as high as $1 trillion.

The Computer Security Institute and FBI report states that an insider attack costs an average of $2.7 million per attack. CSO magazine cites the following points regarding this threat:

Figure 2-1. Disgruntled Dave.

  • Organizations tend to employ security-based “wall-and-fortress” approaches to address the threat of cybercrime, but this is not enough to mitigate the risk.
  • Risk-based approaches hold potentially greater value than traditional security-based “wall-and-fortress” approaches.
  • Organizations should understand how they are viewed by cyber criminals in terms of attack vectors, systems of interest, and process vulnerabilities, so they can better protect themselves from attack.
  • Economic hardships spawned by the 2008-2009 recession may generate resentment and financial motivations that can drive internal parties or former employees to crime. The international consultancy Deloitte stated that the survey conducted by CSO magazine reveals a serious lack of awareness and a degree of complacency on the part of IT organizations, and perhaps security officers. Organizations may focus on unsophisticated attacks from hackers or insiders because they are the noisiest and easiest to detect. Yet that focus can overlook stealthier attacks that can produce more serious systemic and monetary impacts.

The trial of a former Goldman Sachs programmer accused of stealing source code to take to a competitor began in somewhat of a public spectacle. The Wall Street Journal unveiled some particularly interesting details. For example, the programmer was one of the highest paid in the company with a $400,000 annual salary, but competitor Teza Technologies offered him over $1 million in total pay, including a $700,000 bonus.

So how does the highest-paid programmer of one of the largest investment banks in the world get a nearly three-fold salary hike by a much smaller competitor? We would bet a good chunk of cash that the $1 million paycheck was the price the company was paying for Goldman's code.

Here's the breakdown. He was offered $300,000 in salary, $700,000 in bonus, and $150,000 in profit-sharing. Here's my question to you—which portion of his pay do you think was (could be) the bribe and could the programmer have gotten more? How much is Goldman's source code worth?

We think he was drastically underpaid for the value of the code, but a clean million is plenty to motivate someone to steal data despite the actual value of the stolen property being much higher. Unfortunately, this could be construed as a case of dealing with the symptom instead of the disease. Had a least privilege solution been instituted, he wouldn't have had the ability to misuse privilege and accomplish the theft at any price.

When the trial ended, Sergey Aleynikov was convicted and received a sentence of eight years for stealing proprietary software source code as he was leaving the company in order to sell those assets to the competition for about $1.2M.

The only bright spot for Mr. Aleynikov was that the maximum sentence possible was ten years, so we can only guess that with those other two years, he can figure out even more creative ways to prove insider threats are in fact the most costly.

Employee terminations are, unfortunately, a necessary evil in corporations globally today. In a time of recession, layoffs are more copious and often leave those affected angry and upset. Albeit in a very small minority of cases, some terminated employee backlash has led to disastrous consequences for former employers.

In April 2011, a former network security engineer at Gucci America was indicted on charges that he illegally accessed the company's network and deleted documents shortly after he was fired, costing Gucci nearly $200,000 in damages. Using an account he secretly created while working at the company, the former employee allegedly later accessed Gucci's network and deleted virtual servers, shut down storage areas, and wiped corporate mailboxes.

This case and the many others like it call attention to the importance of having policies and procedures in place to ensure terminated employees no longer have access to company information and resources. E-mail, network, and application accounts must be deactivated swiftly. Employees granted administrative privileges while at the company could also pose an even greater threat. Organizations need to take precautions to ensure departing employees' privileges are revoked, root access passwords changed, and so forth. It sounds simple enough, yet it's surprising how often these necessities are overlooked.

Another solution to consider is looking at the amount of information employees have access to even when they are employed. Are the right limits currently in place? It's much easier to control former employees' ability to access information when they were never able to access the information in the first place.
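The offboarding check the Gucci case calls for can be run as a routine reconciliation rather than left to memory. The following is an added example, not code from the book or any product: it compares an account inventory with the HR roster and reports still-enabled accounts of terminated staff, logins after a termination date, and accounts that no one in HR owns at all. Every name, employee ID and date below is constructed sample data; in practice the two inputs would be exports from the directory and the HR system.

```python
# Added example, not from the book: reconcile an account inventory against
# the HR roster.  All names, employee IDs and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None: the account maps to nobody in HR
    enabled: bool
    privileged: bool            # root, domain admin or equivalent
    last_login: date


# Constructed HR roster (hypothetical employee IDs).
HR_ROSTER: Dict[str, HrRecord] = {
    "E100": HrRecord("E100", "active", None),
    "E101": HrRecord("E101", "terminated", date(2011, 3, 31)),
    "E102": HrRecord("E102", "terminated", date(2011, 4, 5)),
}

# Constructed account inventory, as exported from a directory or server.
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, False, date(2011, 4, 10)),
    Account("bob", "E101", True, True, date(2011, 4, 2)),        # gone 3/31, still enabled, still privileged
    Account("carol", "E102", False, False, date(2011, 4, 1)),    # disabled on schedule
    Account("svc-backup2", None, True, True, date(2011, 4, 9)),  # no HR owner at all
]

REVIEW_DATE = date(2011, 4, 12)  # constructed "today" for the report


def reconcile(roster: Dict[str, HrRecord], accounts: List[Account],
              today: date) -> List[Tuple[str, str, str]]:
    """Return (username, finding, detail) tuples, privileged accounts first."""
    findings: List[Tuple[str, str, str]] = []
    for acct in accounts:
        if acct.employee_id is None or acct.employee_id not in roster:
            # No HR owner means no one is accountable for the account, so it
            # never enters any offboarding process.  Flag it while enabled.
            if acct.enabled:
                findings.append((acct.username, "ORPHAN", "enabled, no HR owner"))
            continue
        rec = roster[acct.employee_id]
        if rec.status != "terminated":
            continue
        if acct.enabled:
            overdue = (today - rec.termination_date).days
            findings.append((acct.username, "NOT_DISABLED",
                             f"enabled {overdue} days after termination"))
        if acct.last_login > rec.termination_date:
            findings.append((acct.username, "POST_TERMINATION_LOGIN",
                             f"last login {acct.last_login.isoformat()}"))
    privileged = {a.username for a in accounts if a.privileged}
    # Privileged accounts sort first so the worst cases top the report.
    findings.sort(key=lambda f: (f[0] not in privileged, f[0], f[1]))
    return findings


def offboarding_report() -> List[Tuple[str, str, str]]:
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_ROSTER, ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding, detail in offboarding_report():
        print(f"{finding:24s} {username:12s} {detail}")
```

The ORPHAN finding is the one worth watching most closely: an account that maps to nobody in HR is invisible to any termination procedure, which is exactly why a privileged account created outside normal provisioning survives its creator's departure.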

Accident Prone Annie Examined Closer

Though difficult for many to admit, humans are fallible. We are not perfectly consistent in our personal or professional principles. Accidental misuse of privileges on desktops and servers does happen, and it does have a measurable impact on the organization as a whole. For example, desktop configuration errors cost companies an average of $120/PC, according to an IDC report, “The Relationship between IT Labor Costs and Best Practices for IAM.”

Figure 2-2. Accident Prone Annie.

In September 2004, HFC Bank, one of the largest banks in the United Kingdom, sent 2,600 customers an e-mail that, due to an internal operator error, exposed recipients' e-mail addresses to everyone on the list. The problem was compounded when out-of-office messages—containing home and mobile phone numbers—automatically responded to the mailing.

As one famous hacker said, “The weakest link in any network is its people.” The most fortified network is still vulnerable if users can be tricked into undermining its security—for example, by giving away passwords or other confidential data over the phone, or performing some activity that allows malware to hijack admin rights on desktops.

For this reason, user education should be one cornerstone of a corporate site security policy, in addition to privilege authorization management. Make users aware of potential social engineering attacks, the risks involved, and how to respond. Furthermore, encourage them to report suspected violations immediately. In this era of phishing and identity theft, security is a responsibility that every employee must share.

A common fear of all CSOs and CIOs is that their organization winds up in the press for some breach of privacy or data theft. So when it happens because of an accident and not an intentional attack, the embarrassment is compounded.

Accidents happen. It's part of the human experience. Unfortunately, there are times when some accidents lead to very serious consequences.

According to a security breach research project done by in April 2011, nearly one-third of the 25 reported serious data breaches occurred due to accidental employee actions or mistakes, which resulted in the exposure of Social Security, credit card, bank account, and financial account numbers. A data loss of this magnitude is devastating to an organization on many levels, yet it's understandable due to basic human nature. Companies that don't have preventative safeguards in place can therefore be in real trouble.

Although IT managers and compliance professionals are aware of these potential threats, most are still unsure of how to effectively manage and mitigate the problem. As most network security experts will agree, a multi-tiered approach to threat protection, whether coming from inside or outside the company, is necessary to minimize the risk of data breaches. Unfortunately, not all managers do this.

More Insider Breaches in the News

In August 2010, an Arkansas State University employee mistakenly e-mailed personal information belonging to 2,484 full- and part-time members of the faculty and staff and some former employees. The personal information was stored in a file accessible only by someone with privileged access. Private information belonging to about 70% of the faculty and staff of Arkansas State University was then sent out.

According to Arkansas Matters, “An employee mistakenly attached a [Privileged] report to a distribution list and that report contained some information about current and former employees, said Associate Vice President of Information Technology Services Mark Hoeting. We're working directly with each of the individuals who received it to validate that the file has been removed, said Hoeting. Even though these steps are being taken, Faculty member Jack Zibluk said they are concerned.”

Based on the Ponemon Institute's 2009 Annual Study, “Cost of a Data Breach Report,” this accidental misuse of privilege will cost ASU approximately US $149,040. Has your organization performed an IT security review to help minimize any costs associated with accidental misuse of privileges such as this?

Identity Thief Irene Examined Closer

Indirect misuse of privileges is when one or more attack types are launched from a third-party computer that has been taken over remotely. A startling statistic revealed by Gartner in December 2008 is that 67% of all malware detections ever made were detected in 2008. Gartner also estimates managed desktops, or users who run without admin rights, produce on average a $1,237 savings per desktop and reduce the amount of IT labor for technical support by 24%.

Figure 2-2. Identity Thief Irene.

The Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats on October 15, 2010, and published its annual attack forecast report. According to their research, the electronic domain will see greater amounts of malware attacks and various security threats in the coming year.

Data will continue to be the primary motive behind future cybercrime, whether targeting traditional fixed computing or mobile applications. According to security expert George Heron, “It's all about the data,” so he expects data to drive cyber-attacks for years to come. This motive is woven through all five emerging threat categories.

As technology continues to develop and expand, it's an unfortunate reality that sensitive information is becoming decreasingly safe. While this isn't new news (data breaches are becoming as common as a morning bowl of Cheerios), for some reason companies aren't heeding these devastating warning signs. At least Barracuda Networks didn't.

Here's what happened: A hacker, dubbed “fdf,” posted screenshots of Barracuda employees, partners, and customer credentials that were obtained through an SQL injection of their web page. Chris Wysopal, CTO at Veracode, offered more information about it, including that, “Barracuda employee password hashes were disclosed to the attackers. It is likely that many of these will be cracked swiftly and that some of these passwords give other access within Barracuda, perhaps through reuse.”

Let's take a minute to think about how this happened, or how any security breach happens. The simple answer is that someone who should not have had access to sensitive information did. Honestly ask yourself these questions: if this happened in your organization, would you know whom to question? Do you know everyone who has admin rights? Or whose passwords can grant access to high-level tasks? Do you have a way to monitor who is accessing what and when?

This breach highlights the importance of accountability. In each of our enterprises, we must know who operates with privileged user rights and how their actions can affect the security of sensitive information. Could you answer all of these questions? Or are there holes in the security of your company? Addressing the internal misuse of privilege is no longer a nice-to-have; it's a need-to-have. And if it's not something that's currently a priority in your enterprise, now is the time to make it one.
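“Do you know everyone who has admin rights?” is answerable per host from the account database. The following is an added example, not code from the book: for one Unix host it reads passwd, group and sudoers content and lists every route by which an account can act as root (UID 0, membership of an administrative group, or a sudoers rule), separating full root from command-restricted sudo. The three files are constructed sample data; on a real host you would feed it /etc/passwd, /etc/group and the sudoers file, and the set of administrative group names is an assumption to adjust per distribution.

```python
# Added example, not from the book: enumerate who can act as root on one
# Unix host.  PASSWD, GROUP and SUDOERS are constructed sample files.
import re
from typing import Dict, List, Set

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
dave:x:1001:1001:Dave:/home/dave:/bin/bash
annie:x:1002:1002:Annie:/home/annie:/bin/bash
irene:x:1003:1003:Irene:/home/irene:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:dave
sudo:x:27:annie
staff:x:50:dave,annie,irene
"""

SUDOERS = """\
# constructed sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
annie   ALL=(ALL) NOPASSWD: ALL
irene   ALL=(root) /usr/bin/systemctl restart httpd
"""

# Assumed names of groups that confer root on this platform.
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin"}
# Sudoers tags that do not change *what* may be run, only how.
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")
# user_or_%group  hosts = (runas) commands
SUDO_RULE_RE = re.compile(r"^(%?[\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")


def parse_groups(group_text: str) -> Dict[str, Set[str]]:
    groups: Dict[str, Set[str]] = {}
    for line in group_text.splitlines():
        name, _, _, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def admin_rights(passwd: str, group: str, sudoers: str) -> Dict[str, List[str]]:
    """Map each account to the reasons it can act as root.  Full-root reasons
    are prefixed "FULL:", command-restricted sudo rules "LIMITED:"."""
    reasons: Dict[str, List[str]] = {}

    def add(user: str, reason: str) -> None:
        reasons.setdefault(user, []).append(reason)

    # Route 1: any UID-0 account is root, whatever it is called.
    for line in passwd.splitlines():
        user, _, uid, *_ = line.split(":")
        if uid == "0":
            add(user, "FULL:uid 0")
    # Route 2: membership of an administrative group.
    groups = parse_groups(group)
    for g in sorted(ADMIN_GROUPS & set(groups)):
        for member in sorted(groups[g]):
            add(member, f"FULL:member of {g}")
    # Route 3: sudoers rules, expanding %group specs to their members.
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        spec, cmds = m.group(1), TAG_RE.sub("", m.group(2)).strip()
        users = sorted(groups.get(spec[1:], set())) if spec.startswith("%") else [spec]
        label = "FULL:sudo ALL" if cmds == "ALL" else f"LIMITED:sudo {cmds}"
        for u in users:
            add(u, f"{label} ({spec})" if spec.startswith("%") else label)
    return reasons


def full_admins(reasons: Dict[str, List[str]]) -> List[str]:
    """Accounts that can do anything as root by at least one route."""
    return sorted(u for u, rs in reasons.items() if any(r.startswith("FULL:") for r in rs))


if __name__ == "__main__":
    rights = admin_rights(PASSWD, GROUP, SUDOERS)
    for user in sorted(rights):
        print(f"{user:10s} {'; '.join(rights[user])}")
    print("full admins:", full_admins(rights))
```

Run across every server and diffed week to week, the full_admins list is the inventory the questions above ask for; the second UID-0 account in the sample data is the kind of entry that never appears in a group listing and is only caught by checking the UID itself.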

The truth is, whether it's malware, hackers, or a vulnerability, chances are it's very difficult for anyone to deal serious damage without admin rights. So when we read the latest vulnerability from Adobe, we were eager to jump on the soapbox and scream once more from the hilltops.

Adobe's Shockwave had a vulnerability that could allow hackers to inject malicious code. Now this is where two common but impractical and unproductive thoughts come to mind on the situation as a knee-jerk reaction:

  • Adobe: You can blame Adobe for the vulnerability and wait for their patch, but with dozens of common applications that are full of vulnerabilities (some discovered and some not), it's a pretty mediocre (but easy) solution.
  • Hackers: You can blame hackers who take advantage of the vulnerability for hacking into your desktops (usually after the fact), but just as there will always be software vulnerabilities (and lots of them), there will always be hackers. The real question is: how will you stop them?

It's easy to blame Adobe for having the vulnerability or hackers for using it, but the fact is that no organization should be unable to protect itself from the combination of these two very likely foes.

If desktop users don't have administrative rights, how much damage could someone like Irene using the vulnerability cause? Any code the hacker injects would most likely try to install malware or keyloggers, or change system settings such as security configurations, but without admin rights the desktop would be unable to do any of that.

We all need to stop blaming vulnerabilities and hackers like Irene and start taking responsibility for restricting desktop users so that the users (and anyone else) simply don't have the privileges to cause so much damage.

Even the largest of companies are vulnerable. The headline used by WSJ.com on Mar 8, 2011, was “Google Takes Heat Over App Security” and reported “The company behind the now ubiquitous Android operating system came under fire after computer-security experts last week uncovered more than 50 malicious applications that were uploaded to and distributed from Google's Android Market.” In fact, this is not the first time that Google experienced this type of intrusion, as was reported back in October 2010 by the New York Times, A Google employee in China “inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.”

But Adrian Kingsley-Hughes over at ZDNet cuts to the heart of the matter in his article of March 2, 2011, by saying “To many of its fans, the openness and freedoms offered by the Android mobile operating systems is one of its main selling points. But that openness comes with a price—it makes it easy for nefarious types to sneak malware into apps. And that's exactly what they are doing.”

What Hackers Don't Want You To Know About User Privileges

Believe it or not, there are people out there who aspire to be hackers. Not just the run-of-the-mill, crack a password or two, but a bona fide “Neo” who can play with your secure data like a personal version of “The Matrix.”

These would-be data pirates and malcontents have web sites that teach them their craft and even annual conferences like DEFCON to compare tips, tricks, and vulnerabilities. They are more organized than the average business executive or auditor realizes, and they are inspired by nothing short of total access to anything and everything on the information superhighway, especially what is hidden within your servers and on any one of your users' desktops.

The recurring theme and core principle is basically this: find access to admin credentials, and you own the keys to the kingdom. So, when users are granted excessive privileges (admin on desktops, root on servers), you have an environment just begging for a hacker to attack.

Patient to Doctor: “Doctor, doctor, when I do this it hurts”
Doctor to Patient: “Then don't do it!”

Sage advice that hackers don't want you to know: if you don't grant admin rights, you don't run the risk of someone stealing them, hijacking them, or even intentionally misusing them from inside.

Top Five Excuses for Data Breaches and What They Really Mean

In all of our customer interviews and research of actual data breach incidents for this book, we discovered five recurring excuses used to respond to said breach:

  • Data Breach Excuse 1: It's Too Sensitive to Comment Further, for Fear of Risking Security Further.

    When Vodafone terminated several staff in Australia over a breach in its customer information database that led to a leak of private data, they used this excuse to buy some time while they figured out what really happened. According to WCJB.co.uk, “The company said it continues to investigate the matter and is attempting to determine if an employee misused the password or sold it to criminals outside the company. The telecommunications firm said in a statement yesterday that a number of staff had been terminated and the information had been passed on to the NSW Police.” All bold positive statements that expertly relay the concern of Vodafone on the errant behavior of one or more of their employees. And yet, likely a smokescreen for a company that knows full well what happened, and fears saying more because it was so neglectful on their part that to share the full details would risk incurring serious damage to their very trusted brand.

    The bottom line is that it doesn't matter if their errant employee misused the password or sold it to criminals; the employee in question was over-privileged, meaning he or she had access to a server beyond the remit of his or her work role, or, had legitimate but unmonitored access.

    Further on, we learn that in fact the CEO has already brought in an independent security firm to review the systems, and to preempt any further leaks, and that the company is changing the database password every 24 hours.

    Now if the independent security firm knows their onions from their shallots, they will know that by installing an automated privilege access management system, it would be possible to change the password not just every 24 hours, but every time someone needs to access the server.

    That is, a password generated automatically on approval of the employee's request to access the server, checked against the role definition of his or her job. Indeed, protecting the enterprise from those with the motive and expertise isn't just a matter of mission-critical servers. The mindset that there will be those with access who have IT skills should be incorporated into security in everything we do.

  • Data Breach Excuse 2: Sadly, It's Not Possible to Trust All People All of the Time.

    Amongst many US and UK hospitals and health-care organizations who seem to have experienced data breaches in the last year, Florida Hospital used this excuse when it admitted to a data breach in November 2010. Their CEO was at pains to stress: “While it may be impossible to absolutely prevent an employee from violating our values and policies for personal gain, we are determined to take all necessary steps to review and strengthen our administrative procedures to ensure that we are providing the highest level of data security possible.”

    We are, of course, happy to point out that with a good privileged access management solution in place—and one that helps health-care organizations comply fully with HIPAA requirements—they don't have to rely on trust alone.

    Accidental, intentional, or indirect, abuse of privileges is mitigated because employees, partners, and third parties only get pre-approved access to the network or servers based on the need their job requires, not their position within the organization hierarchy.

  • Data Breach Excuse 3: Shut the Door After the Horse Has Bolted.

    This excuse allows the breached organization to sound authoritative by providing an answer to how the breach could have been prevented to the media and public, even if it is a solution they haven't put into practice yet. Unfortunately, the damage is already done and the misuse of privilege has caused significant enough damage to warrant the excuse being used in the first place. By providing an example of best security practice after the event, the US Government took the moral high ground during the WikiLeaks debacle, and diverted attention away from its own complacency.

    Their missive to those responsible for handling classified information, is revealing: “...create a ‘security assessment team’ to review the implementation of procedures to safeguard such information, a review to include making sure that no employee has access to information beyond what is necessary to do his or her job effectively.”

  • Data Breach Excuse 4: Don't Make an Excuse; Blame It on a Third Party.

    Yep, that's what we heard next when data showed up stolen or vandalized. McDonald's adopted the “we've been hurt too and are in this together” tone when they warned customers to be on guard against identity theft, phishing, and other scams thanks to a data breach following the theft of customer data held by a third party contracted by McDonald's. As PC World rightly pointed out in December 2010, the smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles heel that hackers can exploit to gain access to the more valuable network—often flying undetected under the radar.

    Our view is similar. With so many potential points of entry to sensitive data and so many different attack surfaces from which infection can happen, a shift in perspective is required. Companies need to think less about building walls and more about establishing clear boundaries. Whether an employee at their desk or on the move, a subcontractor, or a partner, access to the network should be handled the same way. When we talk about privileged access, it's not about who is more privileged than whom in terms of their relationship to the company; it simply refers to who gets access to what as defined by their role definition. As the straight lines of traditional security practice get increasingly blurred and permeable, privilege access becomes the cornerstone of not just good network security, but also good people management. Using open source software to solve this problem can be just as bad.

  • Data Breach Excuse 5: Apologize and Reassure Customers It was an Accident Rather than Intentional Harm.

    You guessed it, that's what we heard as the last excuse when data showed up stolen or vandalized. The University of Hawaii used this “cover-our-butts” excuse recently when they realized a former faculty member had inadvertently posted the Social Security numbers, grades, and other personal information of 40,000 former students to an unprotected server. This information had been accessible by a simple Google search for the past year.

    “We are troubled (and) determined to notify everyone according to law and committed to do everything possible in the future to prevent this from happening.” Their spokesman, Ryan Mielke, also stated that there didn't appear to be misuse of the information. That hardly makes it okay, especially when the information was available to all and sundry for 11 months, and that the former faculty member even had access to the data to conduct their admission research on behalf of the university. Monitoring database access is part of the solution, but addressing the misuse of privilege requires going beyond that. It is just as essential to continually audit privileges to ensure that employees and partners only have access to the minimum amount of sensitive data necessary to perform their duties. This requirement for separation of duties is also a cornerstone of virtually all compliance regulations.
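Excuse 1 above ends with the observation that an automated privileged access system can change a server password not every 24 hours but on every approved access request. The following is an added example, not code from the book and not any vendor's product, of the smallest broker that does this: the request is checked against the requester's role definition, approval must come from a different known person, the server password is freshly generated for that session, and check-in or expiry rotates it again so nothing reusable is left in anyone's hands. The roles, servers and people (fred, sarah, ted, db01, web01) are constructed; a real deployment would push the generated secret to the target host and protect the audit trail.

```python
# Added example, not from the book: a per-request privileged-credential
# broker.  Roles, servers and people below are constructed.
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role definition: which servers each job role may administer (constructed).
ROLE_SERVERS: Dict[str, Set[str]] = {
    "dba": {"db01", "db02"},
    "linux-admin": {"web01", "web02"},
    "helpdesk": set(),
}
USER_ROLES: Dict[str, str] = {"fred": "linux-admin", "sarah": "dba", "ted": "helpdesk"}


def _now() -> datetime:
    return datetime.now(timezone.utc)


class CredentialBroker:
    def __init__(self, servers: List[str], ttl: timedelta = timedelta(hours=2)):
        # The broker holds the only copy of each server's current password.
        self._current: Dict[str, str] = {s: secrets.token_urlsafe(24) for s in servers}
        self._sessions: Dict[str, Tuple[str, datetime]] = {}  # server -> (user, expiry)
        self._ttl = ttl
        self.audit: List[str] = []

    def _rotate(self, server: str) -> None:
        self._current[server] = secrets.token_urlsafe(24)

    def checkout(self, user: str, server: str, approver: str,
                 now: Optional[datetime] = None) -> str:
        now = now or _now()
        role = USER_ROLES.get(user)
        if server not in ROLE_SERVERS.get(role, set()):
            self.audit.append(f"{now.isoformat()} DENY {user}->{server}: outside role {role!r}")
            raise PermissionError(f"{user} ({role}) may not access {server}")
        if approver == user or approver not in USER_ROLES:
            self.audit.append(f"{now.isoformat()} DENY {user}->{server}: bad approver {approver!r}")
            raise PermissionError("approval must come from a different, known person")
        if server in self._sessions:
            raise RuntimeError(f"{server} is checked out to {self._sessions[server][0]}")
        self._rotate(server)  # a password that exists only for this session
        self._sessions[server] = (user, now + self._ttl)
        self.audit.append(f"{now.isoformat()} CHECKOUT {user}->{server} approved by {approver}")
        return self._current[server]

    def checkin(self, user: str, server: str, now: Optional[datetime] = None) -> None:
        now = now or _now()
        session = self._sessions.get(server)
        if session is None or session[0] != user:
            raise RuntimeError(f"{server} is not checked out to {user}")
        del self._sessions[server]
        self._rotate(server)  # the password that was handed out is now useless
        self.audit.append(f"{now.isoformat()} CHECKIN {user}->{server}")

    def expire(self, now: Optional[datetime] = None) -> List[str]:
        """Force-rotate every session past its TTL; returns the servers rotated."""
        now = now or _now()
        rotated = [s for s, (_, exp) in self._sessions.items() if now > exp]
        for server in rotated:
            user = self._sessions.pop(server)[0]
            self._rotate(server)
            self.audit.append(f"{now.isoformat()} EXPIRE {user}->{server}")
        return rotated

    def authenticate(self, server: str, password: str) -> bool:
        """What the target host checks: only the broker's current password works."""
        return secrets.compare_digest(self._current[server], password)


def try_checkout(broker: CredentialBroker, user: str, server: str,
                 approver: str) -> Optional[str]:
    """Checkout that returns None instead of raising when policy denies it."""
    try:
        return broker.checkout(user, server, approver)
    except PermissionError:
        return None


def ttl_demo() -> bool:
    """Check out, age the session past its TTL, and report whether the
    released password still works afterwards (it should not)."""
    broker = CredentialBroker(["web01"], ttl=timedelta(minutes=30))
    start = _now()
    pw = broker.checkout("fred", "web01", "sarah", now=start)
    broker.expire(now=start + timedelta(minutes=31))
    return broker.authenticate("web01", pw)


if __name__ == "__main__":
    broker = CredentialBroker(["db01", "web01"])
    pw = broker.checkout("fred", "web01", approver="sarah")
    print("fred's session password works:", broker.authenticate("web01", pw))
    broker.checkin("fred", "web01")
    print("after check-in it still works:", broker.authenticate("web01", pw))
    print("helpdesk on db01:", try_checkout(broker, "ted", "db01", "sarah"))
    print("self-approval:", try_checkout(broker, "sarah", "db01", "sarah"))
    print("\n".join(broker.audit))
```

Two design points carry the weight here: the broker, not the administrator, owns the password, so a “loaned” or sold credential is dead as soon as the session ends; and every denial is written to the audit trail, which is what lets an investigator answer Excuse 1's question (misused or sold?) from records rather than guesswork.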

HR and IT—How Security Can Make For Strange Bedfellows

Clearly the best group inside your organization to identify the insiders, and differentiate their levels (employee, contractor, partner, customer), is your HR department. This group will have not only their current status but their role and authority levels as well. Because of this, the interface between the IT department and HR must also be solidified in order to avoid the misuse of privilege and prevent the insider breach. Both organizations need to come together to understand that “rank” and “privilege” are two completely separate concepts:

  • Rank: In most every organization, there is a boss and a subordinate. The bigger the organization, the more layers of management are likely to be found. Ranks define the pecking order or hierarchy of this reporting and decision-making structure.
  • Privilege: Authorization, or privilege, on the other hand, is about who has access and can do what on a specific system: physical or virtual server or desktop, database, application, or cloud.

All too often, rank is confused with privilege and those higher in the organization are automatically given more IT privilege; usually an excess amount of privilege for their rank because the thought of fine-grained entitlements has not been considered. Fine-grained entitlements are simply calibrating the levels of authorization for a specific computing environment to a specific setting based on policy or role.
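The rank-versus-privilege distinction, and the continual privilege audit Excuse 5 calls for, can be turned into a mechanical entitlement review. The following is an added example, not code from the book: it holds a fine-grained policy of what each role needs on each system, takes HR's view of each person's rank and role, and compares both with the entitlements actually granted, reporting every grant the role does not justify and totalling them by rank so that privilege handed out on seniority stands out. The policy, people and grants are constructed sample data; in practice the grants would be exported from the directory, sudoers and database roles.

```python
# Added example, not from the book: entitlement review against role policy.
# Policy, people and grants below are constructed sample data.
from typing import Dict, List, Optional, Set, Tuple

# Fine-grained entitlements each role needs, per system (constructed policy).
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "dba":         {"db01": {"login", "schema-change"}, "backup": {"read"}},
    "linux-admin": {"web01": {"login", "sudo"}, "db01": {"login"}},
    "exec":        {"reports": {"read"}},
    "helpdesk":    {"web01": {"login"}},
}

# HR's view: rank is the org-chart level, role is what drives entitlements.
PEOPLE: Dict[str, Tuple[str, str]] = {  # name -> (rank, role)
    "sarah": ("CIO", "exec"),
    "fred":  ("engineer", "linux-admin"),
    "ted":   ("technician", "helpdesk"),
}

# Entitlements actually granted today, e.g. exported from LDAP and sudoers.
GRANTED: Dict[str, Dict[str, Set[str]]] = {
    "sarah": {"reports": {"read"}, "db01": {"login", "schema-change"}, "web01": {"sudo"}},
    "fred":  {"web01": {"login", "sudo"}, "db01": {"login", "schema-change"}},
    "ted":   {"web01": {"login"}},
    "svc-report": {"db01": {"login"}},  # account HR has no record of
}


def review(policy: Dict[str, Dict[str, Set[str]]],
           people: Dict[str, Tuple[str, str]],
           granted: Dict[str, Dict[str, Set[str]]]) -> List[Tuple[str, str, str]]:
    """Return (person, system, entitlement) for every grant the role does not
    justify.  A person unknown to HR has no role, so all their grants are excess."""
    excess: List[Tuple[str, str, str]] = []
    for person, systems in granted.items():
        _rank, role = people.get(person, ("unknown", None))
        allowed = policy.get(role, {}) if role else {}
        for system, ents in systems.items():
            for ent in sorted(ents - allowed.get(system, set())):
                excess.append((person, system, ent))
    return sorted(excess)


def by_rank(excess: List[Tuple[str, str, str]],
            people: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count excess grants per rank: where rank has been mistaken for privilege."""
    counts: Dict[str, int] = {}
    for person, _system, _ent in excess:
        rank = people.get(person, ("unknown", None))[0]
        counts[rank] = counts.get(rank, 0) + 1
    return counts


def missing(policy, people, granted) -> List[Tuple[str, str, str]]:
    """The other direction: role entitlements never granted, so that the review
    also catches people working around gaps with borrowed credentials."""
    gaps: List[Tuple[str, str, str]] = []
    for person, (_rank, role) in people.items():
        for system, ents in policy.get(role, {}).items():
            for ent in sorted(ents - granted.get(person, {}).get(system, set())):
                gaps.append((person, system, ent))
    return sorted(gaps)


if __name__ == "__main__":
    excess = review(ROLE_POLICY, PEOPLE, GRANTED)
    for person, system, ent in excess:
        print(f"EXCESS  {person:12s} {system:8s} {ent}")
    print("excess grants by rank:", by_rank(excess, PEOPLE))
    print("role entitlements not granted:", missing(ROLE_POLICY, PEOPLE, GRANTED))
```

In the sample data the CIO's three excess grants come entirely from rank, the engineer's one is a leftover from a project, and the unowned service account has no role to justify anything; running review() on each change to the roster or the policy is the recurring audit the text asks for.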

The challenge of managing insiders gets a little difficult when migrating to cloud computing. You can control the hiring practices of your own organization, but what about those to whom you are outsourcing? What are the IT employee hiring protocols or security checks employed by your cloud provider? The lack of visibility into the hiring standards and practices for cloud employees and a general lack of transparency into provider processes and procedures, such as how its employees are granted access to physical and virtual assets, make preventing data theft a potential nightmare. Depending on the level of access granted, a malicious outside-insider may be able to harvest your organization's confidential data or even gain control of the entire infrastructure with little or no risk of detection.

But we don't think that security concerns should be an absolute barrier to the adoption of cloud computing technologies. What we do think is that organizations are right to consider the implications of the cloud—and demand visibility into their suppliers' technology and processes to ensure the appropriate level of administrative privileges for better information protection.

Perhaps It's Time to “Geek Up” HR

For example, application and privilege controls can provide HR visibility into how businesses and individuals access and manage applications. With HR and IT in concert on privilege user parameters and administrative rights, policy enforcement can become more distributed and effective.

Security is an ongoing, collaborative process. Constant review of both policy and technology is necessary to safeguard corporate networks. And although you can never eliminate risk completely, when you improve relations between HR and IT so that policy and technology go hand in hand, an organization's security becomes a great deal tighter.

Top Ten Reasons Good People Do Bad Things Without Least Privilege

Taking a more tongue-in-cheek approach to highlighting the types of privilege misuse that occur daily inside most organizations, we thought that a top-ten-list approach might appeal to you as well. How many of these have you seen throughout your organization?

#10: Michelle, the CEO's Exec Admin, leaves her current password list on a yellow sticky note taped to the bottom of her keyboard.

#9: Fred, the Rochester Linux admin, “loaned” his root credentials to another admin because he was late for a dentist appointment and the server needed to be rebooted.

#8: Ted in Tech Support reset file and directory permissions on a mission-critical Linux server to make his data migration project go smoother but, in the process, also gave access to sensitive data to the entire company.

#7: Sid in Development downloaded a couple of neat Apache applications and a few other unauthorized open source “tools,” injecting malware into the corporate network.

#6: Annie the Secretary completely cratered her PC configuration while trying to upgrade an application by accidentally “fat fingering” the wrong IP address, causing her to lose two days of productivity while IT reimaged her machine.

#5: Bob, the VP of Marketing, now adds 220GB of personal data to the nightly backups because his entire iTunes library of 23,000 songs and 15 movies was put on his corporate laptop.

#4: Alice in IT seems to bring down the entire network backbone every time she makes a DNS misconfiguration error, which happens more often than not.

#3: Fred in IT installed a Trojan on the mission-critical server, bringing it down for four hours and costing the company over $1M in lost transactions, because he was passed over for a big promotion.

#2: Sarah, the CIO, “hides” all of the Linux root credentials (which are changed weekly) in a sealed envelope in the bottom drawer of her desk and has to deal with a manual check-in/check-out process, but everyone knows where she keeps the list.

#1: A member of the group known as “anonymous” overheard a systems admin bragging over a Palo Alto lunch about how no one would ever figure out that his password was “talkingninjamonkey2,” after his favorite video game avatar.

Weighing In

It never ceases to amaze us how predictable we are as human beings. Whether it's continuing to repeat our own mistakes or thinking the consequences of others' actions would never apply to us, it seems we're far too eager to turn a blind eye to reality. Reality, however, has a funny way of coming back to haunt us. When it comes to trusting good people not to do bad things, IT Admins and the CSOs and CIOs they report to are like a whole army of Homer Simpsons continuing to stick their finger into the light socket and expecting not to get a jolt.

We have analyzed numerous examples of intentional, accidental, and indirect misuse of privilege and the associated cost of these insider breaches. There are several lessons we can take away from these experiences. The first and foremost is to have an identity management solution in place within your enterprise. Allowing any employee unfettered access to all company assets is both unnecessary and dangerous. The second is to regularly monitor privileges as work roles, new employees, and new data emerge and change. Take the steps now to learn from the past, and prevent any insiders from misusing their privileges on any level. Let's hear from our Insider Heroes:
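The second lesson above, regularly re-checking granted rights against what each role actually needs, is easy to state and easy to skip. The script below is an added example, not code from the book or its authors: it models a least-privilege review as a comparison of each account's granted rights against a per-role baseline, and also flags administrative credentials that are known to be shared. The role baseline, the account inventory, and the right names (for example `sudo:web-01`) are all constructed for the example; a real review would pull them from the identity management system and from the hosts themselves.

```python
"""Least-privilege review: find rights that exceed an account's role baseline
and administrative credentials that are shared between people.

Added example with constructed data; it is not the book's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed role baseline: the rights each job role actually needs.
# In practice this comes from the identity management system's role model.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "exec_admin":  {"email", "calendar", "file_share"},
    "linux_admin": {"email", "file_share", "sudo:web-01", "sudo:db-01"},
    "developer":   {"email", "file_share", "git", "sudo:dev-03"},
    "marketing":   {"email", "file_share", "crm"},
}

# Rights that count as administrative for the shared-credential check.
def is_admin_right(right: str) -> bool:
    return right.startswith("sudo:") or right == "local_admin"


@dataclass
class Account:
    user: str
    role: str                      # the role HR currently has on record
    rights: Set[str]               # rights actually granted in IT systems
    shared_with: List[str] = field(default_factory=list)  # others who know the password


def excess_rights(acct: Account, baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[str]:
    """Rights granted to the account beyond what its current role needs.

    Because the comparison uses the role HR has on record, a user who changed
    roles but kept old entitlements shows up here automatically.
    """
    allowed = baseline.get(acct.role, set())
    return sorted(acct.rights - allowed)


def review(accounts: List[Account],
           baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> List[Tuple[str, str, str]]:
    """Run the review and return (user, issue, detail) findings."""
    findings: List[Tuple[str, str, str]] = []
    for a in accounts:
        if a.role not in baseline:
            # No baseline means nothing to compare against; that is itself a finding.
            findings.append((a.user, "unknown-role", a.role))
        extra = excess_rights(a, baseline)
        if extra:
            findings.append((a.user, "excess-rights", ",".join(extra)))
        if a.shared_with and any(is_admin_right(r) for r in a.rights):
            findings.append((a.user, "shared-admin-credential", ",".join(a.shared_with)))
    return findings


# Constructed inventory loosely modelled on the top-ten list above.
SAMPLE_ACCOUNTS = [
    # Local admin on an executive assistant's PC is outside the role baseline.
    Account("michelle", "exec_admin", {"email", "calendar", "file_share", "local_admin"}),
    # Rights match the role, but the root credential was loaned to a colleague.
    Account("fred", "linux_admin", {"email", "file_share", "sudo:web-01", "sudo:db-01"},
            shared_with=["oncall-admin"]),
    # Moved from Development to Marketing but kept the developer entitlements.
    Account("sid", "marketing", {"email", "file_share", "crm", "git", "sudo:dev-03"}),
    # Matches the baseline exactly; should produce no finding.
    Account("bob", "marketing", {"email", "file_share", "crm"}),
]

if __name__ == "__main__":
    for user, issue, detail in review(SAMPLE_ACCOUNTS):
        print(f"{user:10} {issue:25} {detail}")
```

Run on the sample inventory, the review reports Michelle's stray local admin right, Fred's shared root credential, and the two developer rights Sid carried into his marketing role; Bob produces nothing. The useful design point is that the check is driven by the role HR records, so keeping HR and IT in concert (as argued earlier in this chapter) is exactly what makes the output trustworthy.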

Secure Sam:

The misuse of privilege is unfortunately a rising trend amid enterprises. There are new data breaches reported daily it seems, and companies and consumers alike are losing faith in information security. Far too many of these breaches come at the hands of insiders. We can't understand why companies don't take measures to protect themselves from these kinds of attacks! The reality is there are far too many “Disgruntled Daves” out there. No matter how large a company is or how much they're worth, no one can afford the risk and the price of a security breach. $2.7 million is a lot of money, and the cost of cleaning up these kinds of messes is only going to rise. So why do companies continue to push the insider threat aside? Maybe it's not just that they're ignoring the obvious; maybe it's that they think that their tried-and-true security methods are still working. The unfortunate truth is that putting up a wall doesn't mitigate the danger anymore—the misuse of privilege is bigger than a firewall. The only way for enterprises and their managing IT personnel to adjust and eliminate these expensive risks is to actually manage access. Companies need to step up and take control of who has access to what, and until this happens, we don't think we'll see relief from the onslaught of breaches.

Least Privilege Lucy:

Privileges are one of the more complicated parts of the IT manager's job. Everyone thinks they need to have power to do everything, but the reality is that most of them don't come close to needing administrator rights, and it's downright dangerous letting them run with them! When users end up with more rights than they need, they inevitably download something with a virus, upgrade software they're not authorized to upgrade, accidentally mess with their settings, and/or just wreak havoc on the fragile network that is so vigilantly managed. Having unnecessary administrators running around really is like a landmine—you just spend time waiting until another time-consuming issue has to be dealt with because someone accidentally hit the download button or upgraded some software without thinking. “Accident Prone Annie” is part of my daily routine, and honestly the bane of my existence. Managing rights is the answer; taking all users to a least privilege model is the way to avoid the ticking time bomb and make enterprises more secure.

Compliance Carl:

There are always issues that come up with information technology. One of the issues that I see all the time is the leaking of that data. Ideally, I see it before an outsider comes in and spreads it across the Internet to the corners of the world, but it's something that's prevalent in IT environments across almost all industries. It's also something we've all seen lately, as data leaks and breaches are becoming more commonplace than ever. What doesn't get reported along with these breaches, however, is the root cause of how they happen. Everyone hears that data was leaked, information was hacked into, and passwords were stolen. But take a minute and ask yourself how that happens in the first place. How can outsiders access these precious enterprise tools? “Identity Thief Irene” is the answer to that question. While she is fictitious, there are thousands of real-life thieves just like her who do the exact same thing: hijack accounts with administrator rights. When a company is properly protected against data theft, hackers cannot gain access because least privilege is in place. By making admin rights something that only those who require them have, information can't be hijacked with as much ease. Least privilege, which is a best practice and a money saver for companies, really is the key.
