
The Hard and Soft Cost of Apathy

“By far the most dangerous foe we have to fight is apathy—indifference from whatever cause, not from a lack of knowledge, but from carelessness, from absorption in other pursuits, from a contempt bred of self satisfaction.”

—William Osler, Founding Professor at Johns Hopkins Hospital

To understand the cost of apathy in relation to breaches and least privilege, we must first understand that how we manage risk shapes human behavior. If we box people in by removing all privileges, they will feel suffocated and likely rebel or withhold. If we give too many privileges, people will either feel scared of screwing up and breaking something, or take full advantage of their privileges and abuse the system. The key is to give them what they need, when they need it; only then will they feel safe enough to do their job well.

The primary theme of “good people can do bad things” cannot be overlooked here. Every example presented thus far in this book has magnified the unpredictable nature of human nature and its impact on your security, compliance, and productivity. The representative insider threats introduced in Chapter 2 as “Disgruntled Dave,” “Accident Prone Annie,” and “Identity Thief Irene” are right now sitting inside the perimeter of your extended enterprise. It's just a matter of time before apathy leads to them causing measurable harm.

So, why does the typical IT admin prefer to duck and cover when auditors or business executives come to gripe about why there are no controls on who can do what (auditors) or why everything is so locked down that work can't be done at all, let alone efficiently (business executives)?

Q: Why did the ostrich stick his head in the sand?

A: To avoid danger (actually lowering its head in high grass instead of self burial in sand).

Just avoiding the inevitable is never a good policy; you may as well just drop out, free your mind, and listen to Beatles records all day. For those admins looking to achieve the IT equivalent of Karmic Balance, then implementing a least privilege solution across desktops, servers, virtual, and cloud environments should be the next project on your to-do list. By implementing a least privilege solution, you will automatically facilitate the elevation (brokering) of admin privileges only when they are necessary in an auditable fashion that doesn't require handing out root or admin credentials.

If you keep up with current events, then you will find numerous examples of an over-privileged insider who misused their privilege to cost an organization millions of dollars—and reveal just how expensive your apathy can become.

Lessons from Jérôme Kerviel

A multi-billion dollar fraud from 2008 resurfaced in the news in the fall of 2010 after a Paris court ordered Jérôme Kerviel, who engaged in over 1,000 fraudulent transactions, to pay a full $6.7 billion in restitution for his risky trades and serve three years in prison.

Forbes took their shot at what the events could teach us, which raised the compelling point that everyone is curious about—why is 100% of the blame being put on Jérôme? We don't know if the bank did indeed support Jérôme's risky trades, which were initially profitable. What we do know is that IT professionals have skills that are both useful and dangerous.

Kerviel came to the Societe Generale as a trader after being an IT worker at SocGen. ComputerWorld reports he used these skills to easily bypass the IT and process controls the bank put in place to detect fraudulent transactions.

We do think the single takeaway the news should remind us of is that IT skills that are both dangerous and useful can be found anywhere. Protecting the enterprise from those with the motive and expertise isn't just a matter of mission-critical servers. The mindset that there will be those with access who have IT skills should be incorporated into security in everything we do.

Cyber Crime Can Be Lucrative

The economy of cyber crime is all too real—and too enticing. No longer sequestered to dark alleys and seedy bars, data thieves have almost unlimited options to market their ill-gotten wares to potential buyers. What this means to employers and organizations: the temptation to access and “appropriate” sensitive data may be too great for some to resist.

Q: So just how difficult is it for cyber criminals to sell data?

A: Shockingly easy.

Although the sale of stolen information often takes place completely underground, in secret, closed-to-the-public credit forums, people who want to join these groups can locate them quite easily. Once vetted by forum administrators to ensure they are not from law enforcement, they are invited into the network to market and distribute their wares.

And individuals need not even proactively seek to divest an employer of sensitive, valuable data. Today, recruiters actively target individuals with local or specific data types—going so far as to create job postings with criteria like “an established relationship with local banks” as a prerequisite for crime family consideration.

The ease with which individuals can locate black market buyers of data should scare every employer who provides mid- to low-level access to any type of sensitive information. Like some bizarro-world eBay, many of these markets actually have incentive packages. Competing prices, additional services, free trials, money-back guarantees, and terms and conditions are all offered. Prices for data are qualified like any other commodity: data is priced based on the domain, if the account belongs to a real person, and how popular it is. It can depend on the number of followers, how commercial the niche is, and if the data is real or bot-generated. Prices for online banking and payment systems depend on account verification.

To make matters worse, the cyber-crime black market, which has traditionally centered on distributing bank and credit-card details stolen from users around the world, has diversified its business model since 2010, and now sells a much broader range of hacked confidential information including bank credentials, logins, passwords, fake credit cards, and more.

So, while CSOs struggle to combat an ever-evolving crime organization that morphs and changes in a nanosecond, it may be the guy in the cube next to you that is seeking to supplement his bank account that could exact the most damage to your database.

How Much Is Your Code Worth?

In Chapter 2 we discussed the former Goldman Sachs programmer accused of stealing source code to take to a competitor for a much higher annual salary and $700,000 bonus. The ultimate question for you is at what point will your trusted employees do the same with your corporate information assets? When evaluating the cost of apathy you need to factor in the potential cost impact created when human nature defies legalities in favor of greed.

Lessons from Matt Miszewski

Arguably, former Microsoft employee Matt Miszewski is now a respondent in a recent motion filed against him for allegedly “retaining” some 600 MBs of sensitive and proprietary data. When he left the company to take up a position at Microsoft rival Salesforce.com, he was motivated by considerably less—at least as far as his personal return was concerned. Obviously, it's too early to pass judgment on such a case, or suggest that “retaining information” after leaving a company is just a posh way of saying stealing, but what we can do is comment on how Microsoft discovered Matt's supposed infraction.

Microsoft only discovered that the information had been taken as a result of due process in another, earlier case brought against Matt Miszewski. Mr. Miszewski had said he only took personal items with him when he left. Under discovery rules, the document cache stored on his laptop was produced. Simply put, this means that if they had not filed suit against Mr. Miszewski, they would have been unable to verify the “retention” of the data.

If we are to take 2011 Symantec/Ponemon Institute research seriously—which indicates that 59% of employees surveyed who lost or left a job in 2008 admitted to stealing confidential company information—then businesses should pay more attention to how they manage privileged access to sensitive data. Otherwise, they could be accused of aiding and abetting the theft by relying on trust alone. As our title suggests, he who holds the “over-privileged” ladder is as bad as a thief.

Whether via the desktop or from mission-critical servers, access to sensitive data needs to be managed on a needs-only basis. Employees get access based on the privileges they need to do their job, not how privileged (senior) they may be within the company.

One in 14 Can Cost You $129 Without Least Privilege

A May 2011 PC World article about malicious code and downloaded software reported “about one out of every 14 programs downloaded by Windows users turns out to be malicious.” This didn't come from some random blogger or disgruntled day trader. It came from Microsoft's own research and, according to the article, “even though Microsoft has a feature in its Internet Explorer browser designed to steer users away from unknown and potentially untrustworthy software, about 5 percent of users ignore the warnings and download malicious Trojan horse programs anyway.”

So the bottom line is that people can potentially take advantage of admin rights by downloading software and will have a 1 in 14 chance of infecting their computer with malicious code. According to Gartner, Inc.'s report, The Cost of Removing Administrative Rights for the Wrong Users (T. Cosgrove/April 2011), the primary difference between the two management profiles, “moderately managed” and “locked and well-managed,” is user rights. The moderately managed profile assumes administrative rights are granted, while the locked and well-managed profile has them removed. The cost difference between the two profiles is $653 annually. Interestingly, 90% of the cost savings associated with the locked-down user is realized by the user, not IT. The user will spend less time fixing his or her system and doing other administrative tasks, because the PC is better managed.

Who's To Blame?

As we've waded through the hundreds of published insider breaches from just the last two years, the clear recurring theme was the vagaries of human nature. Not meaning to wax poetic, but it was always an individual who misused their own, or some other insider's, privileged access authorizations to IT systems for their own purposes and/or gain. That begs two questions:

  • What sets these people on their path to misuse of privilege?
  • Are they personally responsible or is the organization's lack of controls partially responsible as well?

As we have pointed out many times—at the intersection of people, processes, and technology that make up the engine of modern business—it's human nature that is the weakest link. And, all too often, it's the tendency of almost the entire IT industry—vendors, analysts, and press—to ignore this.

Put another way, you can't rely on everyone being a saint or competent all of the time. It's not just malicious malcontents intent on destroying the system who can cause havoc, but also the negligent, misinformed, and downright nosey who can compromise sensitive data. In all cases, it's more often than not the case that such people have way too much privileged access—admin rights on the desktop, root password on the server—for the role they are required to play.

Indeed, when technology is to blame, it's not always the technology itself that is at fault; it's the failure to recognize the importance of technology, such as privileged identity management (PIM) systems, which can restrain over-privileged users without hampering productivity. With increasing costs arising from data breaches, including cleanup costs, as well as customer churn due to diminished trust, it makes sense not to rely on trust alone when it comes to employee and third-party access to sensitive data.

Hard Versus Soft Costs

Not all costs are as obvious as these examples would suggest. Simply stated, the principle of least privilege means that a user must run with the least amount of privilege needed for the task being performed. And what does this mean for you? It means you should look closely at eliminating administrator rights from users who don't absolutely need them, and elevate privileges for users who require them. Let's take a look at a couple of scenarios that will better paint this picture and its relevance to hard versus soft costs:

Scenario A: A user in your company needs to install an application, and your IT department is slammed (as usual) and won't be able to help for several hours. Now that user can't install the application necessary for their job function, which results in loss of work and overall production.

Scenario B: A user in your company is operating with full administrator rights, and is unfortunately a little too cavalier in their download habits. Because they are operating with admin rights, malware hijacks their computer and enters your database. Now your IT department has to get involved to fix and debug your system, which is both expensive and time-consuming.

Both situations color the importance of least privilege and further emphasize how important it is to find the right amount of privilege for all end users. Scenario A is of course the soft cost example, while Scenario B is the hard cost example. Both can have measurable negative impact on your organization, if you are looking out for signs of these scenarios and have implemented vehicles for accurate impact assessment.
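The two scenarios describe what a least privilege broker has to decide: elevate an approved installer for the user who needs it (Scenario A, no wait for the help desk) while refusing admin rights to an arbitrary download (Scenario B), and record every decision for the auditor. The following Python model is an added illustration written for this chapter, not the code of any product the book describes. It assumes a simple allow-list policy: an application is elevated only when its exact path is on the list, its binary's SHA-256 matches the approved build, and the requesting user's role is permitted; anything else runs with the user's ordinary standard rights. The application paths, role names, and binary contents are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Tuple
import hashlib


class Privilege(Enum):
    STANDARD = "standard"   # process runs with the user's own (non-admin) rights
    ELEVATED = "elevated"   # broker grants admin rights to this one process only


@dataclass(frozen=True)
class Rule:
    """An approved application: exact path, hash of the approved build,
    and the roles allowed to run it elevated. (Hypothetical policy format.)"""
    path: str
    sha256: str
    roles: frozenset


@dataclass
class AuditRecord:
    timestamp: str
    user: str
    role: str
    path: str
    sha256: str
    decision: Privilege
    reason: str


class ElevationBroker:
    """Decides per process whether to broker admin rights; the user never
    holds or sees an admin credential, and every request is logged."""

    def __init__(self, rules: List[Rule]):
        # Exact-path lookup (case-insensitive, as on Windows); no globbing.
        self._rules: Dict[str, Rule] = {r.path.lower(): r for r in rules}
        self.audit_log: List[AuditRecord] = []

    def request(self, user: str, role: str, path: str,
                binary: bytes) -> Tuple[Privilege, AuditRecord]:
        digest = hashlib.sha256(binary).hexdigest()
        rule = self._rules.get(path.lower())
        if rule is None:
            # Scenario B: unknown download runs, but only as a standard user.
            decision, reason = Privilege.STANDARD, "no rule for this path"
        elif rule.sha256 != digest:
            # Approved path but different bytes: treat as unapproved.
            decision, reason = Privilege.STANDARD, "binary hash does not match approved build"
        elif role not in rule.roles:
            decision, reason = Privilege.STANDARD, "role not approved for this application"
        else:
            # Scenario A: approved installer is elevated without a help-desk call.
            decision, reason = Privilege.ELEVATED, "approved application, matching hash, permitted role"
        record = AuditRecord(datetime.now(timezone.utc).isoformat(), user, role,
                             path, digest, decision, reason)
        self.audit_log.append(record)
        return decision, record


# Constructed sample "binaries" standing in for real executables.
APPROVED_INSTALLER = b"approved-setup-v1 (constructed sample bytes)"
UNKNOWN_DOWNLOAD = b"free-screensaver (constructed sample bytes)"


def make_demo_broker() -> ElevationBroker:
    """Policy with one approved installer, usable elevated by the 'analyst' role."""
    rule = Rule(path=r"C:\Installers\approved-setup.exe",
                sha256=hashlib.sha256(APPROVED_INSTALLER).hexdigest(),
                roles=frozenset({"analyst"}))
    return ElevationBroker([rule])


if __name__ == "__main__":
    broker = make_demo_broker()
    broker.request("alice", "analyst", r"C:\Installers\approved-setup.exe", APPROVED_INSTALLER)
    broker.request("bob", "analyst", r"C:\Users\bob\Downloads\free-screensaver.exe", UNKNOWN_DOWNLOAD)
    broker.request("alice", "analyst", r"C:\Installers\approved-setup.exe", UNKNOWN_DOWNLOAD)
    for rec in broker.audit_log:
        print(rec.user, rec.path, rec.decision.value, "-", rec.reason)
```

The design point is that the default is never “deny the user” but “no elevation”: the unapproved download still runs, just without the admin rights it would need to hijack the machine, and a tampered file at an approved path is caught by the hash check rather than trusted by its name. The audit log is what lets you show an auditor who was elevated, for what, and why.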

The Soft Cost of Identity Breaches

Many of you have been loyal customers of Wells Fargo for over a decade for lots of good reasons. But over the long President's Day weekend in February 2011, you may have received a call from them saying that one of the vendors you've paid recently has had a data breach and leaked your credit-card information.

They didn't tell you which vendor it was, but it was pretty easy to figure out, because they verified every recent purchase up to the one in question.

This got us thinking about the “soft” costs of data breaches. Whether this breach was an insider or hacker, it must have cost a good chunk of cash to call thousands of customers and re-issue a card to each one.

Then, we wonder how/if Wells Fargo punished this particular vendor. For some companies, relationships—even more so than data—are the most valuable asset they have and data breaches can put a lot of different relationships at risk.

Case Study: Saving Help-Desk Costs

Care New England, located in Providence, Rhode Island, was founded in 1996 by Butler Hospital, Kent Hospital, and Women & Infants Hospital. Care New England is a not-for-profit healthcare system that offers a continuum of quality care, including two teaching hospitals affiliated with the Warren Alpert Medical School of Brown University, Butler and Women & Infants; a community hospital, Kent; a visiting nurse and home care/hospice agency, Care New England Home Health; and the Care New England Wellness Center. Care New England's strengths are based on the complementary programs and distinctive competencies of its partner hospitals and agencies.

Keith Lee, End User Support Manager for Care New England, manages operations that provide end users with assistance for technical issues, which include desktop maintenance and administration. Keith's department supports over 4,800 desktops and over 10,000 desktop end users, including over 250 applications such as Horizon. Many of the desktops include laptops used by nurses in the field. The end users are dispersed all over the New England community in Massachusetts, Rhode Island, and Connecticut.

The large coverage area needed for support, along with the challenges of managing Horizon alongside all the other applications, created many challenges for Keith Lee's team. A substantial number of help-desk calls were focused around the need to have administrative rights to install applications or to run the many applications that required such rights. At the time, the only solutions available were to either send an IT tech to perform installations in person, provide admin rights to users who needed the privileged access to run applications, or give a user full administrative rights to perform installs or run applications.

“It took no time at all to realize that the options available at that time were unacceptable,” said Keith. “Costs increased due to the rise in help-desk calls and tech hours needed to perform simple installs. There were also several security threats and compliance issues to Care New England.”

Prior to installation, Keith's team spent a week building an automated process to test and migrate their policies into their selected least privilege solution. Initial deployment took only two weeks and Keith saw immediate benefits and the ability to operate transparently to the 10,000+ end users without pop-ups or consent dialogues.

Since the installation of a desktop least privilege solution, help-desk calls have decreased and users have the rights they need to safely install and run applications necessary to perform their job. The selected least privilege solution gives network administrators the ability to attach permission levels to Windows applications and processes with ease.

“I believe that if Care New England had decided to use another solution, we would have been forced to increase help-desk personnel, which would result in higher costs and substantial security concerns,” said Keith.

Trust Alone Is Not an Option

At the RSA Conference in San Francisco in early 2011, we conducted a survey of over 111 IT professionals like you to find out if people trust their cloud vendors with their data. The findings were rather interesting:

  • 71% of respondents wouldn't trust a cloud vendor with highly regulated data. Some participants even scoffed at the idea and the few who marked “yes” emphasized their wish for a “depends” option. If we can't trust our cloud vendors, how can we get there? What needs to happen so we can put sensitive data in the cloud? Let's keep going.
  • 60% of respondents don't know or aren't sure what their cloud vendors' privileged access policies are. Cloud vendors need to provide this information to their clients, but they won't unless customers ask for it. This is where customers of cloud vendors need to be more proactive. Set requirements for privileged access, ask questions, demand reports, know their policies.
  • At least 24% of respondents estimate that over 50 administrators have privileged access to their cloud-hosted data and 55% have no idea how many IT admins have privileged access. This is what makes privileged access from cloud vendors even more important—there's more IT staff and they don't work for your company. Is your cloud vendor doing what they can to limit the number of privileged access accounts with access to your particular data?
  • 44% believe IT security has no influence or not enough influence in cloud vendor selections. Cloud vendors are in a business and IT security costs erode their revenue and force them to charge more. If their clients don't see the value in security enough to make buying decisions based on it, that makes it a good business practice for cloud vendors to glaze over security best practices. The best time to investigate your cloud vendor's security reporting and practices is BEFORE you buy from them.
  • 61% of respondents have over $100 million worth of data on cloud-hosted servers. No surprise here. Your data is priceless. It's worth the security investment to protect it. One respondent said she wished there was an option for “priceless,” because some data is worth so much, you just can't put a price on it.
  • 36% of respondents have made some kind of efforts specifically for preventing a leak to WikiLeaks at their organization. This is a bit off-topic from our cloud-centered survey, but it was interesting to see just how many organizations are really making an effort to prevent these emerging risks. Since WikiLeaks is primarily a risk only to very large organizations and is a reasonably new threat, the survey would indicate that the IT security industry has picked up on it very quickly.

In another survey that BeyondTrust conducted at the VMware show in San Francisco in the fall of 2010, over 55 respondents also had interesting things to say about trust in virtualized environments.

Has your company virtualized mission-critical servers?

  • Most of them: 21 (37%)
  • Some: 32 (56%)
  • None: 4 (7%)

If one of your colleagues wanted to steal sensitive information from a mission-critical virtual server in the company, do you think they could?

  • Yes: 28 (49%)
  • Maybe: 14 (25%)
  • No: 15 (26%)

What do you think your colleagues would be willing to do to get their hands on $20 million dollars?

  • Kill someone: 10 (17%)
  • Chop off their own arm: 9 (15%)
  • Jump into a water tank with a shark: 10 (17%)
  • Lose their job and leave the country: 20 (35%)
  • Leak information to a competitor: 20 (35%)
  • Wear a tutu: 23 (40%)
  • Steal data: 12 (21%)

Bottom line observations from this survey include:

  1. Sensitive servers are prevalent in a virtualized environment
  2. Staff WOULD steal data for money and
  3. Staff CAN steal data and the problem is incredibly clear

Calculating Your ROI for Least Privilege

So you've decided to implement a PIM solution because you've realized that a least privilege environment is a perfect way to eliminate the misuse of privilege from your corporation, help satisfy ever-changing governance mandates, and deliver on-demand entitlement reports and keystroke logs to auditors when required.

You've completed a comprehensive technical evaluation and gotten buy-in from all of the business stakeholders on cultural fit into the organization. Your final hurdle to overcome is a trip to the CFO to get a release on the budget required to procure and roll out across the enterprise. The only problem is that you know he is only going to respect your decision and approve the procurement if you can show a hard dollar savings and not just perceived soft productivity and compliance gains.

To quote The Hitchhiker's Guide to the Galaxy: “DON'T PANIC!” Many companies, large and small, have already implemented a least privilege solution across servers, desktops, virtualized, and cloud environments. Literally thousands of companies like yours have already taken the plunge, eliminated admin rights from their IT systems, and have realized significant hard-dollar savings across IT administration, help desk, audit, and governance areas.

Cost-Justifying Least Privilege

Ultimately, cost-justifying a least privilege solution, or any IT solution for that matter, is very specific to the way your company recognizes and monetizes specific hard and soft costs. We've given you many techniques and examples in this chapter that you can model for your individual needs, but remember to put values on:

  • Security: Privileged access is critical for smooth ongoing administration of IT assets. At the same time, it exposes an organization to security risks, especially insider threats.
  • Compliance: Privileged access to critical business systems, if not managed correctly, can introduce significant compliance risks. The ability to provide an audit trail across all stages of the least privilege solution is critical for compliance, and is often difficult to achieve in large, complex heterogeneous IT environments.
  • Reduced Complexity: Implementing an effective least privilege solution in large heterogeneous environments with multiple administrators, managers, and auditors can be an immensely challenging task.
  • Heterogeneous Coverage: An effective least privilege solution supports a broad range of platforms, including Windows, UNIX, Linux, AS/400, Active Directory, databases, firewalls, and routers/switches.

Weighing In

As you've seen, there is a cost that can be applied to apathy in relation to breaches and least privilege. By now, you should understand that managing risk can impact human behavior if done incorrectly. Those you set up as “under-privileged” will feel suffocated and likely rebel or withhold. Those who are “over-privileged” will either feel scared of screwing up and breaking something, or take full advantage of their privileges and abuse the system. Establishing a least privilege environment means the best of both worlds and creates the perfect balance. There are a lot of risks to letting insiders run free with mission-critical information. One of those risks is the cost it takes to mitigate a breach. It costs a lot to keep sensitive information secure, and least privilege is a way to keep those costs in check. Let's hear from our heroes:

Secure Sam:

It can be difficult to govern something that is constantly moving. An IT environment, as we've discussed in detail, is an ever-changing entity. People come and go, job descriptions change, and information filters in and out of the database. The thing that doesn't change, however, is the security that must accompany it. Another thing that doesn't change is the cost of keeping mission-critical data secure. Part of managing and governing a security plan, however, is identifying how to be secure AND cost-effective. Least privilege is the way to do that. By eliminating many of the reasons users need the help desk, the cost of keeping a company secure and compliant is an easy-to-fix problem. Least privilege truly mitigates the risk of admin-related tasks gone wrong, and as the person in charge of making sure all things IT run smoothly, it makes my job a lot easier.

Least Privilege Lucy:

Sometimes taking risks can be a good thing. Like building a financial portfolio or going whitewater rafting with friends. Risk in your company's IT environment, however, is never a good thing. Putting sensitive information into the hands of accident-prone or malicious insiders is a terrible idea. You cannot risk mission-critical information and put the security of your company in jeopardy. There are countless examples of organizations that have done this in the past year, and the results of their failure have been smeared all over the media. Because they took a risk and did not secure the inside perimeter of their enterprise, data was leaked and stolen. Information was made available to people with mal-intentions, and cyber criminals are growing all the more powerful. Because this is such a reality in the world today, organizations cannot risk allowing insiders the temptation to steal or manipulate sensitive information. That's where least privilege is an effective solution. By giving only those who need admin rights access to information, in addition to closely monitoring data and the use of it, companies can mitigate the significant risks associated with insiders and sensitive information.

Compliance Carl:

The idea of trust in an organization's IT environment kind of makes me laugh. Trust is a great thing, but not plausible whatsoever when talking about the security of mission-critical assets. It's amazing how many times trust is given as the reason when asked why certain users have advanced administrative rights. “They've been with the company for so long so I know they're trustworthy” or “I trust them—they would never do anything bad” are just a couple of responses I've heard many times. The fact is this: even trustworthy and well-seasoned employees can have their credentials hijacked or make mistakes. Sometimes they have malicious intentions that no one is aware of. There is really no way to know; therefore, all employees in any given company should be treated the same, and in a way that ensures information is kept secure. Least privilege is the answer. In order to be completely compliant, users must only have access to the information they absolutely need. This is especially true in a cloud setting, as there are oft-uncontrolled variables at work. The bottom line is this: least privilege saves money, keeps information secure, and allows your corporation to remain compliant.
