Privileged Users and the Threat of Cyber Attacks
Every privileged account on your network is like a large chef's knife in the kitchen—necessary, but potentially dangerous.
Privileged accounts are typically given only to systems administrators and others who need elevated, unfettered access to a network's underlying platform. Overall, that's a good thing. But it also threatens your organization with two major risks:
- Privileged account usernames and passwords can be stolen by cyberthieves from outside of your organization, who can then use this access to steal valuable data or introduce crippling malware into your systems.
- Your own employees can go rogue, becoming malicious insiders who either steal privileged accounts from others, or misuse their own access rights.
For an example, Terry Childs, an application developer for the City of San Francisco, locked every member of the city's IT staff out of all critical systems. These systems were connected by a network that Childs had helped develop, and he secretly locked down the network with a password only he knew.
Only after being arrested and spending 9 days in prison did Childs give up the password. Two years later, he was convicted of felony computer tampering and sentenced to four years in jail. In the meantime, his crime had cost the City of San Francisco an estimated $1.5 million in losses.
Root of all Evil
Such incidents are becoming more common. In fact, one security firm estimates that fully 100% of all advanced attacks are made by exploiting privileged credentials. Damage caused by privileged users or those impersonating them is the most extensive, hardest to mitigate and most difficult to detect because authorized users are doing things they are authorized to do.
A Ponemon Institute report involving more than 740 IT security and operations managers, found that nearly half of managers expect the risk of privileged user abuse to increase. Similarly, 60% said they believe their organizations are unnecessarily granting access to users beyond their roles and responsibilities.
When asked whether they thought the abuse would come from inside or outside the organization, respondents to the survey were evenly split. Nearly half said it was likely or very likely that social engineers outside their organizations would target privileged users to obtain their access rights. And 46% said it was likely or very likely that malicious insiders would target privileged users to obtain their access rights.
What's the best way to protect against privileged access abuses? You can't simply revoke this level of access. After all, your sys admins need access to your network's inner workings. But you can take some concrete, protective steps. Here are 4 recommended by CERT and the SANS Institute:
- Leverage privilege control tools instead of providing direct access to privileged accounts. Tools like "sudo" for Linux and Unix allow authorized users to obtain root/admin privileges as needed, and are far more customizable than providing blanket access to root/admin accounts. This also simplifies the need to audit user actions and associate particular actions to specific users.
- Enforce separation of duties and the principle of least privilege. The former means not allowing any single employee the ability to perform all privileged actions for a system or application. The latter means granting employees only the bare minimum privileges they need.
- Implement strict password and account policies and be sure to enforce them for all users.
- Log and monitor employees' online actions. It's best to use a variety of techniques to see what actions your privileged users are taking.
To be sure, putting these policies into practice can be a challenge. That's why Masergy recommends using behavioral analytics to anticipate and discover aberrant activities. To learn more, see Masergy's Unified Enterprise Security white paper.