Three steps to avoid being the next victim of an insider data breach
You may be wondering why I’ve chosen to focus specifically on "insider" breaches. The answer is simple: virtually every breach of any consequence has been the result of the abuse, misuse, or hijacking of legitimate user credentials. More often than not, the credential in question is an administrative login such as root (the superuser), a database administrator, a system administrator, or one of the myriad admin accounts that proliferate across every business system that processes and stores sensitive data.
Let me start by providing you with some background.
In order for an employee to do their work on the company network, they must have a user account with sufficient permissions to reach the files and data their role requires. Accounts are granted a wide range of permissions depending on the role. The high-risk accounts have the most permissions and are typically able to install software (or malware), view (and edit) logs, or reboot (or shut down) an entire system. To keep the network safe, it is mandatory to maintain control over which accounts are permitted to perform which tasks. Unfortunately, tracking and changing account permissions in real time is difficult, and in many organizations it is no longer treated as standard practice.
For example, an organization may share the administrator credentials with multiple staff members who need access to certain data or files to do their jobs. To make matters worse, because the credentials are tied to the system rather than to an individual employee, there is no accountability. If something goes wrong it will be almost impossible to identify which employee caused the issue: every log entry shows the same shared account, several people use it, and there are likely even more users the company is unaware of. This is why bad actors target these privileged credentials. If they can get their hands on an administrator password, they can roam the network with no limits and no accountability. So, when I use the term "insider", I am not necessarily talking about a bad employee who has gone rogue, but about cybercriminals who have gained inside access through stolen credentials.
So how can we minimize the risk of an outsider getting insider credentials without getting in the way of tasks that need to be completed? There are three fundamental practices that can dramatically minimize the opportunity for bad actors to obtain and abuse privileged credentials:
Step One: Eliminate password sharing. Instead, create a process around issuing passwords. Since the password is the gateway to danger, anything that adds individual accountability when an employee uses a privileged account is a good thing. While it is possible to control the request, issuance, and return (along with the changing) of privileged passwords through manual processes and home-grown solutions, these practices usually prove too inefficient and error-prone to deliver the desired value. There is a whole category of privileged account management called password vault solutions that automates and controls precisely this process: a named user requests a specific credential for a stated reason, the vault issues it only when the established criteria are met, and the issuance and return are recorded against that user. With privileged passwords locked away and only issued when those criteria have been met, the risk of misuse is minimized and individual accountability is created. The best password vault solutions will also manage system passwords and service accounts, and will change each password after every use so that an issued value cannot be reused or quietly retained.
Step Two: Add analytics to the mix. Controlling the flow of passwords is a valuable and necessary action, but it is not the apex of privileged access management. Analytics provide additional support that further minimizes risk while adding important insight to bolster the security of a privileged access management deployment. Two types of analytics prove valuable. The first is behavioral analytics. This technique looks at user actions, and even behavioral biometric data such as keystroke and mouse-movement tendencies, to detect instances where malicious activity is being performed through a legitimate account. The second is identity analytics. This approach looks at the potential for bad actions by evaluating the permissions granted to every user and administrator account. Identity analytics can find permissions that are out of alignment with company policy, with the norms of the user's peer group, or even with similar job roles at outside organizations.
Step Three: Expand the monitoring of permissions and account access beyond your internal workforce. As many recent breaches have shown, third parties, partners, and contractors are often the weak link in a privileged access management strategy. While these outside users often have legitimate needs to use your privileged credentials, steps should be taken to ensure that those accounts can reach only the credentials they need to fulfill their role, and that all activity they perform is fully monitored, controlled, and evaluated. The password vault and analytics you implement should apply to all users, internal and external, who may pose a risk.
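The three steps above can be modelled in a few dozen lines. The following Python is an added example, not code from the original article or from One Identity's products: it simulates a vault that issues a privileged credential to one named user at a time, records every request in an audit trail, and rotates the secret on check-in (step one); it then runs two identity-analytics checks over the same directory, one against a role policy and one against peer-group norms (step two); and the directory deliberately includes contractor accounts so the same rules cover external users (step three). The user directory, the `ROLE_POLICY` table and the entitlement names are constructed for illustration, and rotation is simulated by generating a fresh random token rather than by changing a password on a real system.

```python
import secrets
from collections import Counter, defaultdict

# Constructed sample directory (not real data): each user has a job role, an
# internal/external flag, and the privileged credentials they may check out.
# erin and frank are contractors; the vault and analytics treat them like staff.
USERS = {
    "alice": {"role": "dba", "external": False, "entitlements": {"db-admin", "db-read"}},
    "bob":   {"role": "dba", "external": False, "entitlements": {"db-admin", "db-read"}},
    "carol": {"role": "dba", "external": False, "entitlements": {"db-admin", "db-read", "root-prod"}},
    "dave":  {"role": "sysadmin", "external": False, "entitlements": {"root-prod", "root-staging"}},
    "erin":  {"role": "sysadmin", "external": True, "entitlements": {"root-prod", "root-staging"}},
    "frank": {"role": "helpdesk", "external": True, "entitlements": {"db-read", "root-prod"}},
}

# Hypothetical company policy: the entitlements each role is allowed to hold.
ROLE_POLICY = {
    "dba": {"db-admin", "db-read"},
    "sysadmin": {"root-prod", "root-staging"},
    "helpdesk": {"db-read"},
}


class Vault:
    """Minimal check-out/check-in model of a privileged password vault."""

    def __init__(self, credentials, users):
        self.users = users
        # Simulated secrets; a real vault would set these on the target systems.
        self._secrets = {name: secrets.token_urlsafe(24) for name in credentials}
        self._holder = {}   # credential -> user who currently holds it
        self.audit = []     # (event, user, credential, reason) records

    def checkout(self, user, credential, reason):
        """Issue the current secret to one named user; only one holder at a time."""
        entitled = credential in self.users.get(user, {}).get("entitlements", set())
        if not entitled:
            self.audit.append(("denied", user, credential, reason))
            raise PermissionError(f"{user} is not entitled to {credential}")
        if credential in self._holder:
            raise RuntimeError(f"{credential} is already checked out to {self._holder[credential]}")
        self._holder[credential] = user
        self.audit.append(("checkout", user, credential, reason))
        return self._secrets[credential]

    def checkin(self, user, credential):
        """Return the credential and rotate it, so each issued value is single-use."""
        if self._holder.get(credential) != user:
            raise PermissionError(f"{user} does not hold {credential}")
        del self._holder[credential]
        self._secrets[credential] = secrets.token_urlsafe(24)
        self.audit.append(("checkin+rotate", user, credential, ""))

    def holder_of(self, credential):
        return self._holder.get(credential)


def policy_violations(users, policy):
    """Identity analytics, policy view: entitlements beyond what the user's role allows."""
    return sorted(
        (name, ent)
        for name, u in users.items()
        for ent in u["entitlements"] - policy[u["role"]]
    )


def peer_group_outliers(users, threshold=0.5, min_peers=2):
    """Identity analytics, peer view: entitlements held by fewer than `threshold` of the
    user's role peers. Roles with fewer than min_peers members have no norm to compare to."""
    by_role = defaultdict(list)
    for name, u in users.items():
        by_role[u["role"]].append(name)
    findings = []
    for members in by_role.values():
        if len(members) < min_peers:
            continue
        counts = Counter(e for m in members for e in users[m]["entitlements"])
        for m in members:
            for ent in users[m]["entitlements"]:
                share = counts[ent] / len(members)
                if share < threshold:
                    findings.append((m, ent, round(share, 2)))
    return sorted(findings)


if __name__ == "__main__":
    vault = Vault(["root-prod", "db-admin"], USERS)
    first = vault.checkout("erin", "root-prod", "change #123")   # contractor, fully logged
    vault.checkin("erin", "root-prod")                            # rotated on return
    second = vault.checkout("dave", "root-prod", "kernel patching")
    print("rotated after use:", first != second)
    print("audit:", vault.audit)
    print("policy violations:", policy_violations(USERS, ROLE_POLICY))
    print("peer-group outliers:", peer_group_outliers(USERS))
```

Run as a script it shows the two findings the analytics produce on the constructed directory: carol holds `root-prod` although no other DBA does and the DBA policy does not allow it, and frank, a helpdesk contractor, holds `root-prod` outright. Note that the peer-group check alone would not catch frank, because he is the only member of his role; that is why the policy check and the peer check are run together.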
In conclusion, the risk of an "insider" threat is high, but the opportunity to manage access is there for the taking. Following the simple steps of eliminating password sharing, implementing comprehensive analytics, and expanding the scope of privileged access management beyond internal users to any third party that requires access will dramatically fortify your enterprise against the ever-growing threat of a breach.
Jackson Shaw is Senior Director of Product Management for One Identity’s Identity and Access Management product line. Prior to One Identity, Shaw was an integral member of Microsoft’s Identity and Access Management product management team within the Windows Server Marketing group at Microsoft. While at Microsoft he was responsible for product planning and marketing around Microsoft’s identity and access management products including Active Directory and Microsoft Identity Manager.