Privileged account abuse is one of the most dangerous threats because it is relatively easy to execute and takes a long time to detect. The 2017 IBM Cost of Data Breach Study disclosed that organizations lost at least $3.62 million on forensic and investigative activities, remediation and legal expenditures associated with security incidents in 2016. But the overall damage for businesses can be irrecoverable.
No matter who the threat actor is — a disgruntled ex-employee looking for revenge or an insider with sticky fingers anticipating financial gain — privilege abuse patterns are pretty much the same. Four common scenarios offer cybersecurity professionals valuable lessons about proper privilege account management.
Scenario 1: Privilege Abuse
The simplest and most common situation is when an insider uses legitimate permissions for malicious activities. A vivid example of this is the July 2017 Anthem breach in which a third-party consulting firm, LaunchPoint Ventures, discovered one of its employees, in July 2016, had sent a file containing personal health identity information of 18,500 Anthem customers to his personal email. Besides that, the employee allegedly committed identity theft and misused non-Anthem data.
The investigation is underway. It is not yet known how the attack started, what the motives were, or what the employee did with the stolen data. But both Anthem and LaunchPoint are likely to face fines for noncompliance, bad publicity, and lawsuits from enraged customers.
Lesson Learned: Be aware of what your employees and contractors are doing by regularly monitoring the activity of all privileged users. You can deter misbehavior simply by letting people know they are being watched.
Scenario 2: Privilege Escalation
Privilege escalation is when an insider deliberately raises his or her level of permissions to get more access rights. Privilege escalation requires more effort and knowledge than simple privilege abuse. The most obvious example is the case of Edward Snowden, a contractor who worked as a systems administrator for the NSA, who leaked classified details of an NSA electronic surveillance program to the Washington Post and the Guardian in 2013.
We don't know all the details, but the most reasonable version of what happened is that the agency had poor visibility into user activity and little awareness of the keys and certificates in the IT environment. Snowden fabricated digital keys to obtain privileged access to areas way above his clearance. He also asked some NSA staffers for their usernames and passwords under the pretext that he needed them for his job.
Lesson Learned: Make sure you have rigorous control over access to systems that store confidential information, and a complete key and certificate inventory. In addition, remind your employees about your security policy and the consequences of violating it, for example, by sharing their passwords.
Scenario 3: Unauthorized Access
The unauthorized use of another user's account is particularly difficult to detect and investigate. It occurs when an employee either purposely steals someone's credentials or obtains them by mistake. These cases rarely go public, but here is one good example. Before leaving his job at engineering firm Allen & Hoshall and starting his own competitive business, Jason Needham gained the email credentials of a colleague and used them over the next two years to steal marketing proposals and client correspondence — as well as the rotating password credentials to the firm's FTP server. This enabled Needham to download schematics, staff emails, budget plans, and other sensitive data.
It is still unknown how Needham gained access to his colleague's account. Most likely, the credentials were either left in a visible location (hello, sticky notes on the screen) or were shared with Needham voluntarily. Since the company couldn't explain to regulatory bodies how the incident happened, it's fair to conclude they didn't have sufficient awareness of what was happening in their systems.
Lesson Learned: Detecting account hijacking can be tough, but thorough monitoring and analysis of user activity will help you detect anomalies that could indicate a security incident. It's also a good idea to implement a user termination policy that includes steps such as immediately disabling the employee's account, terminating VPN and remote desktop access, and changing all shared account passwords. Be sure that the policy is closely followed whenever an employee quits or is terminated.
Scenario 4: Human Error
Human mistakes are perhaps the most common type of privilege abuse. Actually, there are two types of mistakes to consider: when a user accidentally misuses access rights that were granted properly, or an admin grants a user excessive access rights by mistake or out of negligence. I bet every organization has experienced this issue. One example that was made public was about two employees at Vanderbilt University Medical Center (VUMC), who were granted access to 3,000 patient medical records that they didn't need for work. Their unauthorized access to this protected health information continued for 19 months, until it was discovered during a routine audit of access logs.
The audit revealed the employees had viewed far more information than was necessary to perform their work duties, such as patients’ Social Security numbers and medical record numbers. While VUMC does not believe that any data was misused, the individuals involved were disciplined for their actions, and the data breach is a violation of HIPAA regulations.
Lesson Learned: Strictly enforce the least-privilege principle to minimize the amount of data each employee can reach, and closely monitor user behavior to detect suspicious activity and new patterns. Also educate users about proper behavior and let them know they are being monitored; these steps can go a long way toward preventing costly mistakes.
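As an added example (not code from this article or from Netwrix), here is a small access-log review in Python in the spirit of the routine audit that surfaced the VUMC access and of the user-activity monitoring recommended in Scenarios 3 and 4: it flags actions outside a role's allowed set (least privilege) and users who touch far more distinct records than their role peers. The log format, role names, allowed-action table and threshold factor are all assumptions.

```python
"""Review a records-access log for privilege misuse (constructed example)."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log, one event per line:
# "timestamp user role action record_id". bjones is the outlier.
SAMPLE_LOG = [
    "2017-06-01T08:02:11 jdoe billing VIEW_BILLING R1001",
    "2017-06-01T08:05:40 jdoe billing VIEW_BILLING R1002",
    "2017-06-01T08:09:03 asmith billing VIEW_BILLING R1001",
    "2017-06-01T08:12:27 asmith billing VIEW_BILLING R1003",
] + [
    f"2017-06-01T09:{i:02d}:00 bjones billing VIEW_BILLING R2{i:03d}"
    for i in range(10)
] + [
    "2017-06-01T09:30:00 bjones billing VIEW_SSN R2011",  # outside role
]

# Assumed least-privilege policy: which actions each role may perform.
ROLE_ALLOWED = {
    "billing": {"VIEW_BILLING"},
    "clinician": {"VIEW_CLINICAL", "VIEW_BILLING"},
}


def parse(lines):
    """Turn raw log lines into event dicts."""
    events = []
    for line in lines:
        ts, user, role, action, rec = line.split()
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "rec": rec})
    return events


def review(events, allowed=ROLE_ALLOWED, factor=3.0):
    """Return findings: out-of-role actions, and users whose distinct-record
    count exceeds `factor` times the median for their role."""
    findings = []
    records = defaultdict(set)  # user -> set of distinct record ids
    role_of = {}
    for e in events:
        role_of[e["user"]] = e["role"]
        records[e["user"]].add(e["rec"])
        if e["action"] not in allowed.get(e["role"], set()):
            findings.append(("OUT_OF_ROLE_ACTION", e["user"], e["action"], e["rec"]))
    counts_by_role = defaultdict(list)
    for user, recs in records.items():
        counts_by_role[role_of[user]].append(len(recs))
    for user, recs in records.items():
        baseline = median(counts_by_role[role_of[user]])
        if len(recs) > factor * baseline:
            findings.append(("EXCESSIVE_VOLUME", user, len(recs), baseline))
    return findings
```

Run against a real export, the peer-median baseline should be computed over a longer window and a larger role population than this constructed sample.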
The Main Lesson
These four common scenarios for privilege abuse resulting in data compromise all share the same key problem: a poor understanding of what users are doing in critical systems and how they interact with sensitive data, according to the 2017 Netwrix IT Risks Report, which my company recently published. To mitigate the threat of privilege abuse, security pros need to ensure that users have only the permissions they need to perform their duties, and monitor user activity across all levels of IT infrastructure.
Michael Fimin joined Netwrix Corporation in 2007, bringing more than a decade of IT industry experience, management practices and innovation. Prior to joining Netwrix, Michael held several key positions at Aelita Software (later acquired by Quest Software), driving the ...