Vulnerabilities / Threats // Insider Threats
04:00 PM
Connect Directly

Privileged Use Also a State of Mind, Report Finds

A new insider threat report from Raytheon and Ponemon reveals a "privileged" user mindset.

Most users with privileged access say they peek at their organization's sensitive or confidential data out of curiosity -- not as part of their work, a new study finds.

According to a Ponemon Institute report commissioned by Raytheon (registration required), 73% of privileged users -- network engineers, database administrators, security professionals, and cloud computing administrators -- say they are authorized to view all the information they can via their user privileges, and 65% of them do so merely because they are curious about the information.

"There's the human factor: [the ones] where it's not their job to go exploring. Over half are accessing that information just because they want to see what's out there," says Michael Crouse, director of insider threat strategies at Raytheon. "A person being curious and then exposes [data] could do damage to the company."

Crouse says the Ponemon report also shows how many of these users have a "sense of superiority" merely because they have such vast access to data in their organizations. "That tells me that's alarming to a CIO or CISO." The danger is that these entitled users may feel "above the law" and free to snoop at data unnecessarily.

According to the report, 83% of organizations say insider threats are worrisome, but they have trouble spotting potential insider threat activity. Nearly 70% say their security tools don't provide the analysis and context to determine intent behind incidents, and nearly 60% say their tools flood them with false positives.

Nearly half say a malicious insider likely could use social engineering or other ways to get another user's data access privileges, and 45% say outside attackers could socially engineer and target privileged users to gain access to their enterprise infrastructure.

Half of the respondents consider customer data most at risk, while 59% say general business information is in the bull's eye. A little more than 70% use authentication and identity management tools to track and manage insider threat issues.

"We've spoken to [enterprises] around the country and internationally, and they don't want to be the next Booz Allen" or government agency with a malicious insider, Crouse says. "They are trying to stay out of the limelight."

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/28/2014 | 8:55:14 PM
Nice paper here from SANS on setting up database logging and monitoring:

Surprised that the percentage using tools to track insiders isn't close to 100 in this and every other study with all the products that are out there.


Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
5/28/2014 | 12:43:02 PM
Re: Privileged means bad
Absolutely. Even if these privileged insiders had no intention of sharing the information or leaking it, if they get targeted, then their credentials can be abused by the bad guys, etc. 
User Rank: Apprentice
5/28/2014 | 12:36:00 PM
Re: Privileged means bad
It can be misunderstood as curiosity but in real senses it poses a danger to an organization. Think of an external party getting advantage of the 'privileged few' curiosity escapades and they get to access important and sensitive information about the organization. Things concerning their clients' personal details, their financial dealings, plan for the organization. This can pose as a threat since competitors' will bank on the information and use it to their advantage.
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.