informa
5 min read
article

How To Monitor And Control Privileged Users

Top executives, power users, and IT administrators may have access to more than they should. Here are some tips for keeping them in check
[Excerpted from "Monitoring and Controlling Privileged User Access," a new report posted this week on Dark Reading's Insider Threat Tech Center.]

Network administrators, PC support, engineers, server administrators -- they all do a great job of keeping our applications up and our data accessible. So what happens when they go rogue or inadvertently cause harm? The past 20 years of computer history is speckled with cases of internal sabotage, inadvertent losses and outright betrayal by those we trust the most -- our privileged users.

The threat to data by insiders appears to be trending downward, but it is also the most difficult to mitigate -- especially when the threat comes from users with elevated privileges. While there are dozens of methods that address certain elements of privileged-insider risk, the best approach is a comprehensive and layered one that involves people, process and technology.

According to InformationWeek Reports 2012 Strategic Security Survey, 52% of respondents said insiders were the top security threat at their organization. Although the 2012 Verizon Data Breach Investigations Report found that the incidence of misuse -- "the use of entrusted organizational resources or privileges for any purpose or in a manner contrary to that which was intended" -- has been decreasing in the past few years, the threat is still worrisome. The 2010/2011 CSI Computer Crime and Security Survey, for example, found that the threat of malicious insider actions and nonmalicious insider actions were up 20% for 28% and 26.6% of respondents, respectively.

The security controls around information must depend on the type of data and how it is employed. Data loss for a software company carries a much different implication than data loss in a financial organization. This is why understanding the CIA triad -- the security model of confidentiality, integrity, and availability -- is critical.

Confidentiality refers to information being available only to those who are authorized to view it. While it may be easy to understand the concept of confidentiality, it’s a lot harder to enforce it, especially when it comes to privileged users. Simply leaving a customer list on your desk to be viewed by a janitor could cost your company dearly should that person take the list to a competitor.

In other cases, a lost laptop can result in the identity theft of millions of users. In 2006, for example, a data analyst contracting with the Veterans Affairs Department took home a laptop and an external hard drive that contained the unencrypted personal information of 26.5 million people. The laptop was stolen, exposing a massive amount of sensitive data -- a prime example of a user with elevated privileges causing a major loss.

Indeed, confidentiality takes on an entirely different challenge when we begin the discussion of protecting data from privileged users. Many of these users have server administrator-level access to data, and database administrators can read the contents of the databases they maintain. Finding a way to protect the confidentiality of data from these users can be problematic, to say the least.

The phrase “data integrity” is often thrown around, but it’s rarely given the attention and understanding required to gauge its true meaning. The main goal in ensuring data integrity is to prevent it from being modified or destroyed. This applies to data in transit and at rest. A memorable example of data whose integrity was not protected occurred with the Gentoo Linux operating system. The unauthorized modification of the UnrealIRCd package (which went unnoticed for months) led to the compromise of a major Linux distribution release.

In addition to intentional insider attacks, many of your integrity issues will come from mistakes made by users with elevated permissions. In a recent case, a proactive network administrator found some older backup software installed on several servers and removed it, replacing it with the current version. Unfortunately, the older software was there because the new backup software corrupted the database contents on the servers. All the data was corrupted and had to be restored from backup.

The third component of the CIA triad, availability, is pretty straightforward: Data should be available to those who need it when they need it. For a major U.S. news agency, for example, any downtime at all is not only embarrassing but could cost millions in lost advertising and customer confidence. According to Income Diary, Google makes $691.27 per second. You only have to do the math to determine the cost of even an hour’s downtime for the search company.

While there are a number of ways to ensure uptime, many of them require close monitoring by an administrator. That same administrator could misconfigure a load balancer and block access to a website or online resource. This is why any such changes must be closely monitored and approved. Many of these issues can be solved by requiring partner oversight. This means that any change must be approved and implemented by two administrators. Policy-level controls, combined with technology, can provide a greater overall level of security.

To get more insight on protecting your data from abuse by privileged users -- and for a look at some of the technologies that can help monitor and enforce privileged user policies -- download the free report on managing security for privileged users.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.