While much ado has been made in 2014 of mega breaches coming at the hands of external hackers, the truth is that insider attacks are still top of mind for security practitioners today. In fact, a report out just recently from PwC shows that malicious activity from current and former employees is the most cited risk for cyber security to contend with, above the actions of organized criminals, nation-states, or any other outside attacker. Not long after that report, the industry got a stark reminder of why it's such a concern, with news breaking that an employee at AT&T managed to tap into a customer database and access sensitive information for approximately 1,600 telco subscribers.
The breach highlights once again the importance of privileged identity management and identity-aware monitoring to make sure that employees only have access to the data they need to get their jobs done and that they don't abuse their privileges to access that data to compromise customer records.
"One must realize that there is no 100% way to keep a malicious employee who has access from compromising customer data. The best way to prevent this is by restricting access to only those who need it," says Chris Silva, senior director of development for BeyondTrust. "For instance, does a customer support rep need access to Social Security data? Likely yes, so they can verify the identity of a caller -- but you can limit the potential damage by logging all transactions, and by limiting the scope of what an individual can access."
It's still unclear what kind of employee caused the situation at AT&T, though Silva speculates that the firm may have had some controls in place, considering that 1,600 compromised records is relatively small compared to the firm's entire customer data store. However, it does serve as a reminder of why organizations need to find ways to keep a tight rein on accounts that control a large amount of sensitive data.
"Although details are sparse about this situation, it is not uncommon for database administrators to have unlimited and unaudited access to vast amounts of customer data without any oversight," says Phil Lieberman, CEO of privileged identity management firm Lieberman Software. "One of the most feared scenarios is the compromise of a database administrator and their ability to surreptitiously steal information for resale or other use."
Greater accountability through better privileged access management can also potentially put in check some types of intellectual property (IP) theft. For every AT&T, there are dozens of costly insider attacks involving IP that go unreported: when matters are internal, many companies choose not to disclose them unless they're legally required to do so. PwC's study showed that 75% of organizations don't report insider theft.
Similarly, instituting the principle of least privilege tends to limit the severity of external attacks, which often depend on lateral movement through the network via poorly managed privileged accounts.
The following are some key ways organizations can get started.
Enumerate privileged accounts
"If you cannot measure the environment effectively for privileged accounts, you will never be able to properly remove or manage them," says Silva. "Auditors basically want to know where all the privileged accounts are located in an environment."
Organizations should also recognize that privileged users may come in the form of different roles besides IT administrators.
"Traditionally we call administrators privileged users. But in practice, important users, like [line-of-business] managers, can cause serious problems through IT systems," says Csaba Krasznay, product manager for BalaBit. "For that reason it is advised to control and monitor their activity as well."
Attach identities to accounts
Insider breaches may never be detected at all if super-user account credentials are shared and reused by multiple employees across IT and the rest of the business. It sounds like common sense to limit that kind of access, but these accounts are shared in enterprises every day.
"As a basic step, accountability should be provided for all privileged access," says Krasznay. "All privileged users should have their own identity in the system."
Limit the data available to any one employee
The AT&T breach highlights the need for automated systems to not only monitor access to sensitive systems but also to limit how much access to data an employee can accumulate, Lieberman says.
"This scenario points out the need for behavioral analysis and response systems that trigger a lockout and organizational response when 'normal' behavior of data access is violated," he says.
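The volume-based check Lieberman describes, as an added example that is not code from the article or from any vendor quoted in it: it runs over constructed customer-lookup log lines and flags any user who touches more distinct customer records inside a rolling window than a set limit, the point at which a lockout and organizational review would be triggered. The log format, the limit and the user names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (timestamp, user, customer record looked up); not from the article.
SAMPLE_LOG = """\
2014-10-06T09:00:05 rep_a CUST-1001
2014-10-06T09:04:10 rep_a CUST-1002
2014-10-06T09:31:42 rep_a CUST-1003
2014-10-06T09:00:01 rep_b CUST-2001
2014-10-06T09:00:02 rep_b CUST-2002
2014-10-06T09:00:03 rep_b CUST-2003
2014-10-06T09:00:04 rep_b CUST-2004
2014-10-06T09:00:05 rep_b CUST-2005
2014-10-06T09:00:06 rep_b CUST-2005
2014-10-06T09:00:07 rep_b CUST-2006
"""


def parse_log(text):
    """Return (timestamp, user, record) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, record = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, record))
    events.sort(key=lambda e: e[0])
    return events


def find_violations(events, window_seconds=3600, max_distinct_records=5):
    """Map user -> (time of first violation, distinct records in window) for users who
    touched more distinct customer records than the limit within any rolling window."""
    recent = defaultdict(deque)  # user -> (timestamp, record) pairs still inside the window
    violations = {}
    for ts, user, record in events:
        q = recent[user]
        q.append((ts, record))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # evict expired entries
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct > max_distinct_records and user not in violations:
            violations[user] = (ts, distinct)
    return violations


def lockout_decisions(text, **limits):
    """True for each user whose lookup volume should trigger a lockout and review."""
    events = parse_log(text)
    flagged = find_violations(events, **limits)
    return {user: user in flagged for user in {u for _, u, _ in events}}
```

Repeated lookups of the same record (rep_b and CUST-2005 above) do not raise the distinct count, so a rep re-checking one caller's account is not penalized, while a sweep across many accounts is.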
Monitoring and other super-user risk mitigation
Sometimes it may not be possible to tie every privileged account to a user identity. In that case, monitoring and other mitigating practices can help reduce risks.
"For many organizations, robust privileged password management practices with such controls as check-in and check-out of administrator credentials, automatic password cycling, and session recording may suffice," Silva says. "In some cases more fine-grained delegation policies that remove administrator or root credentials from users may be more applicable."