A growing threat: Privileged user abuse

Michael Crouse, director of insider threat strategies, Raytheon Cyber Products Company

A U.S.-based global energy company employee with privileged user access was enticed by a foreign company to steal source code and other intellectual property from his employer. As a result of his theft, the company lost three quarters of its revenue, half of its workforce, and more than $1 billion in market value.

An incident that caused this much damage might be dismissed as an anomaly, but it is not. It is an all too common example of one of the costliest risks companies face daily: privileged user abuse. According to a national fraud survey, $348 billion a year in corporate losses can be tied directly to privileged user fraud.

Chief information officers across the country are keenly aware of the threat not only to their intellectual property, but ultimately to their bottom line. The risk of intellectual property theft isn't limited to a certain industry, it happens across the board from the financial sector to energy and health care to the federal government. In fact, the federal government is so acutely aware of this risk they recently issued a memo renewing their efforts to thwart privileged user abuse.

The concern in the commercial market is no less than that of the government, and a global survey of 5,569 IT practitioners by the Ponemon Institute showed 42 percent of respondents believe the threat will continue to grow. Increasingly aggressive federal regulations on commercial companies are compounding the cost of governance, risk, and compliance (GRC) by levying unprecedented penalties for breaches of oversight. U.S. regulators handed out more than $22 billion in fines to the financial industry during 2012, and the impact on market values, reputations, and civil liability will take years to tally.

Because privileged users have broader access and are constrained by fewer controls, they can reach more of their company's intellectual property, such as corporate data or confidential customer information. They may also have access to company computing assets that an average employee does not, for example laptops, USB devices and removable hard drives. Having this access can enable bad behavior by the privileged user, feeding the mentality that they are somehow "above the law" and not subject to the security restrictions that apply to other employees.

Other factors that contribute to a privileged user's potential to cause intense damage are:

  • They generally operate at a higher level on the network, which gives them access to enterprise information.
  • They know how to operate around, and routinely defeat, standards and technical controls.
  • They are authorized to make changes and access data at very high levels.
  • There is often inadequate or no monitoring of privileged users.
  • They, as individuals, and their tools, applications, remote access and computing resources are high-value targets for attack and/or coercion.

The Ponemon Institute report found that 64 percent of respondents think it is very likely or likely that privileged users believe they are empowered to access all the information they can view, and a similar percentage (61 percent) said they believe that privileged users access sensitive or confidential data because of their curiosity. A high percentage also said they believe that privileged users are actually allowed to circumvent IT security measures.

Looking ahead, the best approach to mitigating privileged user abuse is a comprehensive, layered one that implements best practices and involves both process and technology. The following guidance draws on the CERT Insider Threat Program's recommendations for approaching this rapidly growing challenge:

  • Identify the privileged user accounts on your company's network. Reduce the number and type of privileged user accounts where possible.
  • Train employees in the proper use of elevated access privileges including logging out after doing tasks that require them.
  • Use Privileged User Monitoring and Access (PUMA) tools that monitor activity by privileged users.
  • Adopt a new mindset that protects against internal privileged users, not just external threats.
  • Baseline privileged user behavior, monitor for outliers, and define a process to audit high-priority anomalies based on predefined thresholds.
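The last two points (monitor privileged activity, baseline it, and escalate outliers that cross predefined thresholds) can be shown concretely. The script below is an added example written for this article; it is not code from the author, from Raytheon or from the CERT program. It reads sudo's syslog-format lines, builds a per-user profile from a baseline window (hosts used, binaries run, hours of day, commands per day), then scores a later window against that profile. The log lines are constructed, and the thresholds (VOLUME_SIGMA, MIN_DAILY, PRIORITY_KINDS) are assumptions a real deployment would tune.

```python
"""Baseline sudo activity per privileged user and flag outliers.

Added example, not the article's or any product's code. Log lines are
constructed in the syslog format sudo writes; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: routine work by two privileged users.
BASELINE_LOG = """\
Mar  1 09:05:11 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  1 10:12:40 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql -c VACUUM
Mar  2 09:30:02 db01 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Mar  2 11:00:19 web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Mar  3 14:15:27 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar  3 15:40:55 web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/nginx/error.log
"""

# Constructed recent window: a night of bulk export and copy-off-host by alice.
RECENT_LOG = """\
Mar  9 02:10:03 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/pg_dump -Fc customers
Mar  9 02:12:48 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/scp /tmp/customers.dump alice@203.0.113.7:/data
Mar  9 02:14:10 src01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/src.tgz /srv/git
Mar  9 02:15:33 src01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/scp /tmp/src.tgz alice@203.0.113.7:/data
Mar  9 11:01:12 web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo: (?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed thresholds: a day is high volume when it exceeds the user's mean
# daily count by VOLUME_SIGMA standard deviations and is above MIN_DAILY; a
# user is audited first when PRIORITY_KINDS distinct signal types fire.
VOLUME_SIGMA = 2.0
MIN_DAILY = 3
PRIORITY_KINDS = 3


def parse_sudo_line(line, year=2013):
    """Return a record for one sudo syslog line, or None if it is not one."""
    m = SUDO_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    binary = m["cmd"].split()[0].rsplit("/", 1)[-1]  # basename of argv[0]
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "runas": m["runas"], "binary": binary, "cmd": m["cmd"]}


def parse_log(text, year=2013):
    return [r for r in (parse_sudo_line(l, year) for l in text.splitlines()) if r]


def build_baseline(records):
    """Per-user profile: hosts, binaries, hours of day and commands per day."""
    profile = defaultdict(lambda: {"hosts": set(), "binaries": set(),
                                   "hours": set(), "daily": defaultdict(int)})
    for r in records:
        p = profile[r["user"]]
        p["hosts"].add(r["host"])
        p["binaries"].add(r["binary"])
        p["hours"].add(r["ts"].hour)
        p["daily"][r["ts"].date()] += 1
    return dict(profile)


def find_anomalies(records, profile):
    """Score a window of records against the baseline; return alert dicts."""
    alerts, daily = [], defaultdict(int)

    def alert(r, kind, detail):
        alerts.append({"user": r["user"], "kind": kind, "detail": detail,
                       "ts": r["ts"].isoformat(), "cmd": r["cmd"]})

    for r in records:
        p = profile.get(r["user"])
        if p is None:                      # elevated command with no history at all
            alert(r, "no_baseline", "user has no baseline of elevated commands")
            continue
        if r["host"] not in p["hosts"]:
            alert(r, "new_host", r["host"])
        if r["binary"] not in p["binaries"]:
            alert(r, "new_binary", r["binary"])
        if r["ts"].hour not in p["hours"]:
            alert(r, "off_hours", f"{r['ts'].hour:02d}:00")
        daily[(r["user"], r["ts"].date())] += 1

    for (user, day), n in daily.items():   # volume outlier per user per day
        counts = list(profile[user]["daily"].values())
        limit = max(mean(counts) + VOLUME_SIGMA * pstdev(counts), MIN_DAILY)
        if n > limit:
            alerts.append({"user": user, "kind": "volume", "cmd": "*",
                           "detail": f"{n} commands (limit {limit:.1f})",
                           "ts": day.isoformat()})
    return alerts


def prioritize(alerts, min_kinds=PRIORITY_KINDS):
    """Users to audit first: those tripping at least min_kinds distinct signals."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["user"]].add(a["kind"])
    return sorted(u for u, k in kinds.items() if len(k) >= min_kinds)


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    found = find_anomalies(parse_log(RECENT_LOG), baseline)
    for a in found:
        print(f"{a['ts']} {a['user']:<6} {a['kind']:<11} {a['detail']}  {a['cmd']}")
    print("audit first:", prioritize(found))
```

On the constructed data, bob's reload of nginx on a known host, during his usual hours, produces nothing, while alice's 02:00 pg_dump, tar and scp commands to an unfamiliar address trip the new-host, new-binary, off-hours and volume signals, so she is the one queued for audit. Attribution relies on sudo logging the invoking user rather than a shared root login; a real deployment would also ship these lines off the host before a privileged user can edit them.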

It is a common myth among IT management staff that auditing privileged user activity is too difficult and complicated. The truth is that privileged user auditing does not have to be a complicated technical challenge if the auditing and monitoring solution is flexible, policy-based, and provides irrefutable attribution of each action to a particular privileged user rather than to a shared root or administrator account. The knowledge that your organization uses such auditing and monitoring technology is a huge deterrent against privileged user abuse, which will only continue to rise in 2014.
