A growing threat: Privileged user abuse
Michael Crouse, director of insider threat strategies, Raytheon Cyber Products Company
A U.S.-based global energy company employee with privileged user access was enticed by a foreign company to steal source code and other intellectual property from his employer. As a result of his theft, the company lost three quarters of its revenue, half of its workforce, and more than $1 billion in market value.
This incident caused such extensive damage one might consider it to be an anomaly, but it is not; it is an all too common example of one of the costliest risks companies face daily, that of privileged user abuse. According to a national fraud survey, $348 billion a year in corporate losses can be tied directly to privileged user fraud.
Chief information officers across the country are keenly aware of the threat not only to their intellectual property, but ultimately to their bottom line. The risk of intellectual property theft isn't limited to a certain industry; it happens across the board, from the financial sector to energy and health care to the federal government. In fact, the federal government is so acutely aware of this risk that it recently issued a memo renewing its efforts to thwart privileged user abuse.
The concern in the commercial market is no less than that of the government, and a global survey of 5,569 IT practitioners by the Ponemon Institute showed 42 percent of respondents believe the threat will continue to grow. Increasingly aggressive federal regulations on commercial companies are compounding the cost of governance, risk, and compliance (GRC) by levying unprecedented penalties for breaches of oversight. U.S. regulators handed out more than $22 billion in fines to the financial industry during 2012, and the impact on market values, reputations, and civil liability will take years to tally.
Because privileged users have greater access and are limited by fewer controls, they have access to more of their company's intellectual property, such as corporate data or confidential customer information. They may also have access to company computer assets that an average employee does not, such as laptops, USB devices, and removable hard drives. Having access to these assets may enable bad behavior by the privileged user, feeding the mentality that they are somehow “above the law” and not subject to the security restrictions that apply to other employees.
Other factors that contribute to a privileged user's potential to cause intense damage are: they generally operate at a higher level on the network which provides them with access to enterprise information; they know how to operate around and routinely defeat standards and technical controls; they are authorized to make changes and access data at very high levels; there is often inadequate or no monitoring of privileged users; and they, as individuals, and their tools/applications/remote access/computing resources are high-value targets for attack and/or coercion.
The Ponemon Institute report found that 64 percent of respondents think it is very likely or likely that privileged users believe they are empowered to access all the information they can view, and a similar percentage (61 percent) said they believe that privileged users access sensitive or confidential data because of their curiosity. A high percentage also said they believe that privileged users are actually allowed to circumvent IT security measures.
Looking ahead, the best way to mitigate privileged user abuse is a comprehensive, layered approach that implements best practices and involves both process and technology. The following points include guidance from the CERT Insider Threat Program on how to approach this rapidly growing challenge of privileged user abuse:
- Identify the privileged user accounts on your company's network. Reduce the number and type of privileged user accounts where possible.
- Train employees in the proper use of elevated access privileges including logging out after doing tasks that require them.
- Use Privileged User Monitoring and Access (PUMA) tools that monitor activity by privileged users.
- Adopt a new mindset that protects against internal privileged users, not just external threats.
- Baseline privileged user behavior, monitor for outliers, and define a process to audit high-priority anomalies based on predefined thresholds.
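One way to implement the last point above, as an added example that is not from the article or from CERT: each privileged account gets a baseline from its own history, and today's activity is scored against it with a median/MAD outlier test and sorted into audit priorities. The account names, daily counts, and the two threshold values are constructed assumptions.

```python
from statistics import median

# Constructed history: sensitive-object reads per day for each privileged account.
HISTORY = {
    "dba_alice": [12, 15, 11, 14, 13, 12, 16],
    "sysadm_bob": [3, 4, 2, 5, 3, 4, 3],
    "svc_backup": [200, 198, 205, 201, 199, 202, 200],
}
# Constructed observations for the day under review.
TODAY = {"dba_alice": 17, "sysadm_bob": 41, "svc_backup": 204, "net_carol": 9}

# Predefined thresholds (assumed values): score at which to review or escalate.
REVIEW, ESCALATE = 3.5, 10.0
MIN_DAYS = 5  # assumed minimum history before a baseline is trusted


def robust_z(history, value):
    """Modified z-score from median and MAD, so one old spike cannot inflate the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Floor the MAD so a perfectly flat history does not divide by zero.
    return 0.6745 * (value - med) / max(mad, 1.0)


def triage(history, today):
    """Return {account: (priority, score)} for accounts that need an audit."""
    findings = {}
    for account, count in today.items():
        past = history.get(account, [])
        if len(past) < MIN_DAYS:
            # No baseline yet: an unprofiled privileged account is itself an audit item.
            findings[account] = ("review", None)
            continue
        z = robust_z(past, count)
        if z >= ESCALATE:
            findings[account] = ("escalate", round(z, 1))
        elif z >= REVIEW:
            findings[account] = ("review", round(z, 1))
    return findings


if __name__ == "__main__":
    for account, (priority, score) in triage(HISTORY, TODAY).items():
        print(f"{priority:8} {account:12} score={score}")
```

Scoring each account against its own history is what keeps the high-volume backup account quiet at 204 reads while 41 reads from an account that normally makes three is escalated.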
It is a common myth among IT management staff that auditing privileged user activity is too difficult and complicated. The truth is that privileged user auditing does not have to be a complicated technical challenge if the auditing and monitoring solution is flexible, policy-based, and provides irrefutable attribution to a particular privileged user. The knowledge that your organization uses such auditing and monitoring technology is a huge deterrent against privileged user abuse, which will only continue to rise in 2014.