Jerome Kerviel, Terry Childs, Edward Snowden: All infamous insiders; all reviled to differing degrees for abusing their access to computer-based resources.
And likely, all of them could have been stopped if their respective employers had a better grasp on what these privileged users were doing.
New research commissioned by Raytheon Corp., asked 700 database administrators, network engineers, IT security admins and cloud computing admins about privileged user abuse. The results likely aren’t that surprising to IT managers: individuals are given more access than necessary to carry out their day-to-day duties; access is abused to view sensitive data that is not pertinent to their jobs; formal policies are lacking, and those that do exist are not properly enforced.
“One thing that gets people in trouble is if you have individuals with access to HR or IT information and they are their poking nose into financials or information about sales. Often they’re only doing it because they’re curious or feel they’re empowered,” said Michael Crouse, director of insider threat strategies at Raytheon. “Privileged users feel empowered they can view any information; ‘I can view it, I’m gonna look. If I’m given access, it must mean they want me to look at it, even though it has nothing to do with my job.’”
Half of the respondents to the survey said their respective organizations do not have policies for assigning privileged access, though for those companies that do, there are fewer ad-hoc approaches than the last time this survey was conducted, in 2011.
The problem is that insiders are trusted individuals, yet most organizations trust, but do not verify their actions. The result may not be as severe as Snowden’s surveillance revelations, Kerviel’s $7 billion in fraudulent transactions against Societe Generale SA, or the disgruntled Childs’ refusal to unlock critical systems belonging to the city of San Francisco, but can still expose companies to data or financial loss, or reputational harm.
“One thing we’re not doing well is we’re not auditing activities of individuals,” Crouse said. “People need that access and companies give it to them. But in the same sense, you have to audit and verify what they’re doing daily to make sure they’re doing their job and not outside their bounds and responsibilities. There’s not a lot of trust but verify out there.”
While most insiders violate policy out of curiosity, there are some who have malicious motives and are either working alone or with someone on the outside to steal customer or company data or sabotage systems. Perceptions have changed about this too since 2011, the survey results say. For example, 33 percent of respondents said intellectual property was at risk today, compared to 12 percent three years ago. Business financial and customer information were the types of data at most risk, respondents said.
What hasn’t changed much since 2011 is the confidence level that respondents have in their company’s ability to gain visibility into privileged insiders and determine policy compliance. Only 16 percent answered they were very confident, while 42 percent were not confident, largely because there isn’t a unified view of privileged access.
“That’s a tough number to swallow,” Crouse said. “Companies don’t have a good sense of what privileged users are accessing, or how they are able to protect that information.”
Insiders, the survey said, are also not shy about using privileged credentials of others inside a company; there was a 26 percent jump from 2011 in the likelihood of malicious insiders targeting privileged users to obtain their access rights, compared to a 15 percent jump in outsiders using social engineering to do the same.
Organizations may ultimately owe Edward Snowden a debt of gratitude for raising awareness over insider abuse; 58 percent said Snowden caused a significant increase in organizations’ level of concern over insider abuse, while another 31 percent admitted to a lesser level of concern.
“It’s a person problem, not a machine problem,” Crouse said. “Companies have to shift priorities and money to protecting against the insider threat. The quantity of breaches from insiders is lower, but the financial, reputational and confidence impact is greater from insider attacks. A lot of people are just now recognizing it.”