Thales Blog

Access Is King: A Lesson In Insider Threats

July 16, 2013

For better or for worse, the recent Edward Snowden affair has given the international community a long overdue wake-up call: those already safely inside the company walls pose a significant risk to the security, and thus the overall health, of the business.

In Wayne’s last blog, he rightly pointed out “praising or demonizing Edward Snowden misses the central issue. Instead, the issue we should be discussing is one of access rights and distribution. Data only has value when accessible, so it should only be consumable by those who truly have a ‘need to know’.”

As the corporate and government focus shifts back to looking at the trustworthiness of employees and contractors, specifically those insiders with ‘privileged user’ access rights, the question emerges: how do you continue to provision a high level of security without getting in the way of people doing their jobs?

As a first step, organizations of all sizes should determine who their privileged users are and what information they can access. Not every insider is a direct threat out to steal your prized resources; different insiders present different levels of risk and should be assigned a threat level accordingly.

For example, some ‘privileged users’ are C-level executives such as the CEO and CFO; these users see sensitive data as a routine part of their role, so that access is expected and, in itself, presents less of a risk. Working as a security engineer, Snowden held privileged access to large amounts of sensitive data and was able to abuse the wealth of access-control privileges assigned to him without anyone noticing. Did he need that level of unrestricted access to that amount of data? We may never know. But the important lesson from this event is this: whether you employ system administrators, contractors, auditors or even third-party outsourcing operatives, you must design access policies that align with each person’s purpose on your network.

In addition to the risk of malicious activity from insiders, a user with no ill will can cause a breach simply by clicking a link in a phishing email. As attackers increasingly target the human element, socially engineered campaigns of this kind, in which the user compromises himself or herself, are becoming more common. The network credentials of database administrators and system administrators, who routinely access sensitive data, are a juicy target: once compromised, they give cybercriminals the ability to view and steal information across the organization without anyone knowing.

At the end of the day, responsibility for comprehensive data protection lies with the host organization. The recent data breaches at gaming companies Ubisoft, Nintendo and Konami only underline that responsibility. Organizations handling sensitive information need security controls that both manage the access rights of privileged users inside and outside the database and gather security intelligence about what is happening to that data. That lets them monitor real-time events as well as a mountain of long-term data for anomalous patterns of usage, and alerts them to what they might not see at first glance.
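The two controls described above, access policies that align with a user's purpose and monitoring that finds anomalous usage patterns, can be illustrated with a small script. The example below is added here for illustration and is not code from Thales or from any product; the audit-log format, the sample log lines and the role-to-resource policy are all constructed assumptions. It first checks each event against a hypothetical need-to-know policy (which resource prefixes a role may touch), then builds a per-user baseline of rows accessed per day and flags later days that exceed that baseline by a large factor, the kind of bulk read an administrator's job rarely requires.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not from any real system).
# Fields: ISO timestamp, user, role, action, resource, rows touched.
SAMPLE_LOG = """\
2013-07-01T09:12:00 alice dba SELECT db/hr/employees 120
2013-07-01T10:30:00 alice dba SELECT db/hr/payroll 80
2013-07-02T09:05:00 alice dba SELECT db/hr/employees 110
2013-07-02T11:00:00 alice dba UPDATE db/hr/payroll 15
2013-07-03T09:20:00 alice dba SELECT db/hr/employees 130
2013-07-04T09:15:00 alice dba SELECT db/hr/employees 115
2013-07-05T23:40:00 alice dba SELECT db/hr/employees 48000
2013-07-05T23:55:00 alice dba SELECT db/hr/payroll 47000
2013-07-01T08:00:00 bob sysadmin READ host/web01/logs 300
2013-07-02T08:10:00 bob sysadmin READ host/web02/logs 280
2013-07-03T08:05:00 bob sysadmin READ host/web01/logs 310
2013-07-04T08:15:00 bob sysadmin READ db/finance/ledger 20
2013-07-05T08:00:00 bob sysadmin READ host/web01/logs 290
"""

# Hypothetical need-to-know policy: each role may touch only resources
# under these prefixes. Anything else is outside that role's purpose.
ROLE_POLICY = {
    "dba": ("db/",),
    "sysadmin": ("host/",),
    "auditor": ("db/finance/",),
}


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "resource": resource,
            "rows": int(rows),
        })
    return events


def policy_violations(events, policy=ROLE_POLICY):
    """Return events whose resource lies outside the allowed prefixes for the role."""
    violations = []
    for e in events:
        allowed = policy.get(e["role"], ())
        if not any(e["resource"].startswith(prefix) for prefix in allowed):
            violations.append(e)
    return violations


def volume_anomalies(events, baseline_days=4, factor=10.0, min_rows=1000):
    """Flag days where a user's total rows touched far exceed their own baseline.

    The baseline is the median daily volume over the user's first
    `baseline_days` days; a later day is flagged when it reaches at least
    `factor` times that median and an absolute floor of `min_rows`.
    Returns (user, day, rows, baseline) tuples.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e["user"]][e["ts"].date()] += e["rows"]

    alerts = []
    for user, days in per_user_day.items():
        ordered = sorted(days.items())
        baseline_window = [rows for _, rows in ordered[:baseline_days]]
        if len(baseline_window) < 2:
            continue  # not enough history to judge this user
        baseline = statistics.median(baseline_window)
        for day, rows in ordered[baseline_days:]:
            if rows >= max(min_rows, factor * baseline):
                alerts.append((user, day.isoformat(), rows, baseline))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for v in policy_violations(evts):
        print(f"POLICY {v['user']} ({v['role']}) touched {v['resource']} at {v['ts']}")
    for user, day, rows, baseline in volume_anomalies(evts):
        print(f"VOLUME {user} read {rows} rows on {day}, baseline {baseline}")
```

On the constructed log this reports one policy violation (the sysadmin reading a finance ledger his role has no business with) and one volume anomaly (the DBA pulling tens of thousands of rows late at night against a baseline of about 130 per day). The policy check is the "need to know" control; the baseline comparison is the long-term-data view that surfaces what a single real-time event would not.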