Thales Blog

Privileged Users And The Insider Threat

September 26, 2013

Tina Stewart | VP, Global Market Strategy

As part of our series of blogs on the ‘Insider Threat’, today we’re looking at privileged users – assessing the threat they pose to your network, and what you can do to mitigate the risks.

Privileged users exist in all organizations. Root users, domain administrators, system administrators and other high-level computer operators often have powerful, privileged access rights. Now, it is fair to say that these users require a high level of access to enable them to conduct the tasks that they need to perform – software installation, system configuration, user creation, networking, resource allocation and more. However, a significant security issue arises when these users also have access to data stored within computer systems, and have the ability to read, copy or change documents and other files.

The risk posed to your business is twofold. Firstly, a privileged user could, by accident or intentionally, abuse the privileges bestowed upon them, leaking, destroying or damaging data; the Edward Snowdens of this world. Additionally, privileged users also provide an alluring way in for hackers. For example, more than 3.3 million unencrypted bank accounts and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue. The attack started when a state employee responded to a phishing attack that enabled cyber criminals to use the employee’s credentials, access the state’s databases, and steal sensitive data.

Unsurprisingly, privileged accounts are a very attractive target for attackers seeking to leverage access privileges on your network for their own nefarious purposes. Indeed, Advanced Persistent Threats (APTs), which have been dominating headlines in recent times, are fundamentally based on this principle. Why break in noisily when you can sneak in unchallenged posing as someone who is supposed to be there?

The challenge we face in seeking to mitigate the risks posed by privileged users is that the tasks they perform to maintain, repair and initiate systems are absolutely essential. There is no option to simply revoke their network access as, if you were to do that, you could be fairly sure that the help desk would pretty quickly go into meltdown! You also can’t be heavy-handed with these users, as doing so is likely to interfere with their ability to do their job to such a degree that you may as well be revoking their privileges in the first place.

What’s needed are solutions that enable these users to perform their tasks, while efficiently and effectively removing their ability to access private and confidential data. On top of that, it’s very important to be able to match access to information by role. By this I mean allowing database administrators only database access, for instance, and limiting access so that administrators can’t actually read or edit the information in data files, but can still move them around as their job demands. In taking this approach you arrive at a point where, whether by mistake or intention, sensitive information will not leave the organization in a legible state, therefore removing risk.
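The sketch below is an added example, not code from this blog or from any vendor product, showing the separation described above: an administrator role can move a file and copy it out, but only ever receives ciphertext, while the application role gets plaintext. The role names, the `POLICY` table, the `ProtectedStore` class and the HMAC-based keystream (a standard-library stand-in for a vetted cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed policy: role and operation names are assumptions for illustration.
POLICY = {
    "sysadmin":    {"move": "permit", "read": "ciphertext", "write": "deny"},
    "payroll_app": {"move": "deny",   "read": "plaintext",  "write": "permit"},
}

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted cipher such as AES-GCM.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ProtectedStore:
    """Files are held encrypted; the policy decides which role sees plaintext."""
    def __init__(self, key):
        self._key = key  # held by the enforcement layer, never handed to a role
        self._files, self.audit = {}, []  # path -> (nonce, ciphertext); decision log

    def _effect(self, role, op, path):
        effect = POLICY.get(role, {}).get(op, "deny")  # unknown role or op: deny
        self.audit.append((role, op, path, effect))    # every decision is logged
        if effect == "deny":
            raise PermissionError(f"{role} may not {op} {path}")
        return effect

    def write(self, role, path, plaintext):
        self._effect(role, "write", path)
        nonce = os.urandom(16)
        self._files[path] = (nonce, _xor_stream(self._key, nonce, plaintext))

    def read(self, role, path):
        effect = self._effect(role, "read", path)
        nonce, blob = self._files[path]
        return _xor_stream(self._key, nonce, blob) if effect == "plaintext" else blob

    def move(self, role, src, dst):
        self._effect(role, "move", src)
        self._files[dst] = self._files.pop(src)  # ciphertext moves untouched

def demo():
    store = ProtectedStore(os.urandom(32))
    record = b"acct=12345678;salary=90000"  # constructed sample data
    store.write("payroll_app", "/data/payroll.db", record)
    store.move("sysadmin", "/data/payroll.db", "/backup/payroll.db")
    views = {r: store.read(r, "/backup/payroll.db") for r in POLICY}
    return record, views, store
```

The `audit` list records denied attempts as well as permitted ones, so an administrator account that suddenly starts requesting writes or plaintext reads shows up in the log.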

If you want to find out more about how other organizations view the threat from privileged users, do take a look at the results and research report announced by Vormetric earlier this week here.