Most Companies Confused About Privileged Users Threats says Ponemon Report

There’s been a lot of discussion in the security world about insider threats, the role of administrative rights and so-called 'privileged users' who have access to the more sensitive information at an organization. Yet, a majority of corporations seem confused about just how to define a privileged user.

The Ponemon Institute report, “Privilege User Abuse & the Insider Threat,” has revealed that identifying whether an action taken by an insider is truly a threat remains a significant challenge for most companies. In fact, 69% of respondents do not believe they have the ability to identify an insider threat before it’s too late. Further, 42% of the respondents are not confident that they have the enterprise-wide visibility for privileged user access needed to determine if users are compliant with policies.

In the end, only 16% said that they are 'very confident' that they have visibility as to what’s going on in the privileged user realm.

“There is a lot of confusion when you talk about privileged users; a lot of people go right to Edward Snowden or Wikileaks and think they're just IT guys,” said Michael Crouse, director of insider threat strategies at defense contractor Raytheon, which commissioned the report. “But they're not just IT guys—a privileged-user insider threat can happen with anybody. Anybody who has access to your company’s information is a threat.”

Further, it would seem that management of the issue is severely lacking: for instance, 57% believe background checks are lacking in most organizations before issuance of privileged credentials. Overall and most unfortunately, many employees are granted access to data and areas of the network not necessary for their roles and responsibilities. The report revealed that 65% of survey respondents indicated that curiosity – not job necessity – has then driven these same individuals to access sensitive or confidential data at some point or another.

Underestimating the Scale of Threat 

“In my view, while organizations are now more aware of the insider threat than ever before, the majority underestimate the sheer scale of the threat to their business,” said Matt Middleton-Leal, regional director for the UK and Ireland at CyberArk, in a comment to Infosecurity.

CyberArk’s research found that 86% of large enterprises either didn’t know or had grossly underestimated the magnitude of their privileged account security problem, meaning that at least two out of every three privileged accounts in these organizations were either unknown or unmanaged.

"Good people can make mistakes and put sensitive data at risk," said Jack Harrington, vice president of Cybersecurity and Special Missions at Raytheon Intelligence Information and Services, in a statement. "Even a well-intentioned, seasoned, privileged user with wide access to a network poses great risks because they are high-value targets to corporate 'hacktivists' and persistent adversaries eager to penetrate a company's defenses."

In fact, a Cyber-Ark report from last year found that privileged accounts with insufficient security are a prime vector for targeted cyberattacks, and their compromise is becoming a key tactic in each phase of an advanced persistent threat (APT) attack cycle.

MI5 recently warned British corporate chiefs that foreign intelligence agencies are targeting IT workers within big organizations in a bid to gain privileged access to sensitive data. The act of grooming internal sources with access to highly sensitive information has been likened to the practices of Cold War spymasters, and MI5 has used the analogy to urge more companies to boost their overall IT defenses.

When it comes to those adversaries, perception of the threat is mixed: 47% of those surveyed in the Ponemon/Raytheon report said it would be likely that malicious insiders would use social engineering or other measures to obtain someone's access rights, up from 21% in a 2011 survey. Close to half (45%) say it is likely that social engineers from outside the organization will target privileged users to obtain their access rights.

Meanwhile, awareness is at least up: 88% of organizations are concerned about the potential damage that could be caused by an insider threat. While 59% believe general business information is at risk, 49% say customer information is most at risk due to a lack of access controls over privileged users. Those same respondents also said that they believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months.

Taken overall, while awareness continues to increase, actions to protect against the insider threat don’t seem to be keeping up.

That extends to budgets: less than half of those concerned (40%) have a dedicated budget to invest in enabling technologies to reduce insider threat. Most use existing cybersecurity tools not necessarily designed to combat insider threat; 72% stated they use authentication and identity management tools to manage privileged user abuse. This comes despite the fact that 69% of those surveyed said their security tools don't provide enough contextual information to determine intent behind reported incidents, and 59% stated their tools yield too many false positives.

“While Edward Snowden was a classic example of a ‘rogue insider’, the accidental or careless misuse of privileged rights can also spell disaster for a business,” said Middleton-Leal. “Privileged accounts clearly present vast and multiple vulnerabilities and must be proactively addressed within all organizations. The days of perimeter security are long gone and security strategies must now focus on locking down access to the heart of the enterprise.”
