The security landscape as we know it is evolving. In what is a trying time for organizations, given the severity of threats from both insider and external attackers, the consequences of a data breach are also mounting.
While the financial repercussions of such incidents are often substantial, with organizations facing brand damage and negative customer churn, regulatory bodies have also become more heavy-handed in penalizing organizations that fail to safeguard customer data with substantial fines. With the stakes so high, enterprises are under growing pressure to re-assess security and ensure that networks are being robustly defended from all angles.
The Insider Threat
The insider threat usually pertains to the abuse of privileged accounts and passwords, which include administrative accounts, service and application accounts (hard-coded, embedded credentials) and so on. These accounts provide the most comprehensive access within an organization and are commonly shared by multiple users. They allow the ‘privileged’ user to log on anonymously and take total control of a system, with blanket access to the most sensitive data stored within. Yet, despite the enormous security implications of privileged accounts, these are all too often secured with weak or default passwords, leaving networks vulnerable.
The insider threat is often dismissed as a lesser risk to the security of an organization when compared with external attackers. Presuming this, however, is to misunderstand the full extent of the internal threat. Indeed, the insider threat can take on a number of different guises, encapsulating both bitter and rogue employees, as well as employee error or outsourced contractors entrusted with sensitive login credentials.
There are many examples of the malicious abuse of privileged access to be found within recent headlines, including the case involving Saudi Aramco – Saudi Arabia’s national oil provider. During August 2012, an individual with privileged access to the company’s computers, unleashed the Shamoon virus on the network – resulting in a devastating loss of corporate data. The attack was so serious that it was described by Leon Panetta, the former US Secretary of Defense, as a “significant escalation of the cyber threat”. This case, along with countless others, highlights the need for companies to actively manage and monitor the use of privileged access, in order to mitigate the risks and limit any potential damage.
Inside the External Threat
The threats facing organizations extend far beyond cases of vengeful, dishonest and careless employees. The use of privileged accounts in providing the ‘keys to the kingdom’ has not gone unnoticed by cybercriminals. Given the power of these access rights, it is little wonder that privileged accounts are actively targeted by cybercriminals seeking the most effective route into a network. This method can be used to steal intellectual property and other sensitive data, or even to embed malware in a network that lies dormant and is remotely activated at a later date.
The now infamous Flame virus (along with the more recently discovered variant – dubbed ‘miniFlame’) provides yet another example of attackers abusing privileged accounts in enterprise cyber attacks. Indeed, one of the ways that Flame was found to spread throughout networks was via a printer vulnerability – the same privileged access point exploited by the Stuxnet virus.
Compounding this problem is that privileged accounts are incredibly pervasive throughout an organization. The average medium-sized enterprise may have tens of thousands of these accounts that live in every application, server, operating system, and networked device – basically any device with a microprocessor.
Securing the use of, and access to, these privileged accounts is critical to the security of any enterprise.
Internal vs. External
A survey conducted by Cyber-Ark during 2012 revealed a growing awareness for external cyber-attacks, but still found that the majority of EMEA respondents (74%) believed the risk of insider threats to be greater than external ones. Reassuringly, responses indicated awareness about the importance of securing privileged accounts; however, almost half of those surveyed reported that their organization does not monitor the use of these accounts or were unsure of whether it did.
Ultimately, the survey demonstrates that organizations are moving in the right direction in understanding the implications of both insider and external threats, but it’s clear that more work must be done.
Best Practices
Businesses can take simple steps to mitigate the risks and secure privileged access:
Identify key systems, applications and databases and the privileged accounts relating to each: Privileged accounts can exist in great numbers and in all areas of an organization’s network – a point that can be forgotten or underestimated.
Compare who should have access to privileged accounts and who actually does: Businesses must be up to speed with who exactly has access rights, and if they do, should they? Do they need these rights to perform their job?
Implement clear access granting policies for privileged access to corporate resources: The options for securing access include safeguards such as dual-control, time-based access and regular and mandatory password changes.
Ensure the right security products are in place: A holistic, multi-layered approach to data security is advisable as is the assumption that an attacker is already on the inside. With this in mind, does your organization have the necessary controls in place to restrict access to its most valuable information and limit the potential damage?
Log, monitor and record all session activities: Effective privileged identity and session management systems will manage, monitor and secure networks against internal and external attackers, while also providing control and accountability – crucial for satisfying compliance regulations and audits.
At a time when data security is no longer just the concern of IT departments, the sheer scope of both insider and external threats makes them arguably the most significant security concerns facing modern businesses. With such vital information at stake, both threat types – not one or the other – must swiftly become boardroom priorities.
Udi Mokady co-founded Cyber-Ark Software in 1999 and serves as the company's president and CEO. In this role he is responsible for the management, execution, and strategic direction of the company, which focuses on securing privileged identities and highly sensitive information. Prior to Cyber-Ark, Mokady specialized in legal management and business development for international high-tech companies. He previously served as the general counsel at Tadiran Spectralink, a highly specialized producer of secure wireless communications systems.
A veteran of a Military Intelligence unit, Mokady holds a law degree (L.L.B.) from Hebrew University in Jerusalem and a master of science in management degree (MSM) from Boston University.