Privileged-Account Attacks Are Behind Every Major Cyber Crime
Blog Article Published: 01/14/2016
By Susan Richardson, Manager/Content Strategy, Code42
It’s unsettling: the people most accountable for an organization’s security are those most likely to compromise it. Privileged user accounts—IT administrators, application developers and C-suite executives—have been the cause of high-profile breaches over the past few years. Some cases involve intentional actions by the privileged users themselves, such as Edward Snowden’s NSA leaksand the South Korean Credit Bureau breach that exposed the personal information of almost half of all South Koreans. In other cases, cyber criminals steal or hack all-access credentials, as was the case with the 2013 Target and the 2014 Home Depot breaches. Regardless of the cause, studies of major breaches find that 100 percent of cyber crime attacks exploit privileged credentials.
Two factors make privileged-account attacks particularly devastating. First, the wide-ranging access granted by privileged credentials (dubbed “the keys to the kingdom” by Dell Security Executive Director John Milburn), whether acquired through insider threat or theft of credentials by an outside party, allow a perpetrator to move horizontally and often vertically through an organization’s data infrastructure, accessing sensitive information and installing malware to wreak further damage.
Secondly, privileged credential attacks make harmful activity harder to detect and address. For IT administrators and other privileged technical staff, accessing sensitive areas of a network doesn’t trigger red flags—it looks like everyday activity. Identifying suspicious action from executive accounts is also a challenge, as these individuals’ activities often fall outside the view of traditional data security.
A 2014 Ponemon Institute survey on insider threats reports that sixty-nine percent of IT security professionals feel they lack sufficient contextual information to identify suspicious activity from privileged accounts. So what can an organization do to mitigate the threat posed by privileged users?
Start by tightening and standardizing control over privileged user credentials. The Ponemon Institute’s Privileged User Abuse & The Insider Threat report found that forty-nine percent of respondents do not have officially defined policies for assigning privileged user access. This can lead to over-privileging—where users are granted greater access than is critically necessary for their job functions—and makes it extremely difficult to ensure accountability for all activity.
Carefully consider the level of access that is necessary for privileged users. If executives truly require all-access credentials, create an accurate log of which individuals possess which privileged credentials.
Make privileged user activities completely transparent to data security personnel. Enterprise-wide visibility into privileged user activities—whether on a server, in the cloud or on an endpoint device—is critical to establishing regular activity patterns, quickly identifying abnormal and suspicious activities, and determining context and intent in the event of a privileged account breach.
