Diligence against cyber security breaches is as much an issue of internal processes as external threats. In fact, the breach Home Depot so publicly suffered last year was enabled through a phishing scheme whereby hackers first gained access to a third-party vendor that had access privileges with Home Depot.
In the recent survey “Privilege Gone Wild 2” by global cyber security company BeyondTrust, 47 percent of respondents admitted they have employees who possess elevated rights they don’t need to do their job, and more than one out of four companies indicated they have no controls in place to manage privileged access.
The 2014 Verizon Data Breach Investigations Report identifies the use of stolen credentials as the most common source of attack. Also, malicious insiders with elevated privileges may leverage the opportunity to share or steal sensitive data. And inadvertent abuse is another concern, as employees with elevated privileges may not only access sensitive data simply out of curiosity but may move data to unauthorized cloud storage or install unauthorized software such as file-sharing applications, thus putting data at risk.
However, it is important that companies enable the end-user to be productive. Privileged account management (PAM) looks at two aspects of privilege: the privileged user and the privileged account itself. Individuals tasked with managing critical systems, such as IT and application administrators, must have elevated rights and credentials to perform super-user activities. And there are devices or systems that are shared among multiple users and whose passwords, therefore, are broadly known.
“It’s important to continually scan for vulnerability in what the organization does, such as staying current with patches. And on the user side, use the principle of least privilege — reduce access to the lowest possible to allow the job to be done,” says Scott Lang, director of privileged strategies at BeyondTrust, explaining that BeyondTrust provides solutions that reveal critical risks hidden within volumes of user as well as system data. This includes scanning individuals’ mobile devices connected to a network, Lang says, while noting that the Verizon report confirms mobility is not the attack surface it was once considered to be. He advises businesses not to look at a problem in a silo, but to look at the entire environment — of access to servers, desktops and systems; how many systems users have to log into; and auditing and reporting requirements.