Adam Bosnian, Cyber-Ark Software: Five Best Practices for Mitigating Insider Breaches
September 2009 by Adam Bosnian, VP Marketing Cyber-Ark Software
Mismanagement of processes involving privileged access, privileged data, or privileged users poses serious risks to organisations. Such mismanagement is also increasing enterprises’ vulnerability to internal threats that can be caused by simple human error or malicious deeds.
According to a recent Computing Technology Industry Association (CompTIA) survey, although most respondents still consider viruses and malware the top security threat, more than half (53 percent) attributed their data breaches to human error, adding another dimension to the rising concern about insider threats. It should serve as a wake-up call to many organisations that inadvertent or malicious insider activity can create a security risk.
For instance, take the recent data breach that impacted the Metro Nashville Public Schools. In this case, a contractor unintentionally placed the personal information of more than 18,000 students and 6,000 parents on an unsecured Web server that was searchable via the Internet. Although this act was largely chalked up to human error and has since been corrected, anyone accessing the information when it was freely available online could create a data breach that could cause significant harm to these students and parents.
Moreover, the Identity Theft Resource Center (ITRC) recently reported that insider theft incidents more than doubled between 2007 and 2008, accounting for more than 15 percent of data breaches. According to the report, human error breaches, as well as those related to data-in-motion and accidental exposure, accounted for 35 percent of all data breaches reported, even after factoring in that the number of breaches declined slightly during this period. To significantly cut the risk of these insider breaches, enterprises must have appropriate systems and processes in place to avoid or reduce human errors caused by inadvertent data leakage, sharing of passwords, and other seemingly harmless actions.
One approach to addressing these challenges is digital vault technology. It is especially valuable for users with high levels of enterprise or network access, for those handling sensitive information or business processes, and for users with privileged access — including third-party vendors or consultants and executive-level personnel — or with access to the core applications running within an organisation’s critical infrastructure.
Instead of trying to protect every facet of an enterprise network, digital vault technology creates safe havens — distinct areas for storing, protecting, and sharing the most critical business information — and provides a detailed audit trail for all activity associated within these safe havens. This encourages more secure employee behavior and significantly reduces the risk of human error.
Here are some best practices for organisations serious about preventing internal breaches, be they accidental or malicious, of any processes that involve privileged access, privileged data, or privileged users.
Best Practice #1: Establish a Safe Harbor
By establishing a safe harbor or vault for highly sensitive data (such as administrator account passwords, HR files, or intellectual property), organisations build security directly into the business process, independent of the existing network infrastructure. This protects the data both from external attackers and from accidental misuse by employees.
A digital vault is set up as a dedicated, hardened server that provides a single data access channel with only one way in and one way out. It is protected with multiple layers of integrated security including a firewall, VPN, authentication, access control, and full encryption. By separating the server interfaces from the storage engine, many of the security risks associated with widespread connectivity are removed.
Best Practice #2: Automate Privileged Identities and Activities
Ensure that administrative and application identities and passwords are changed regularly, highly guarded from unauthorised use, and closely monitored, including full activity capture and recording. Monitor and report actual adherence to the defined policies. This is a critical component in safeguarding organisations and helps to simplify audit and compliance requirements, as companies are able to answer questions associated with “who” has access and “what” is being accessed.
As listed among the Consensus Audit Guidelines’ 20 critical security controls, the automated and continuous control of administrative privileges is essential to protecting against future breaches. [Editor’s note: the guidelines are available at http://www.sans.org/cag/.]
Best Practice #3: Identify All Your Privileged Accounts
The best way to start managing privileged accounts is to create a checklist of operating systems, databases, appliances, routers, servers, directories, and applications throughout the enterprise. Each target system typically has between one and five privileged accounts. Add them up and determine which area poses the greatest risk. With this data in hand, organisations can easily create a plan to secure, manage, automatically change, and log all privileged passwords.
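The inventory and adherence reporting described in Best Practices #2 and #3 can be kept in a small structured list and queried for the figures an auditor asks for. The following is an added example, not code from the article or from Cyber-Ark: the systems, account names, rotation dates and the 90-day rotation policy are constructed for illustration, and the risk score (one point per overdue account, one per unmonitored account) is a simple assumed weighting, not a vendor formula.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PrivilegedAccount:
    system: str         # target system from the checklist (host, appliance, application)
    area: str           # checklist area: os, database, network, directory, application
    account: str        # privileged account name on that system
    last_rotated: date  # date the password was last changed
    monitored: bool     # True if the account's sessions are captured and recorded


# Constructed sample inventory: hypothetical systems and dates, not real infrastructure.
INVENTORY = [
    PrivilegedAccount("db-prod-01", "database", "sa", date(2009, 1, 5), True),
    PrivilegedAccount("db-prod-01", "database", "dbadmin", date(2009, 8, 20), True),
    PrivilegedAccount("core-rtr-01", "network", "enable", date(2008, 3, 14), False),
    PrivilegedAccount("fs-hr-01", "os", "Administrator", date(2009, 8, 1), True),
    PrivilegedAccount("fs-hr-01", "os", "backup_svc", date(2008, 11, 30), False),
    PrivilegedAccount("ad-dc-01", "directory", "Domain Admin", date(2009, 7, 15), True),
    PrivilegedAccount("erp-app-01", "application", "erp_batch", date(2007, 6, 1), False),
]


def overdue_accounts(inventory, as_of, max_age_days):
    """Accounts whose password is older than the rotation policy allows."""
    return [a for a in inventory if (as_of - a.last_rotated).days > max_age_days]


def unmonitored_accounts(inventory):
    """Accounts with no session capture: their activity cannot be attributed or reviewed."""
    return [a for a in inventory if not a.monitored]


def adherence_rate(inventory, as_of, max_age_days):
    """Fraction of accounts that meet the rotation policy (the 'actual adherence' figure)."""
    if not inventory:
        return 1.0
    compliant = len(inventory) - len(overdue_accounts(inventory, as_of, max_age_days))
    return compliant / len(inventory)


def risk_by_area(inventory, as_of, max_age_days):
    """Per checklist area: account counts plus an assumed risk score
    (one point per overdue account, one per unmonitored account), highest risk first."""
    summary = defaultdict(lambda: {"accounts": 0, "overdue": 0, "unmonitored": 0})
    for a in inventory:
        row = summary[a.area]
        row["accounts"] += 1
        if (as_of - a.last_rotated).days > max_age_days:
            row["overdue"] += 1
        if not a.monitored:
            row["unmonitored"] += 1
    for row in summary.values():
        row["score"] = row["overdue"] + row["unmonitored"]
    # Sort by descending score, then by area name so the report order is stable.
    return dict(sorted(summary.items(), key=lambda kv: (-kv[1]["score"], kv[0])))


if __name__ == "__main__":
    AS_OF, MAX_AGE = date(2009, 9, 1), 90  # constructed reporting date and policy
    print(f"{len(INVENTORY)} privileged accounts inventoried; "
          f"rotation adherence {adherence_rate(INVENTORY, AS_OF, MAX_AGE):.0%}")
    for area, row in risk_by_area(INVENTORY, AS_OF, MAX_AGE).items():
        print(f"{area:12} accounts={row['accounts']} overdue={row['overdue']} "
              f"unmonitored={row['unmonitored']} score={row['score']}")
```

On the constructed data the report ranks the application, network and OS areas first (each has an account that is both overdue and unmonitored) and shows that only three of seven accounts meet the rotation policy, which is the kind of "who has access and is the policy actually followed" answer an audit expects.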
Best Practice #4: Secure Embedded Application Accounts
Up to 80 percent of system breaches are caused by internal users, including privileged administrators and power users, who accidentally or deliberately damage IT systems or release confidential data assets, according to a recent Cyber-Ark survey.
Often, the accounts leveraged by these users are the application identities embedded within scripts, configuration files, or an application. The identities are used to log into a target database or system and are often overlooked within a traditional security review. Even when they are found, the account identities are difficult to monitor and log because they appear to a monitoring system as if the application (not the person using the account) is logging in.
These privileged application identities are increasingly scrutinised by internal and external auditors, especially during PCI- and SOX-driven audits, and are becoming one of the key reasons that many organisations fail compliance audits. Therefore, organisations must have effective control of all privileged identities, including application identities, to ensure compliance with audit and regulatory requirements.
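Finding the embedded application identities Best Practice #4 describes is a detection problem: credentials written as literals into scripts and configuration files are missed by reviews that only look at user accounts. The following is an added example, not code from the article or from Cyber-Ark. It scans a few constructed sample files for key/value lines whose key looks like a password, secret or token and whose value is a literal rather than a reference resolved at run time, reports the location without echoing the secret, and shows the hardened pattern of resolving the credential through a provider at run time (the in-memory provider here is a stand-in for a vault lookup, which is an assumption about how the real deployment would supply it).

```python
import re
from dataclasses import dataclass

# Constructed sample files; the contents are illustrative, not taken from any real system.
SAMPLE_FILES = {
    "nightly_backup.sh": (
        "#!/bin/sh\n"
        "DB_USER=backup_svc\n"
        "DB_PASSWORD='S3cr3tBackup!'\n"
        "pg_dump -U $DB_USER hrdb > /backups/hr.sql\n"
    ),
    "app.properties": (
        "db.url=jdbc:oracle:thin:@erp-db:1521:ERP\n"
        "db.username=erp_batch\n"
        "db.password=Welcome123\n"
        "db.pool.size=10\n"
    ),
    "deploy.conf": (
        "# credentials are injected at run time from the vault\n"
        "api_token=${VAULT_API_TOKEN}\n"
        "password = \n"
    ),
}

# A line of the form  [export] KEY = VALUE  or  KEY: VALUE  where KEY names a secret.
KEY_PATTERN = re.compile(
    r"""
    ^\s*(?:export\s+)?
    (?P<key>[\w.\-]*(?:passw(?:or)?d|pwd|secret|api[_\-]?key|token)[\w.\-]*)
    \s*[=:]\s*
    (?P<quote>['"]?)(?P<value>[^'"\s\#]+)(?P=quote)
    """,
    re.IGNORECASE | re.VERBOSE,
)


@dataclass(frozen=True)
class Finding:
    path: str   # file containing the embedded credential
    line: int   # 1-based line number
    key: str    # the key name only; the value is deliberately not recorded


def is_reference(value):
    """True for values resolved at run time (env/vault references or template placeholders)."""
    return value.startswith(("$", "%", "<", "{{"))


def scan_text(path, text):
    """Return one Finding per line that assigns a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_PATTERN.match(line)
        if m and not is_reference(m.group("value")):
            findings.append(Finding(path, lineno, m.group("key")))
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents (as read from disk or a repository export)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def resolve_credential(name, provider):
    """Hardened form: fetch the credential at run time from a provider (assumed to be a
    vault client lookup in practice) and fail closed if it is not available, rather than
    reading a literal from a file that ships with the application."""
    value = provider(name)
    if not value:
        raise LookupError(f"credential {name!r} is not available from the provider")
    return value


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: embedded credential in key {f.key}=****")
    # Constructed stand-in for a vault lookup; a real provider would call the vault.
    demo_vault = {"erp_batch": "from-vault"}.get
    print("erp_batch resolved:", resolve_credential("erp_batch", demo_vault) is not None)
```

Reporting only the file, line and key keeps the scanner's own output from becoming another copy of the secret, and the reference check keeps it from flagging the correctly vaulted `${VAULT_API_TOKEN}` entry, so the remaining findings are exactly the identities that need to be moved under management.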
Best Practice #5: Avoid Bad Habits
To better protect against breaches, organisations must establish best practices for securely exchanging privileged information. For instance, employees must avoid bad habits (such as sending sensitive or highly confidential information via e-mail or writing down privileged passwords on sticky notes). IT managers must also ensure they educate employees about the need to create and set secure passwords for their computers instead of using sequential password combinations or their first names.
The lesson here is that the risk of internal data misuse and accidental leakage can be significantly mitigated by implementing effective policies and technologies. In doing so, organisations can better manage, control, and monitor the power they provide to their employees and systems and avoid the negative economic and reputational impacts caused by an insider data breach, regardless of whether it was done maliciously or by human error.