Privileged users have additional access to corporate resources and IT systems; these accounts are open to abuse, mishaps, and exploitation, and are a type of insider threat.
These additional access rights have meant that a recent Bitglass survey “Spies in the Enterprise” has identified privileged users as the biggest source of risk within an organisation.
A report from Gurucul, concurs with this, finding that 63% of organisations believe privileged IT users present the biggest insider threat.
These two reports are not the first to find that privileged users are a source of security risk and will certainly not be the last. But just why does this user group leave an organisation open to security threats and what can be done to mitigate the risk from a privileged user?
The Privileged User in the Machine
The clue to the security threats posed by privileged users is in the name – privileged.
Privileged access is given to certain role types or groups within an organisation. Individuals who hold privileged access, need additional access rights to standard users because they manage IT infrastructure, or require access to sensitive corporate resources, and so on.
But, unfortunately, once privileged access is assigned, these users have the keys to your corporate kingdom.
The problem with privilege is that it creates a double-edged sword. On the one hand, these users need extra rights to access secure and sensitive areas, but these rights have the potential to be abused, misused, or hijacked.
How to square this round is one of the most difficult areas that an IT department must deal with. Some of the issues with privileged access users include:
Privileged Access Users Are a Target for Cybercriminals
Those who hold the key to data are prime targets. Cybercriminals will focus on certain roles and groups within an organisation to take advantage of their access rights. If a cybercriminal can get hold of those access rights, they can move around an organisation, entering sensitive areas of a network, undetected.
Because of this, privileged users become targets of spear-phishing attacks. Hackers who create spear-phishing campaigns know their target well. They spend time understanding who they are and what triggers they will react to.
Departments such as accounts payable, for example, are often the victims of spear-phishing attacks, because they can potentially access financial accounts and transfer money. To put this into perspective, a 2019 report from Symantec found that spear-phishing emails were used by 65% of all known groups carrying out targeted cyber attacks.
Compliance Management and Control
Privileged users often have access to permissions and security controls. With access comes control. If a privileged user, even inadvertently, makes a change to a permission or security setting, this could move an organisation outside of compliance with regulations such as UK GDPR, DPA2018, PCI, etc.
Privilege Changes and Evolves
Privileged users often move around an organisation. As they do so, their access rights may need to change. However, making this change can be complicated if not carefully monitored.
In addition, company leavers, who have privileged access can often fall through the safety net, leaving a company whilst still holding onto privileged access rights. A report from the Hague Delta found that those leaving a company posed the greatest insider threat to data exposure. Also, the report found that 89% of leavers still had access to data after leaving the organisation.
Ways to Prevent Privileged User Abuses and Mishaps
There are several ways to de-risk the insider threats associated with privileged users. Here are some of the most effective:
There is a principle known as “least privilege” that is a fundamental tenet of control in an organisation. It goes something like this: only give your employees the permissions needed to do their job, and no more.
A way forward in making this work is to be granular in how you set permissions. So, for example, apply for permissions on a per-app basis rather than global and set up access rights based on a user rather than an entire group of users. The more rights you give to someone, the higher the risk.
Train Privileged Users About Social Engineering
Because privileged users are in the cybercriminal spotlight, they are often under attack using social engineering. Cybercriminals typically use intelligence gathering and surveillance, targeting privileged users, to prepare for an attack or scam or to inform a spear-phishing campaign.
Educate your privileged users about the heightened risk associated with their access rights and how to spot tell-tale signs of social engineering used to target privileged users.
Educate Privileged Users on Phishing Tricks and Tactics
Spear-phishing campaigns that target privileged users can be extremely difficult to spot. However, if you tailor phishing simulation templates to reflect the more subtle signs of a spear-phishing message, you can give your privileged users the tools to help identify suspicious messages.
These spear-phishing simulations should be used in combination with social engineering awareness training.
Process and Policy
Create formal policies around the issuance of privileged access accounts. These policies should be designed to enforce accountability. They should also reflect the principle of least privilege and offer guidance on how privileged account controls are determined, using formal reviews and approvals across a hierarchy of stakeholders.
Policies and processes to manage, educate, and control privileged users, should be a fundamental part of your security strategy.
Enforce a policy of robust, multi-factor, and risk-based authentication, to your overall security strategy. This helps as part of an overall strategy in the mitigation of external threats based on privileged insider account takeover.
Privileged users are a weak link in an organisation because of the access to sensitive data and IT systems. But privileged users are necessary for the smooth running of an organisation. By applying best practices to privileged users including education, processes, and policy enforcement, an organisation can de-risk this important account type.