Industry View

The Enemy Inside

A realistic approach to prioritizing actions to prevent privileged user or insider security threats.

By Kristin Gallina Lovejoy

Page 3

Staggering, indeed: A small group of individuals perpetrate the maximum damage. Unfortunately, the problem with managing this threat effectively is that traditional and foundational security concepts—particularly the "principle of least privilege"—are ineffective against it. In computing, the principle of least privilege holds that a user is given the minimum privileges necessary to perform an action, thereby reducing the risk that excessive privileges will be used to harm the system. In the real world, "operationalizing" this principle means reducing the ability of IT administrators to do their jobs quickly and effectively.

Below, I have taken a nontraditional (a.k.a. realistic) approach to prioritizing the "things you should do" to address the privileged user/insider threat:

1. Log and Audit. Cyber-security is akin to playing "whack-a-mole": every time you identify a potential issue, another one pops up. Privileged user monitoring and audit (PUMA) solutions make it possible for an organization to continuously log and monitor how and why this class of user is using or abusing its privileges. With appropriate policies in place, it is then possible to identify and investigate inappropriate activities and process failures. As part of this process, it is critical that the organization collect and retain log data for use in investigations. It's not a question of if, but when.

2. Manage Accounts. Insiders have an opportunity to circumvent traditional security controls because they have trust and physical access. It is therefore critical that those users with the most unfettered access to systems and data be made "accountable." Properly instituted account management policies and technologies make it possible to audit the individual, and not just the network noise. It is critical, as part of this program, that computer access is deactivated following termination. While this may appear to be a simplistic recommendation, it is often overlooked.

3. Defend against Remote Attacks. Most attacks by insiders are perpetrated remotely. Layered defenses, which include monitoring and logging of all remote activities, are essential to reducing the risk of insider attack.

4. Defend against Malicious Code. A common type of insider attack that can be executed by privileged users is the installation of malicious code or the use of logic bombs on the system or network.

5. Monitor for and Respond to Disruptive Behavior. A history of disruptive behavior is one of the key traits of an inside attacker. Therefore, in addition to continuous monitoring of network-based actions, organizations should institute formal procedures for responding to suspicious or disruptive behavior by employees in the workplace. Effective procedures make it more likely that employees will report disruptive or suspicious behavior when they observe it in coworkers, and that management will respond effectively.
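As an added illustration (not code from the column or from any PUMA product), the following routine applies items 1 through 4 to a few constructed privileged-user log lines: it keeps the raw events, flags use of an account that should have been deactivated at termination, flags remote privileged activity outside business hours, and flags changes to scheduled jobs, a common way of planting a logic bomb. The log format, the HR termination feed, the business-hours window and the scheduler command list are all assumptions.

```python
"""Privileged-user audit check over constructed sudo-style log lines."""
import re
from datetime import datetime

# Constructed sample log (not from a real system): timestamp, user, source, command.
SAMPLE_LOG = """\
2024-03-01T09:12:03 alice local sudo:/usr/bin/systemctl restart nginx
2024-03-01T22:47:10 bob remote:203.0.113.7 sudo:/usr/sbin/useradd svc_tmp
2024-03-02T10:05:44 carol remote:198.51.100.2 sudo:/usr/bin/journalctl -u nginx
2024-03-02T03:30:12 dave remote:198.51.100.9 sudo:/usr/bin/crontab -e
2024-03-02T10:06:01 alice local sudo:/usr/bin/apt-get update
"""

# Constructed HR feed: users whose access should already have been deactivated (item 2).
TERMINATED = {"bob": datetime(2024, 2, 28)}

# Assumed list of commands that create or edit scheduled jobs (item 4, logic bombs).
SCHEDULER_CMDS = ("/usr/bin/crontab", "/usr/bin/at", "/usr/bin/systemd-run")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) sudo:(.+)$")

def parse(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, source, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "source": source, "cmd": cmd}

def audit(log_text, terminated, business_hours=(8, 18)):
    """Return (finding, user, command) tuples; the raw log itself is retained unchanged."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        # Item 2: any privileged action on or after the termination date is a finding.
        term = terminated.get(ev["user"])
        if term and ev["ts"] >= term:
            findings.append(("terminated-account-active", ev["user"], ev["cmd"]))
        # Item 3: remote privileged activity outside business hours gets reviewed.
        if ev["source"].startswith("remote:") and not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            findings.append(("remote-privileged-after-hours", ev["user"], ev["cmd"]))
        # Item 4: scheduled-job changes are how logic bombs are typically planted.
        if ev["cmd"].startswith(SCHEDULER_CMDS):
            findings.append(("scheduled-job-change", ev["user"], ev["cmd"]))
    return findings

if __name__ == "__main__":
    for kind, user, cmd in audit(SAMPLE_LOG, TERMINATED):
        print(f"{kind}: {user} ran {cmd}")
```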
