Protecting Yourself Against Your Own Users

There is a common thread among many of the major attacks that have occurred in the past couple of years—they were perpetrated either directly or indirectly by someone on the inside. While most of network and computer security is still focused on guarding against external threats, the reality is that privileged users on the inside of your network are also a very real threat.

At the 2014 RSA Security Conference, there was a session titled “Are Your Privileged Users at Risk or a Risk?” that discussed this issue. Ultimately, the answer is “yes” or “both,” but it was enlightening to hear experts talk about the risks associated with privileged users and the access they have on your network.

A couple of major data breaches have occurred in recent years that were inside jobs. Users with authorized access to sensitive or confidential data intentionally abused that trust and compromised the data they had access to.

There have also been a few major security incidents or data breaches that were outside attacks, facilitated by compromising the credentials of an authorized user. Once an attacker acquires the username and password of a trusted user with access to sensitive systems and data, they can access those systems and data as the user, and there is effectively no difference between the outside attacker and an “inside job.”

The solution is relatively straightforward. First, be discriminating about granting permission to sensitive or confidential resources. Make sure privileges are granted on a strictly “as-needed” basis.

Second, and more importantly, pay attention. Don’t assume that an activity must be legitimate just because it seems to come from a privileged user. You should be on the lookout for anomalous activity: users accessing more data than they normally do or poking around areas of the network they don’t normally visit.
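One way to watch for both signals, shown as an added example that is not part of the original article: build a per-user baseline of daily access volume and of the resources each user touches, then flag departures from it. The log format, user and resource names, and the `k` and `min_spread` thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log: (day, user, resource, records_read).
HISTORY = [("d%d" % i, "alice", "crm", n) for i, n in enumerate([100, 120, 90, 110, 105], 1)]
HISTORY += [("d%d" % i, "bob", "hr-db", n) for i, n in enumerate([20, 25, 18, 22, 21], 1)]
TODAY = [
    ("d6", "alice", "crm", 4000),       # far above her usual volume
    ("d6", "bob", "hr-db", 23),         # normal for him
    ("d6", "bob", "finance-share", 3),  # an area he has never visited
    ("d6", "carol", "crm", 10),         # privileged activity with no history
]


def daily_totals(events):
    """Sum records read per (user, day)."""
    totals = defaultdict(int)
    for day, user, _resource, count in events:
        totals[(user, day)] += count
    return totals


def build_baseline(history):
    """Per user: (mean daily volume, std deviation, set of resources used)."""
    volumes, resources = defaultdict(list), defaultdict(set)
    for (user, _day), total in daily_totals(history).items():
        volumes[user].append(total)
    for _day, user, resource, _count in history:
        resources[user].add(resource)
    return {u: (mean(v), pstdev(v), resources[u]) for u, v in volumes.items()}


def find_anomalies(baseline, events, k=3.0, min_spread=10.0):
    """Return sorted (user, reason) alerts for a batch of events."""
    alerts = set()
    for _day, user, resource, _count in events:
        if user not in baseline:
            alerts.add((user, "no baseline"))
        elif resource not in baseline[user][2]:
            alerts.add((user, f"new resource: {resource}"))
    for (user, _day), total in daily_totals(events).items():
        if user in baseline:
            avg, spread, _ = baseline[user]
            # min_spread stops a very steady user from alerting on tiny changes
            if total > avg + k * max(spread, min_spread):
                alerts.add((user, "volume above baseline"))
    return sorted(alerts)
```

An alert here is a prompt to review the activity, not proof of abuse; the same signals fire whether the account holder or someone using stolen credentials is behind the session.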

The bottom line is that your users are also a threat—even if they don’t mean to be. Attackers have determined that it’s easier to compromise the credentials of an authorized user than to break in from the outside, so you need to be aware and keep your guard up.
