While many companies spend a lot of energy protecting their business from external threats, security events initiated by insiders can be just as costly. Malicious insiders not only have intimate knowledge of corporate systems and infrastructure, but they also have something far more powerful: legitimate privileged access.
The challenge of insider threats is pervasive, and recent cases show no sign of it slowing down. Whether in watershed examples like Terry Childs, the San Francisco network administrator who locked the city out of its own network by refusing to hand over the administrative passwords, or in cases of IP theft or fraud, privileged access abuse takes two main forms. The first is when employees are granted more access than they need to do their jobs. The second is when someone with valid access deliberately uses privileged accounts against policy and abuses that power.
Regardless of the situation, the insider threat is ultimately a human challenge. Humans are unpredictable, and motivation is hard to foresee. We want to trust the employees we hire, especially the ones given access to our most sensitive information. One key for companies is to know exactly who holds privileged access, and to consistently enforce the principle of least privilege: employees are granted the access they need to perform their jobs, no more and no less.
In addition, technology can help identify anomalous behavior and raise an alert when systems or information are accessed outside of policy. This adds another critical security layer that helps organizations detect the patterns and behaviors that may signal privileged access abuse.
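One way to put the two controls above into practice, as an added example that is not code from the original article: a least-privilege policy mapping roles to the hosts they may administer, a baseline of each privileged account's normal activity, and a check that flags actions outside policy or outside the baseline. The roles, host names, log format and business-hours window are hypothetical, and all log lines are constructed for the example.

```python
"""Detecting privileged-access use outside policy over constructed audit logs.

Added example written for this post, not code from the original article.
Role names, host names, log format and thresholds are all hypothetical.
It applies the two controls the text describes: a least-privilege policy
(which hosts each role may administer) and anomaly detection against a
baseline of each account's normal activity.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical least-privilege policy: role -> hosts that role may administer.
ROLE_HOSTS = {
    "netadmin": {"core-rtr-01", "core-rtr-02"},
    "dba": {"db-prod-01", "db-prod-02"},
}
# Privileged-account inventory: who holds which role.  An account missing
# here is itself a finding: nobody can say why it has privileged access.
ACCOUNT_ROLE = {"bob": "netadmin", "alice": "dba"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumption)

# Constructed records from a prior week, used only to learn normal behaviour.
BASELINE_LOG = [
    "2024-02-26T09:00:00 user=alice priv=root host=db-prod-01 action=sudo",
    "2024-02-27T10:30:00 user=bob priv=enable host=core-rtr-01 action=config",
    "2024-02-28T15:10:00 user=alice priv=root host=db-prod-01 action=sudo",
]
# Constructed records for the day under review.
TODAY_LOG = [
    "2024-03-04T09:12:00 user=alice priv=root host=db-prod-01 action=sudo",
    "2024-03-04T10:20:00 user=bob priv=enable host=core-rtr-02 action=config",
    "2024-03-04T11:30:00 user=alice priv=root host=core-rtr-01 action=sudo",
    "2024-03-04T14:02:00 user=bob priv=enable host=db-prod-02 action=config",
    "2024-03-04T16:45:00 user=svc-backup priv=root host=db-prod-01 action=sudo",
    "2024-03-04T23:41:00 user=bob priv=enable host=core-rtr-01 action=config",
]


def parse(line):
    """Turn one 'ts key=value ...' audit line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def build_baseline(lines):
    """Map each account to the hosts it administered during the baseline window."""
    seen = defaultdict(set)
    for rec in map(parse, lines):
        seen[rec["user"]].add(rec["host"])
    return seen


def classify(rec, baseline):
    """Return the list of reasons this privileged action should be alerted on."""
    reasons = []
    role = ACCOUNT_ROLE.get(rec["user"])
    if role is None:
        reasons.append("unknown-account")   # not in the privileged inventory
        allowed = set()
    else:
        allowed = ROLE_HOSTS[role]
    if rec["host"] not in allowed:
        reasons.append("outside-policy")    # least-privilege violation
    elif rec["host"] not in baseline.get(rec["user"], set()):
        reasons.append("new-host")          # permitted, but never seen before
    if rec["ts"].hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    return reasons


def evaluate(lines, baseline):
    """Run every record through classify(); return (user, host, reasons) for the hits."""
    alerts = []
    for rec in map(parse, lines):
        reasons = classify(rec, baseline)
        if reasons:
            alerts.append((rec["user"], rec["host"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for user, host, why in evaluate(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(f"ALERT {user} -> {host}: {', '.join(why)}")
```

The policy check and the baseline check answer different questions. "outside-policy" means the account was never supposed to reach that host, which is the over-provisioning problem; "new-host" and "off-hours" mean the access was permitted but unusual, which is where the deliberate-abuse case tends to show up first. The "unknown-account" reason is the inventory gap: an account using privilege that nobody has mapped to a role.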
Insider threat stories are certainly cautionary tales about unfettered privileged access for employees, but the larger truth is that once an attacker is inside a network it doesn't matter whether they are thousands of miles away or three feet away: the risk is the same, because either way the damage is bounded by what the privileged accounts they control can reach.
To be in the best position to mitigate these threats, organizations need to re-evaluate how they are securing and managing privileged access – not just to protect from the external attacker exploiting weaknesses, but also the malicious insider who might be working right under their noses.