Privilege Abuse. Who Is Doing What In Your Network?


By Michael Fimin

Privilege abuse traditionally tops the list of the most dangerous cyber threat patterns for a reason. Privileged accounts give users the ability to compromise an organization’s network, systems and data, but discovering such incidents can take months or years. The direct consequences of privilege abuse, such as loss of sensitive data and system disruption, are bad enough. But companies also often incur additional expenses — for instance, costs associated with security investigations, remediation, and lawsuits from enraged customers and employees — as well as damage to their reputation and brand.

Top five threats that result from poor privilege account management

Typically, privilege abuse occurs due to a lack of proper access control in the organization. Users are granted more access rights than they need to perform their duties, and the organization fails to establish strict control over critical changes and to monitor what users are doing in the IT environment. As a result, the organization is vulnerable to the following threats:

1. Contractors leverage legitimate access. Imagine a financial company that deals with large volumes of confidential records and has to comply with industry regulations while ensuring ongoing system availability to maintain customer loyalty. Monitoring the activity of its employees is not enough, because third-party contractors can also access its internal systems and therefore pose an equal threat to sensitive information. In this case, automated video recording can be helpful, since the IT team will be able to see exactly what each user does and respond quickly to any policy violations.

2. Ex-employees leave the company with a trophy. Ex-employees and temporary workers often pose a threat to data integrity and may cause data breaches. This is a huge problem for all types of organizations, especially educational institutions, where high turnover of staff and students makes it easy for departing employees to take advantage of their accounts and steal sensitive data without being noticed. Therefore, organizations need to continuously monitor user activity to spot and take action against unwanted activities like file manipulations.

3. Privileges are granted by mistake. Sometimes access rights are granted to users by mistake. This can lead to data loss or downtime if the user, either accidentally or maliciously, uses the privileges, or an intruder or malware takes over the account. For example, if a company uses SQL databases to store customer information for billing, the IT department needs to carefully monitor for critical changes related to those databases, such as someone gaining DBA rights they shouldn’t have, so they can respond immediately to protect the sensitive data.

4. Poor account provisioning results in data overexposure. When employees’ roles in the organization change due to internal transfers or promotions, their privileges have to be updated right away. Regular review of user permissions and monitoring of changes to permissions and group membership can significantly reduce the risk of data overexposure and privilege abuse.

5. False allegations in case of a security breach. If you are an IT pro — especially if you’re the only one in your organization — you might have to prove that a data breach wasn’t really your fault. Proper privileged account management will provide you with evidence that all the necessary controls are in place and you did your best to prevent the security incident.

Three steps to mitigate the risk of privilege abuse

Unfortunately, there is no way to ensure 100% protection against privilege abuse. User accounts with elevated privileges will always be a tempting target for criminals, and insiders will always be one of the main threats to security, whether they misuse their privileges intentionally or by mistake. However, several practices will help you minimize these risks and simplify detection of security incidents caused by privilege abuse:

1. Continuously assess assigned privileges. Privilege provisioning should never be a one-time task. You need to review access rights whenever a user’s role changes and remove excessive permissions in accordance with the least-privilege principle.

2. Enable user behavior analysis. You need to collect data across the entire IT environment — and also understand it. In particular, you need to be able to quickly spot critical information that requires your attention, and have deep insight into what users are doing to determine whether they pose a real threat to sensitive data. User behavior analysis will enable you to distinguish normal behavior from aberrant activities and detect security violations that would otherwise be unnoticed.

3. Gain visibility into your IT environment. Monitoring of critical changes and user activities is essential to being able to quickly respond to cyber threats. Visibility across all levels of the IT environment will help you keep track of any actions that could indicate privilege abuse, such as the unauthorized modification of a security group or a suspiciously high number of failed attempts to access a critical database.
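As an added example (not from the article or from Netwrix), here are two detection rules for the signals step 3 names, run over a constructed audit trail: a privileged-group membership change made by an account outside an approved list, and a burst of failed accesses to a critical database. The group names, the approver list and the record schema are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption (not from the article): the privileged groups and the only accounts approved to change them.
PRIVILEGED_GROUPS = {"Domain Admins", "db_admins"}
APPROVED_CHANGERS = {"alice"}

def _ev(ts, actor, action, target, subject=None, result="success"):
    return {"ts": ts, "actor": actor, "action": action, "target": target,
            "subject": subject, "result": result}

# Constructed sample audit trail with a constructed schema, in time order (not real data).
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00", "alice", "group_member_added", "Domain Admins", "bob"),
    _ev("2024-05-01T09:02:00", "jdoe", "group_member_added", "Domain Admins", "contractor1"),
    _ev("2024-05-01T09:03:00", "jdoe", "group_member_added", "Helpdesk", "contractor1"),
] + [
    _ev(f"2024-05-01T09:{m:02d}:00", "contractor1", "db_access", "billing-db", result="failure")
    for m in range(10, 18)  # eight failed accesses, one per minute
] + [
    _ev("2024-05-01T10:30:00", "bob", "db_access", "billing-db", result="failure"),
]

def group_change_alerts(events):
    """Membership changes to privileged groups made by an unapproved actor."""
    return [f"{e['ts']} {e['actor']} added {e['subject']} to {e['target']}"
            for e in events
            if e["action"] == "group_member_added"
            and e["target"] in PRIVILEGED_GROUPS
            and e["actor"] not in APPROVED_CHANGERS]

def failed_access_alerts(events, threshold=5, window_minutes=10):
    """Actors reaching `threshold` failed accesses to one resource inside a
    sliding window; one alert per (actor, resource) so a burst does not flood."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # (actor, target) -> timestamps of recent failures
    alerted, alerts = set(), []
    for e in events:
        if e["action"] != "db_access" or e["result"] != "failure":
            continue
        key = (e["actor"], e["target"])
        ts = datetime.fromisoformat(e["ts"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"{e['ts']} {e['actor']} reached {len(q)} failed accesses to {e['target']} in {window_minutes} min")
    return alerts
```

Alice’s change and the Helpdesk change pass silently; jdoe’s addition to Domain Admins and contractor1’s fifth failure inside ten minutes each produce one alert, and the approver list is the piece that has to be kept current as roles change (step 1).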

About Michael Fimin

Michael Fimin is an expert in information security and CEO and co-founder of Netwrix Corporation. Michael Fimin joined Netwrix Corporation in 2007, bringing more than a decade of IT industry experience, management practices and innovation.
