Unsurprisingly, employees who hold privileged accounts are the most dangerous insiders. Network administrators are the clearest case: their accounts not only give them legitimate access to sensitive information but also complete control over the system, which puts them in the best position to act maliciously.
In 2017 Falcongaze surveyed its users: 80 percent of customers reported having prevented a leak of sensitive information, and 11 percent said that attempts to extract such data had been made more than ten times.
A privileged user account
Emergency accounts exist to handle situations that require an increased level of access.
Most privileged account holders are network engineers, system administrators, database operators, top-level managers, security officers and the like, all of whom work directly with sensitive data.
In December 2011 ClickMotive system administrator Michael Thomas deleted the backups, took down the network notification system, cut off VPN access, and erased internal wiki pages and external support contacts. He then left his keys, his laptop and a letter of resignation, and walked out of the office. The court found him guilty of causing "unauthorised damage". However, at the trial his lawyer stated that his client was authorised, as those were his job duties.
The increased level of access allows such users to perform a range of malicious actions:
leak confidential information, either to sell it or simply to post it on the Internet;
modify or delete it, which opens up opportunities for fraud;
install an exploit or backdoor to gain full access to the system;
bring down the entire system by changing critical settings;
make mistakes or act unintentionally: emailing sensitive data to the wrong person can lead to millions in losses.
Nevertheless, what makes privileged accounts dangerous is not so much the level of access as how easy it is for these users to commit malicious acts and how difficult it is to detect them: such actions are often indistinguishable from routine daily activity.
Another big problem is the security of such accounts.
At the end of 2014 a representative of Sony Pictures Entertainment stated that the anonymous cyber-group Guardians of Peace had gained direct access to the company's network. The attack was carried out using a stolen system administrator account, which provided unlimited access to employee records, unreleased films and more.
How to overcome this vulnerability
Finally, rely on trustworthy people and appropriate monitoring tools. A detection tool that records user activity and alerts you when an insider attack is under way is the best way to prevent insider threats. Professional DLP solutions for user monitoring can provide the necessary visibility into each privileged session and react immediately to any incident.
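As an added illustration of the monitoring point above (example code written for this page, not a Falcongaze product or anything from the article), the following Python flags a privileged account that uses several distinct destructive action families within a short window, the pattern of the ClickMotive case, while ignoring the same actions performed singly as routine administrative work. The audit log format and the account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines (not from the article): "<ISO time> <account> <action> <target>".
SAMPLE_LOG = """\
2011-12-05T09:02:11 admin_a backup.delete nightly-2011-12-04
2011-12-05T09:04:30 admin_a backup.create nightly-2011-12-05
2011-12-05T17:40:02 admin_b backup.delete nightly-2011-12-04
2011-12-05T17:43:50 admin_b monitoring.disable network-notifier
2011-12-05T17:45:09 admin_b vpn.revoke all-users
2011-12-05T17:47:33 admin_b wiki.delete internal-pages
2011-12-05T17:48:10 admin_b wiki.delete support-contacts
2011-12-06T08:15:00 admin_b vpn.revoke contractor-x
"""

# Each family is legitimate admin work on its own; the signal is several
# distinct families used by one account inside a short window.
DESTRUCTIVE = {"backup.delete", "monitoring.disable", "vpn.revoke", "wiki.delete"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Parse audit lines into (timestamp, account, action, target) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, account, action, target = m.groups()
        events.append((datetime.fromisoformat(ts), account, action, target))
    return events

def detect_destructive_bursts(events, window=timedelta(minutes=15), min_families=3):
    """Return {account: families} for accounts using >= min_families distinct
    destructive action families within any sliding window of the given size."""
    per_account = defaultdict(list)
    for ts, account, action, _ in events:
        if action in DESTRUCTIVE:
            per_account[account].append((ts, action))
    alerts = {}
    for account, acts in per_account.items():
        acts.sort()
        for i, (start, _) in enumerate(acts):
            families = {a for t, a in acts[i:] if t - start <= window}
            if len(families) >= min_families:
                alerts[account] = families
                break
    return alerts
```

The window size and family threshold are tuning knobs: too small a threshold turns routine clean-up into false positives, too large lets a slow, spread-out wipe pass unnoticed.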
Contributed by George Piankou, head of business development department at Falcongaze.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.