What is the threat posed by privileged users?

Opinion by George Piankou

Accounts with legitimate access to not only sensitive information but also complete control over the system are put in the best position to act maliciously.

The financial and personal data of companies and their customers is worth a lot of money, which makes it a tasty morsel for intruders. To protect themselves, companies spend considerable resources. However, the real danger to an organisation might be its own employees.

Obviously, employees who hold privileged accounts are the most dangerous insiders. Among such accounts are those of network administrators, which not only give them legitimate access to sensitive information but also provide complete control over the system. That puts them in the best position to act maliciously.

In 2017 Falcongaze surveyed its users: 80 percent of customers said they had prevented a leak of sensitive information, and 11 percent reported that attempts to extract such data had been made more than ten times.

A privileged user account

The term itself seems to be self-explanatory but many organisations fail to recognise all the types of privileged accounts they have.

Domain administrator accounts provide access to all workstations and servers in a particular domain. The account users get the highest level of control over the system.

Local administrator accounts provide access and complete control over the server or workstation. IT specialists use them to perform system maintenance.

Application administrator accounts provide access to applications. Their users can manage databases and perform configuration and maintenance operations.

Personal privileged accounts provide high-level privileges to one particular employee. These are often created for managers or database operators.

Service accounts are used by applications to communicate over the network in a secure manner.

Emergency accounts are used to resolve situations that require an increased level of access.

Most users of privileged accounts are network engineers, system administrators, database operators, top-level managers, security officers and the like. They work directly with sensitive data.

In December 2011 system administrator Michael Thomas deleted ClickMotive's backups and its network notification system, cut off access to the VPN, and erased internal wiki pages and external support contacts. He then left his keys, his laptop and his resignation letter and walked out of the office. The court found him guilty of "unauthorised damages". However, at the trial his lawyer argued that his client was authorised - that was his job.

The threat

The increased level of access allows such users to perform various malicious actions:

leak confidential information to sell it or simply post it on the Internet;

modify or delete it, which opens up opportunities for fraud;

install an exploit or backdoor to gain full access to the system;

bring down the entire system by changing critical settings;

make errors or take unintentional actions - emailing sensitive data to the wrong person can lead to millions in losses.

Nevertheless, what makes privileged accounts dangerous is not so much the level of access as how easy it is for their users to commit malicious acts and how difficult it is to detect them. Such actions are often indistinguishable from daily activities.

Another big problem is the security of such accounts. 

At the end of 2014 a representative of Sony Pictures Entertainment stated that the anonymous cyber-group Guardians of Peace had gained direct access to the company's network. The attack was carried out using a stolen system administrator account, which provided unlimited access to employee records, unreleased movies and so on.

How to overcome this vulnerability

Ultimately, effective security comes down to efficient user management, control and monitoring.

First, ensure that all privileged users are accounted for and that no user has an excessively high level of access (regulate the procedure for creating such accounts).

Then, control access to privileged accounts: record who entered them, when, and for what purpose (various forms of multi-level authentication and password management help here).

Finally, rely on trustworthy people and appropriate monitoring tools. An effective detection tool that alerts you to an insider attack and records user activity is the best way to prevent insider threats. Professional DLP solutions for monitoring users can provide the necessary transparency for every privileged session and react immediately to any incident.
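The three steps above, worked through as an added Python example (this is not code from the article or from Falcongaze): it reconciles observed privileged group membership against an approved register, lists privileged sessions entered with no recorded purpose, and flags sessions that only stand out in context. All account names, groups, tickets and session records are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (not from the article): the approved register of
# privileged accounts (account -> group) and the group membership actually
# observed on the domain.
APPROVED = {"alice.adm": "Domain Admins", "bob.dba": "DB Admins",
            "svc-backup": "Backup Operators"}
OBSERVED = {
    "Domain Admins": {"alice.adm", "carol.tmp"},   # carol.tmp is not registered
    "DB Admins": {"bob.dba"},
    "Backup Operators": {"svc-backup"},
}
# Constructed privileged-session records: who, when, the change ticket that
# states the purpose (empty if none was given) and how many actions were taken.
SESSIONS = [
    {"user": "alice.adm", "start": "2024-03-11 09:12", "ticket": "CHG-1042", "actions": 3},
    {"user": "bob.dba", "start": "2024-03-11 23:40", "ticket": "", "actions": 57},
    {"user": "carol.tmp", "start": "2024-03-12 10:05", "ticket": "CHG-1050", "actions": 4},
]

def unregistered_privileged_accounts(observed=OBSERVED, approved=APPROVED):
    """Step 1: members of privileged groups who are missing from the register
    or sit in a group other than the one approved for them."""
    return sorted((user, group) for group, members in observed.items()
                  for user in members if approved.get(user) != group)

def sessions_without_purpose(sessions=SESSIONS):
    """Step 2: privileged sessions entered with no recorded purpose (ticket)."""
    return [s["user"] for s in sessions if not s["ticket"]]

def anomalous_sessions(sessions=SESSIONS, approved=APPROVED,
                       work_hours=(8, 19), max_actions=25):
    """Step 3: flag sessions that look like routine work on their own but
    stand out in context: unregistered account, out of hours, high volume."""
    alerts = []
    for s in sessions:
        hour = datetime.strptime(s["start"], "%Y-%m-%d %H:%M").hour
        reasons = []
        if s["user"] not in approved:
            reasons.append("unregistered account")
        if not work_hours[0] <= hour < work_hours[1]:
            reasons.append("outside working hours")
        if s["actions"] > max_actions:
            reasons.append("high activity")
        if reasons:
            alerts.append((s["user"], reasons))
    return alerts
```

With the sample data, step 1 surfaces carol.tmp, step 2 surfaces bob.dba's ticketless session, and step 3 flags bob.dba's late-night high-volume session and carol.tmp's session from an unregistered account.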

Insider threats are difficult to eliminate and even harder to detect. Therefore, companies have no choice but to pre-empt the threat coming from their own employees. This way they can protect confidential data and enhance their information security.

Contributed by George Piankou, head of business development department at Falcongaze.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
