While companies are quick to have their privileged users keep a watchful eye on other employees to carry out compliance mandates, they often fail to monitor the activities of the privileged users themselves.

This lapse in security has proven dangerous for some organizations. An ''Insider Threat Survey'' conducted last year by CERT at Carnegie Mellon University in Pittsburgh found that a majority of insider security attacks, 57 percent, were carried out by employees who at one time had privileged user status.

''A good portion of insider attacks come from privileged users or people with too much access. To truly be in compliance, you need to watch the watchers,'' says Paul Stamp, an analyst at Forrester Research in Cambridge, Mass.

Stamp recommends that companies employ monitoring and auditing tools geared toward logging privileged user activity, as well as regular user activity. That way, you can receive alerts if someone in IT is looking at payroll or financials when they shouldn't be or if someone in HR is trying to open up remote access for an attack.

Privileged user monitoring tools, which can log access and activity on servers, firewalls, routers and other network elements, are instrumental in helping companies meet the standards of compliance rules, such as those in the Sarbanes-Oxley Act and the Payment Card Industry (PCI) Data Security Standard. Most call for dual controls and separation of duties regarding sensitive information such as customer data and financials.

''Companies have to demonstrate to auditors that they're not just watching the rank and file, but also privileged users,'' Stamp says.

Erik Hart, vice president and information security officer at Cole Taylor Bank, a subsidiary of Taylor Capital Group, Inc. in Rosemont, Ill., says he knows this challenge first-hand. He's felt the dual pressure of the insider threat and the need to comply with federal regulations since taking his position two and a half years ago.

''You have to separate day-to-day IT functions from security. However, when we first implemented privileged user auditing tools, there was hesitation from the IT staff. It was seen as a monitor of everything they were doing. Now it's seen as a comfort level to the organization,'' he says.

Accountability

In one case, an IT administrator was terminated when the monitoring logs showed that he lied about his use of privileged access. ''We were able to trace the investigation back to the individual computer the request originated from,'' he says.

In another, the monitoring software saved an IT administrator who was accused of wrongdoing during an ethical hacking session run by an outside consultancy. ''We were able to run an audit and show that he wasn't the one performing the commands,'' says Hart, who uses Network Intelligence Corp.'s enVision product.

''The tool allows for accountability for what happens across the network and the organization. It's a protection for [privileged users],'' he says.

Hart himself is a practitioner of duty separation. To meet corporate, industry and federal regulations, he is administrator of logs, but not the network; and IT administers the network, but has no access to the logs. In addition, the logs are locked as soon as they are copied over to the log-auditing device. ''I can't modify them in any way. This shows the Sarbanes-Oxley auditors and other regulators that there is a separation of duties and a separation of logging,'' he says.

In addition to monitoring privileged user access, companies must evaluate who needs that level of access in the first place. When information security consultant Rick Wenban last year joined Michaels Stores, Inc., the arts and crafts retail chain based in Irving, Texas, figuring out what employees had access to what information was Job One.

Under the thumb of strict standards like PCI, Wenban wanted to narrow down the pool of people who could access sensitive information, such as credit card data. ''The PCI standard is more Draconian than Sarbanes-Oxley. They can fine you up to $500,000 for violations,'' he says.

Wenban's first step was to check what kind of controls were in place at the nationwide company and who had privileged user access. ''I can usually tell when there are too many people with access. If the shop has brittle systems, the applications go down a lot, and there are a lot of people acting autonomously, that's usually an indicator that a lot of people have privileged user access,'' he says.

Wenban installed Consul Risk Management, Inc.'s InSight software to get a clear view of who was doing what to the network and what information they were accessing. He compared this to their job functions and then began paring down access.

''I used the auditing tools to prove that certain users did not need privileged access to do their jobs,'' he says.
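As an added example (not from the article, and not code from the enVision or InSight products it mentions), here is a small Python audit over constructed access-log lines that does the two things Stamp and Wenban describe: it alerts on access outside an account's role policy (IT reading payroll, HR opening remote access) and it lists privileged accounts whose logged activity never needed the privilege, as candidates for paring back. The role policy, user names, resource names and log lines are all constructed.

```python
# Constructed policy: the resources each role legitimately touches.
ROLE_POLICY = {
    "it_admin": {"server:db01", "server:web01", "firewall:fw01"},
    "hr": {"app:hr_portal"},
    "finance": {"app:payroll", "app:general_ledger"},
}

# Constructed list of resources that require privileged (admin-level) access.
PRIVILEGED_RESOURCES = {
    "server:db01", "server:web01", "firewall:fw01", "config:remote_access",
}

# Constructed sample log: timestamp user role action resource
SAMPLE_LOG = """\
2024-01-05T09:12:03 alice it_admin READ server:db01
2024-01-05T09:15:41 alice it_admin READ app:payroll
2024-01-05T10:02:17 bob hr MODIFY config:remote_access
2024-01-05T10:30:00 carol it_admin READ app:hr_portal
2024-01-05T11:00:00 dave finance READ app:payroll
2024-01-05T11:05:00 erin it_admin READ app:general_ledger
"""


def parse_log(text):
    """Turn the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, resource = line.split()
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "resource": resource})
    return events


def find_out_of_role_access(events):
    """Alert on every access to a resource outside the actor's role policy."""
    alerts = []
    for e in events:
        if e["resource"] not in ROLE_POLICY.get(e["role"], set()):
            alerts.append((e["ts"], e["user"], e["role"], e["action"], e["resource"]))
    return alerts


def privileged_accounts_without_need(events, privileged_users):
    """Privileged accounts whose logged activity never touched a privileged resource."""
    exercised = {e["user"] for e in events if e["resource"] in PRIVILEGED_RESOURCES}
    return sorted(set(privileged_users) - exercised)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_out_of_role_access(evs):
        print("ALERT out-of-role access:", *alert)
    print("privilege never exercised:",
          privileged_accounts_without_need(evs, {"alice", "carol", "erin"}))
```

On the sample log this flags alice reading payroll, bob changing remote-access configuration, and two IT admins touching business applications, and reports carol and erin as privileged accounts that never used their privilege in the window.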

Knowing what functions matched what jobs helped Wenban to automate the process going forward and ensure future compliance.

He also instituted a policy where privileged users each year have to sign a form acknowledging their roles and responsibilities. ''We remind people that they can't go out and access data just because they have privileges above the norm,'' he says.

While industry experts predict that these tools will soon be available in traditional database and storage products, they say companies should buy point products now.

''The database and storage vendors are still a few years off from building this into their products. Companies can't wait that long, they need to buy best-of-breed today to meet compliance mandates and for security,'' says Eric Ogren, security analyst at Enterprise Strategy Group, a research firm in Milford, Mass.