Security threats explained: Internal excessive privilege

In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today.


We've looked at third party access, hacktivism, social engineering, and internal negligence and conclude the series by speaking to security experts about the problem of internal excessive privilege.

Whether it's a system administrator with complete access to servers and data or an executive who retains excessive access rights after changing roles, these people could pose an internal threat if they turn against the company.

For example, a company could find itself locked out of its own network while customer data files vanish, trade secrets are stolen or company funds are siphoned out of the business.


The threat of internal excessive privilege

While organisations spend large amounts of money trying to defend their perimeters from being breached by external malicious actors, the defensive strategies put in place are not effective at protecting the organisation from within, according to IDC Australia senior market analyst, Vern Hue.

"When a rogue employee has access rights to various, and deep-lying, parts of the business (most often due to employees being with the organisation for a long period of time and changing roles as they go along), access to other parts of the system remains," he says.

According to Hue, this is because many organisations do not have the right processes in place to remove access rights to that previous role.

"This allows the employee to be in a position of siphoning precious information out and hold it against the organisation for a ransom, or to sell it in the black market," he says.

The risks of allowing staff access to certain systems can range from the employee destroying data that they should not have access to through to the entire corporate environment becoming compromised, according to Pure Hacking chief technology officer, Ty Miller. "This is a common scenario found by our security consultants where organisations are creating excessive numbers of domain administrator accounts," says Miller.

"These accounts have complete control over every Windows workstation, laptop and server throughout the corporate environment. When these accounts are compromised, the resulting impact can have devastating consequences on the organisation."

Extent of the threat

IDC's Hue warns that some well-known financial institutions have taken hits to both the bottom line and reputation as a result of rogue traders with excessive privileges. For example, French bank Société Générale was thrown into turmoil in 2008 when one of its traders, who breached five levels of controls, executed a series of fictitious transactions which resulted in US$7 billion of losses.

"That said trader was reported to have worked in the risk management office before moving into a trading role," he says.

According to Trend Micro Australia and New Zealand alliances manager, Adam Biviano, the risk is not just from intentional misuse of company data. For example, an administrator might be in the process of repairing a server and copy a critical database to a USB drive.

"Once the server is fixed and the data is no longer needed on the USB drive, is it actually deleted? Or is it thrown in the drawer as is, only to be used by someone else down the track who misplaces it in public," he says.

Addressing internal excessive privilege

Businesses need to reassess how they address internal excessive privilege by shifting away from viewing it as a compliance and regulatory requirement and treating it instead as a risk management exercise, says IDC's Hue.

"The shift in mentality has to start with the C-level executives, and helping them understand the risks associated with not having proper access governance programmes," he says.

Hue adds that companies can also conduct both external penetration tests [EPT] and internal penetration tests [IPT].

"These penetration tests would be deployed in order to mimic vulnerabilities which lay outside, and within the firewall," he says.

An IPT is conducted from the vantage point of an internal user, using the network access a typical user has. From this starting point the organisation is able to see how far privileges can be escalated and how much information within the network is at risk of a breach.

"This gives the team a view of their current security posture and it helps validate their security controls which are in place," says Hue.

Pure Hacking's Miller provided five key steps for organisations to address the issues surrounding excessive internal privileges.

Security policies, processes and system security guidelines should be developed to ensure that security is implemented effectively and that only the privileges an employee's role requires are granted.

System configurations should also be locked down so that least-privilege security is applied, minimising the risk of unnecessary privileges being abused.

Hackers perform privilege escalation attacks that are designed to gain unauthorised access to systems and data. Systems should be patched and hardened on a monthly basis so that these types of attacks are far harder to carry out.

Penetration tests should be performed to identify insecure access controls, excessive privilege levels, and privilege escalation vulnerabilities within systems and applications.

Organisations should review all users' privileges on a regular basis to ensure that accounts only have access to the functionality and data they require, and that access granted for a previous role has been removed.
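The access review described here, and the role-change leftovers Hue describes earlier in the piece, come down to one comparison: what each account holds versus what its current role justifies. The following is an added example, not code from Computerworld or from any of the interviewees, showing that comparison as an offline script. The users, roles, entitlement names, the role-to-entitlement matrix and the ceiling on standing Domain Admins accounts are all constructed sample data and assumptions; a real review would feed it exports from the directory and the organisation's own access matrix.

```python
"""Offline access review: flag entitlements not justified by a user's current role.

Added example with constructed data. ROLE_ENTITLEMENTS and MAX_DOMAIN_ADMINS
are assumptions standing in for an organisation's real access matrix.
"""
from dataclasses import dataclass
from typing import List, Set

# Assumed role model: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "risk_analyst": {"risk_db_read", "trade_blotter_read"},
    "trader": {"trade_blotter_read", "trade_blotter_write", "order_entry"},
    "sysadmin": {"server_local_admin", "backup_restore", "Domain Admins"},
    "helpdesk": {"password_reset", "workstation_local_admin"},
}

# Assumed ceiling on standing (always-on) Domain Admins accounts.
MAX_DOMAIN_ADMINS = 3


@dataclass
class User:
    name: str
    current_role: str
    previous_roles: List[str]   # roles held earlier, oldest first
    entitlements: Set[str]      # what the directory says the account holds today


@dataclass
class Finding:
    user: str
    entitlement: str
    reason: str


def review(users: List[User]) -> List[Finding]:
    """Return one finding per entitlement the user's current role does not justify.

    A leftover from an earlier role is reported separately from an entitlement
    no held role ever justified, because the remediation differs: the first is
    a missing joiner/mover/leaver step, the second is a direct grant to chase.
    """
    findings = []
    for u in users:
        allowed = ROLE_ENTITLEMENTS.get(u.current_role, set())
        for ent in sorted(u.entitlements):
            if ent in allowed:
                continue
            granting_roles = [r for r in u.previous_roles
                              if ent in ROLE_ENTITLEMENTS.get(r, set())]
            if granting_roles:
                reason = f"retained from previous role {granting_roles[0]}"
            else:
                reason = "not granted by any role this user has held"
            findings.append(Finding(u.name, ent, reason))
    return findings


def domain_admin_ceiling(users: List[User]) -> List[str]:
    """Return the Domain Admins holders if they exceed MAX_DOMAIN_ADMINS, else [].

    Every one of these accounts has full control of every domain-joined machine,
    so the count is a finding in itself even when each grant is role-justified.
    """
    holders = sorted(u.name for u in users if "Domain Admins" in u.entitlements)
    return holders if len(holders) > MAX_DOMAIN_ADMINS else []


# Constructed sample export: a directory dump joined with HR role history.
SAMPLE_USERS = [
    User("alice", "trader", ["risk_analyst"],
         {"trade_blotter_read", "trade_blotter_write", "order_entry", "risk_db_read"}),
    User("bob", "sysadmin", [],
         {"server_local_admin", "backup_restore", "Domain Admins"}),
    User("carol", "helpdesk", [],
         {"password_reset", "workstation_local_admin", "Domain Admins"}),
    User("dave", "helpdesk", ["sysadmin"],
         {"password_reset", "Domain Admins"}),
    User("erin", "sysadmin", [],
         {"server_local_admin", "Domain Admins"}),
]

if __name__ == "__main__":
    for f in review(SAMPLE_USERS):
        print(f"{f.user:8} {f.entitlement:24} {f.reason}")
    over = domain_admin_ceiling(SAMPLE_USERS)
    if over:
        print(f"{len(over)} standing Domain Admins accounts exceed the ceiling "
              f"of {MAX_DOMAIN_ADMINS}: {', '.join(over)}")
```

On the sample data the script flags alice's risk_db_read as a leftover from her risk analyst role (the pattern Hue attributes to the Société Générale case), dave's Domain Admins membership as a leftover from a sysadmin role, carol's Domain Admins membership as a grant no role of hers justifies, and the total of four standing Domain Admins accounts as over the ceiling. Bob produces no finding, which is the point of the role model: a review that only lists privileged accounts would not separate his justified grant from the other three.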

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
