This week’s revelation that a Tesla employee would be sued after exfiltrating data in an attempt to blow the whistle on what he saw as inappropriate practices at the company is the latest example of how organizations don’t take the risk of insiders seriously enough. And who could blame them? After all, the latest Verizon Data Breach Investigations Report shows that only 28% of data breaches are perpetrated by insiders, right?
Wrong. Some of the most damaging data breaches have been perpetrated by insiders. In fact here are seven of them. That same Verizon report I mentioned above shows that the insider breach percentage has steadily increased in the last four years. Whatever the motivation – altruism, money, a grudge, or even just pure curiosity – the end result is the same: inappropriate access to sensitive data. Limiting privileged access to sensitive data is low hanging fruit that can be enforced without disrupting end-user workflows, and to shore up compliance. I’ll review five progressive steps you can take today to grab this low hanging fruit.
5 Steps to Avoid Becoming the Next Tesla
1) It All Starts with Discovery
You can’t manage what you can’t measure, so discovering and inventorying all privileged accounts, and auditing end-user privileges, will quickly reveal where your biggest risks are. And, since the days of having all your assets in an on-premise datacenter are long gone, make sure to extend that discovery to include cloud and container instances and libraries across physical, virtual, and cloud environments. Once a reliable discovery scan has been conducted, use collected system details from that discovery scan to categorize assets with common traits and automatically place them under management.
2) From the Discovery and Categorization Stage, Eliminate the Sharing of Discovered Privileged Accounts
Shared accounts can include anything from the domain admin account in Active Directory (AD) to developer access to source code, test servers, and production builds, as seemed to be the case in this particular case. By securely storing credentials in a password safe, requiring an adaptive workflow process to check them out, forcing their rotation, and monitoring activity on those accounts while they are checked out, you have a closed-loop system for privileged user activity monitoring. Video recordings and keystroke logs can be used to forensically investigate or even monitor activity live to prevent unwanted activity from ever getting to the point where exfiltration happens.
3) Eliminate Hard-Coded Passwords and Secrets in Embedded Scripts, Files, Code, and Application Credentials Such as Service Accounts
Consider the role of the developer as one with the highest level of risk. Why? Aside from designing and architecting software, they also write and test code, and perform code review and release management. Embedded credentials in code, and dev and test data access make this a high risk for negligence due to shared access to business-critical code, systems, and IP. Eliminate embedded credentials, implementing granular control over privileged access, and providing an audit trail of development activities adds accountability and reduces risks by closing backdoors to critical systems.
4) Enforce Least Privilege Across the Environment by Elevating Only Specific Actions and Commands
Granting unfettered access to systems goes against the principle of least privilege, which is a hallmark of nearly every best practice security framework. Consider an admin having access to some of their organization’s most secret information in a database (this is sounding familiar, no?). With least privilege, you can enable them to do their jobs without the risk by running applications related to managing databases without them having to be admins on the machines housing those databases.
Hand-in-hand with least privilege enforcement is network segmentation. Focus on keeping roles separate and segmentation isolated between organizations. This approach restricts access based on the context of the user, role, application, and data being requested, and reduces line of sight access that attackers must have into internal systems.
5) Monitor Privileged User Behavior
That line-of-site access I mentioned above extends beyond embedded credentials. It also includes correlating privileged account and user activity against asset behavior – for example connecting the dots between users and firewalls, routers or other similar systems in an attempt to bypass security controls. Having this insight allows you to act decisively and effectively prioritize active threat and risk mitigation.
At the end of the day, reducing the risk of insider privilege abuse is about three things: 1) protecting privileged accounts/credentials/passwords; 2) controlling what people are allowed to do, and 3) watching and recording everything. Regardless of the motivation behind the case at Tesla, organizations can learn a valuable lesson: Better enforcement of privileged access management can prevent unwanted leaks.