Ready to take the next step in assessing your organization’s risk of a Snowden-style crime? Download our 2016 definitive Privilege Access Benchmarking Study today.
Or should I say, we are not doing enough? It’s surprising how little has changed three years on.To understand how widespread the insider threat is, BeyondTrust has embarked on several privilege studies throughout the past few years to capture the risk of privileges by industry. For 2016, the definitive BeyondTrust Privilege Benchmark Study has revealed that the threat is still very real and that the disparity in maturity is staggering. Statistics from the survey reveal fragmentation around the potential threat they face by maturity of the vertical (low end verses high end tiers as described in the complete survey).
Why is this still the case?Highly regulated environments such as financial and healthcare fall into the high end tier but manufacturing and others just do not have the drive to solve this problem without a compelling event such as regulation, outage, or breach. What is more curious is that government entities should fall into the high end but prove that a true insider threat, with malicious intent, is still possible without the proper checks and balances, audits and reporting, and overall access accountability. Snowden proved that unmonitored access, even with his or someone else’s account, when left unchecked can cause a great deal of damage.
Where do we go from here?His insider knowledge, coupled with unmonitored security controls, allowed Snowden to have privileged access to sensitive information that he leaked. The simple facts are that he:
- Hacked his own place of employment
- Leveraged unmonitored privileged access to copy and exfiltrate sensitive information
- Used the information to cause significant damage
It is time we consider the threats from inside.Here are five quick steps to improve the maturity of your privileged access management strategy using the guidance from the best PAM practitioners:
- Be granular: Implement granular least privilege policies to elevate applications, not users.
- Know the risk: Never elevate an application’s privileges without knowing if there are known vulnerabilities.
- Augment technology with process: Reinforce enterprise password management hygiene with policy and an overall solution. As the first line of defense, establish a policy that requires regular password rotation and centralizes the credential management process.
- Take immediate action: Real-time monitoring and termination capabilities are vital to mitigating a data breach as it happens, rather than simply investigating after the incident.
- Close the gap: Integrate solutions across deployments to reduce cost and complexity, and improve results. Avoid point products that don’t scale. Look for broad solutions that span multiple environments and integrate with other security systems, leaving fewer gaps.
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.