What you need to know in keeping your privileged users in check
By Brandon Tan

The inaugural Singapore International Cyber Week (SICW) will be held next week, from the 10th of October, and it's no surprise that cyber security will be one of the key topics during that week. Data breaches are happening globally, and are growing in magnitude.
As recently as last week, Yahoo announced that names, phone numbers and passwords from more than 500 million accounts had been stolen by state-sponsored hackers in 2014, and that the theft had only recently been discovered. We also see a trend in which data breaches caused by both malicious and "accidental" insiders are on the increase.
Users with privileged access have been at the root of some of the most high-profile breaches of past years. One example is the South Korean Credit Bureau breach, which exposed the personal information of 40% of all South Koreans because a worker with access to various databases at the company copied data onto an external drive over the course of 18 months.
Just who are these privileged users? More often than not, the typical privileged user is associated with an organisation's IT department; this can include database administrators, network engineers, IT security practitioners, and so on. However, not all privileged users sit within IT; they can also include anyone that has elevated access to data, systems, and computer assets within a company, from account managers to corporate executives.
Damage caused by privileged users is the most extensive, the hardest to mitigate, and the hardest to detect, as it is done by authorised users performing authorised activities. Ponemon Institute's 2015 Global Cost of Data Breach study found that attacks by malicious insiders took approximately 54 days to detect and resolve; in comparison, malware took less than a week to sort out, and attacks by botnets took just two days to resolve.
The same study by Ponemon also found that insider attacks cost an average of US$144,000 per incident. It's also important to note that many insider attacks go unnoticed, and are therefore unreported.
Here are some best practices that organisations can consider to handle threats by privileged users, whether intentional or otherwise:
Awareness and planning
To start, organisations should develop an IT security strategy that protects against threats from internal privileged users as well as from external attackers. The two are linked: the recently released 'Insecurity of Privileged Users' survey by Ponemon Institute found that 40% of respondents believe that social engineers from outside will target privileged users to obtain their access rights.
Security leaders need to identify and review the privileged accounts on the network, and work towards reducing the number and types of privileged accounts in the company to reduce complexity. Similarly, a thorough vetting process should determine who receives a privileged account, through well-defined policies controlled by the business or application owners.
Remember to use extra caution with system administrators; as these users are often granted the "keys to the kingdom" in terms of access and capabilities, additional safeguards need to be implemented to adequately monitor and manage their behaviour.
Beyond recognising that privileged users can be a credible threat to an organisation, it's imperative to educate employees on security best practices for privileged users. This can be done with regular training of employees on the proper use of elevated access privileges, including logging out after performing tasks that require them.
Set clear boundaries
Where possible, limit the use of shared privileged accounts, since activity on a shared account cannot be attributed to an individual. Scope each account's access to the systems and data needed for a specific job function; human resources, for example, needn't have access to finance records.
You can also enforce separation of duties and least privilege. This means no one employee can perform all privileged actions for a system or application and they are granted only the bare minimum privileges needed to perform their jobs.
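The two controls above can be checked mechanically against whatever role model an organisation already has. The following is an added example, not code from the original article: it expands each user's roles to an effective permission set, reports "toxic" permission pairs that one person should never hold together (separation of duties), and reports permissions beyond what the user's job function needs (least privilege). The roles, permissions, job profiles, conflict table and user assignments are all constructed for illustration.

```python
"""Separation-of-duties and least-privilege checks over a simple role model.

Added example, not from the original article. Roles, permissions, job
profiles, the conflict table and the sample users are constructed.
"""

# Constructed role-to-permission map (assumption: flat roles, no inheritance).
ROLE_PERMISSIONS = {
    "ap_clerk":    {"vendor.create", "invoice.enter"},
    "ap_approver": {"invoice.approve", "payment.release"},
    "dba":         {"db.read", "db.write", "db.dump"},
    "sysadmin":    {"host.root", "db.dump"},
    "hr_analyst":  {"hr.read"},
}

# Toxic combinations: no single person should hold both halves of a pair.
SOD_CONFLICTS = [
    ("invoice.enter", "invoice.approve"),   # enter and approve own invoices
    ("vendor.create", "payment.release"),   # create a vendor and pay it
    ("db.dump", "host.root"),               # copy the data and clear the logs
]

# Least-privilege baseline: what each job function actually needs.
JOB_NEEDS = {
    "accounts_payable": {"vendor.create", "invoice.enter"},
    "finance_manager":  {"invoice.approve", "payment.release"},
    "database_admin":   {"db.read", "db.write", "db.dump"},
    "hr":               {"hr.read"},
}


def effective_permissions(user_roles):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in user_roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user_roles):
    """Conflicting permission pairs held by a single user."""
    perms = effective_permissions(user_roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def excess_permissions(user_roles, job):
    """Permissions the user holds beyond what the job function needs."""
    return effective_permissions(user_roles) - JOB_NEEDS.get(job, set())


def audit(assignments):
    """assignments: {user: (job, [roles])} -> findings for users with issues."""
    findings = {}
    for user, (job, roles) in assignments.items():
        sod = sod_violations(roles)
        excess = excess_permissions(roles, job)
        if sod or excess:
            findings[user] = {"sod": sod, "excess": excess}
    return findings


# Constructed sample assignments.
SAMPLE = {
    "alice": ("accounts_payable", ["ap_clerk", "ap_approver"]),  # enters and approves
    "bob":   ("hr", ["hr_analyst", "dba"]),                      # HR with database dump rights
    "carol": ("database_admin", ["dba"]),                        # clean
    "dave":  ("database_admin", ["dba", "sysadmin"]),            # dump + root on one person
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(user, finding)
```

Running it reports alice for both an SoD conflict and excess approval rights, bob for holding database privileges an HR job does not need, and dave for the dump-plus-root combination; carol, whose roles match her job, is not reported. A real deployment would feed this from the directory or PAM tool's role export rather than from literals.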
Monitor privileged users
Organisations today often have to manage multiple endpoint solutions from numerous vendors, and it can be challenging to pull the right information and context out of those disparate data sets to form an informed view of the company's overall security posture.
Organisations should use automated or Privileged Account Management (PAM) tools to both administer and monitor privileged accounts. Insider threat solutions, combining logging and monitoring techniques with dashboards, can give administrators a holistic view of the users in their organisation and flag suspicious behaviour even when it is carried out with authorised privileges; for example, the finance controller copying an unusually large number of confidential financial records from the company servers to a removable flash drive.
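The flash-drive scenario above comes down to a volume rule applied per user. The following is an added example, not code from the original article or any vendor's product: it parses constructed audit lines recording file copies, builds each privileged user's own daily baseline for copies to removable media, and flags a day that exceeds both an absolute floor and a multiple of that baseline. A per-user baseline matters because a database administrator who legitimately moves backups to removable media every day should not trip the same fixed threshold as a finance controller who normally never does. The log format, user names, volumes and the threshold values are all assumptions.

```python
"""Flag unusual bulk copies to removable media by privileged users.

Added example, not from the original article. The log format, users,
volumes and the threshold rule are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict

# Constructed audit lines: "<date> user=<u> action=copy dest=<type> files=<n>"
LOG = """\
2016-09-26 user=fcontroller action=copy dest=network files=12
2016-09-27 user=fcontroller action=copy dest=network files=15
2016-09-28 user=fcontroller action=copy dest=removable files=4
2016-09-29 user=fcontroller action=copy dest=network files=11
2016-09-30 user=fcontroller action=copy dest=removable files=4200
2016-09-26 user=dba01 action=copy dest=removable files=30
2016-09-27 user=dba01 action=copy dest=removable files=28
2016-09-28 user=dba01 action=copy dest=removable files=35
2016-09-29 user=dba01 action=copy dest=removable files=31
2016-09-30 user=dba01 action=copy dest=removable files=40
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) action=copy "
    r"dest=(?P<dest>\S+) files=(?P<files>\d+)$"
)


def parse(log):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"date": m["date"], "user": m["user"],
                           "dest": m["dest"], "files": int(m["files"])})
    return events


def daily_removable_counts(events):
    """{user: {date: files copied to removable media that day}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["dest"] == "removable":
            totals[e["user"]][e["date"]] += e["files"]
    return totals


def flag_anomalies(events, target_date, min_files=100, factor=10):
    """Return (user, files_today, baseline) for users whose removable-media
    copies on target_date exceed both an absolute floor (min_files) and
    `factor` times the median of their own earlier days. ISO dates compare
    correctly as strings, so no date parsing is needed."""
    alerts = []
    for user, per_day in daily_removable_counts(events).items():
        today = per_day.get(target_date, 0)
        history = [n for d, n in per_day.items() if d < target_date]
        baseline = statistics.median(history) if history else 0
        # max(baseline, 1) stops a user with no history from dividing by zero;
        # a first-ever copy of min_files or more is still flagged.
        if today >= min_files and today > factor * max(baseline, 1):
            alerts.append((user, today, baseline))
    return alerts


if __name__ == "__main__":
    for user, today, baseline in flag_anomalies(parse(LOG), "2016-09-30"):
        print(f"ALERT {user}: {today} files to removable media (baseline {baseline})")
```

On the sample data the finance controller's 4,200-file copy is flagged against a baseline of 4, while dba01's 40 files sit within that user's normal range and stay quiet. The output should feed an alert that records the account, the volume and the baseline so that the follow-up has the attribution the next paragraph calls for.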
Privileged user auditing and monitoring doesn't need to be a technical challenge, especially if the solution is flexible, policy-based, and provides irrefutable attribution to a particular privileged user. In fact, just letting your employees know that your organisation uses such auditing and monitoring technology is a huge deterrent against privileged user abuse. Keeping an eye on such insider threats will help your company move forward with ease as Singapore progresses towards the Smart Nation initiative.