One of the biggest information security holes that financial services (FS) and other organisations typically face concerns admin privileges, says Brian Chappell, director of technical services, EMEA and APAC, at BeyondTrust. Lax controls in this area often open firms up to the insider threat whereby disgruntled employees or infiltrators can leak data, target consumers for fraud attempts or otherwise engage in malfeasance, but there are preventative steps that can be taken.
Security breaches caused by internal people with admin privileges can sometimes be attributed to inadvertent mistakes, rather than employees or temporary outsiders carrying out malicious activities, but this latter ‘insider threat’ is also a clear and present danger. Whatever the intention of those breaching internal admin controls, guarding against the insider threat has to be a priority for FS and other organisations that hold sensitive data, but how to do it?
The first step you have to take when giving any internal staff admin privileges is to make them aware of the responsibility that now rests with them by providing adequate training and teaching them not to share their access details. If you don’t provide this know-how then a company’s data, customer details, source code, as in the case of the recent attack against Adobe, or other sensitive information is at risk.
Much of the information security focus this year has been on state-level security breaches, such as the US’ NSA snooping on SWIFT data, but while this may be a headline grabber often data leaks result from more mundane sources, particularly the insider threat from disgruntled employees or improperly controlled temps. The case of the Barclays bank branch in the UK whose IT system was taken over by criminals pretending to be internal IT staff is one illustration of this threat.
The insider threat has been around for a long time and it is a shame that sometimes it takes news stories like this to highlight it and get firms to act. No longer can organisations of all kinds stick their heads in the sand and ignore the very real threats that lie within. The issue is that, having ignored it for such a long time, it can be hard to know where to start in terms of implementing or reactivating policies in this area. Elevated privilege and broad admin access to data have become the cultural norm too, so suddenly denying this to staff can cause uproar and a sea of complaints.
In many organisations, giving users administrative rights over their desktops is standard practice. And it’s understandable why this happens: it means that users can make adjustments to their IT set-up without having to call on the IT support department. Let’s face it: all those calls to the helpdesk can add up (the Gartner consultancy have previously indicated that this could cost firms $1200 per PC, per year) and the IT team would rather focus on other matters than help Miss Smith in HR download a new piece of software.
Protecting Your Organisation
The problem is that Miss Smith in HR and her peers – including many people in the IT function, by the way – haven’t really grasped the scale of the responsibility they’ve been given, let alone the implications should something go wrong. That is why training and a clear policy are necessities.
To use a parallel with a building, firms are potentially opening up all the doors if they have no such policy in place. Miss Smith has access to the bank’s entrance lobby and the HR department, but guess what: she’s also been given access to the bank’s vaults. Why? Well, imagine that there are 10 floors in the building, with 50 offices on each floor. To give Miss Smith access to just one of these, every lock in the building (door, desk, cabinet) is opened, so she has administrative access to the whole place.
Scary, yes? It gets worse: admin rights are often not tracked, so, dare I say it, many firms are probably not entirely sure who holds the keys to which doors in the first place.
Moving From Implicit Policies to Explicit Ones
This is why organisations are beginning to have a mind-shift in their attitude towards privilege and admin controls and to make it clear to employees what is required of them. It’s good to see this trend as I am a firm believer that changing policies from implicit access privileges to explicit ones, where you perhaps have to log-on, is the way to go. To put it plainly, users should not be given administrative rights at any time – they should only ever have access to the rights necessary for them to be productive within their roles.
For a lot of open organisations, this is going to be a culture shock and some user resistance can be expected, but the reality is most users really don’t need as much privilege as they typically have. Sure, this could put some more work back on the shoulders of the IT team, but that would be a very small price to pay in the context of risk mitigation or the avoidance of a large regulatory fine later down the line.
Applying ‘least privilege’ rights can seem an onerous task. Having worked myself for some large organisations such as Amstrad and the BBC, each with tens of thousands of employees, I can appreciate how daunting managing a privileged access programme can seem, but it is really not that bad. Even in mega-large organisations, there are probably only a couple of thousand applications in general use, and the need to apply privileged access controls applies to only a relatively small number of these apps and an even smaller number of people. Suddenly, the scale of the task is a lot more manageable if you know which people to include or exclude as you develop your policy. Doing the work to develop a policy will save tears later on down the line.
The key tip is to focus on the privilege associated with the application (and only afterwards on the user and who has access to the app). Operationally, it makes a lot of sense, because the privileges associated with an application, process or installer, are likely to remain fairly constant, whereas users’ application requirements are constantly going to vary, especially as they change jobs and responsibilities, causing a headache for the programme controller. The impact on the IT department of introducing an access control and admin rights policy can be minimised in this way.
There are also a wide variety of ‘least privilege’ management tools available. They enable organisations to automate much of the process, right down to enabling users to install specific software, add printers and relevant drivers to the system, if they are greenlighted.
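As an added illustration of the application-first approach described above (this is not code from the article or from any BeyondTrust product), the following Python sketch models a policy in which privileges attach to applications, roles merely list the applications a job needs, and the policy itself can answer “who holds the keys to which doors?”. All application, privilege, role and user names are constructed for this example.

```python
"""Application-centric least-privilege policy model (constructed example)."""
from typing import Dict, List, Set

# The privileges an application needs are fixed per app, so they are the
# stable part of the policy. Sample data below is constructed, not real.
APP_PRIVILEGES: Dict[str, Set[str]] = {
    "printer-setup":     {"install-driver"},
    "hr-payroll-client": {"write-hr-share"},
    "dev-sdk-installer": {"install-software", "modify-system-path"},
    "web-browser":       set(),
}

# Roles name the applications a job needs; people change roles, apps do not.
ROLE_APPS: Dict[str, Set[str]] = {
    "hr-clerk":  {"printer-setup", "hr-payroll-client", "web-browser"},
    "developer": {"printer-setup", "dev-sdk-installer", "web-browser"},
}

USER_ROLE: Dict[str, str] = {"msmith": "hr-clerk", "jdoe": "developer"}

# What a blanket local-admin grant hands out, for comparison.
FULL_ADMIN: Set[str] = set().union(*APP_PRIVILEGES.values()) | {
    "edit-registry", "read-all-profiles"}

AUDIT_LOG: List[str] = []  # every explicit elevation decision is recorded


def effective_privileges(user: str) -> Set[str]:
    """Union of the privileges of the apps the user's role may elevate."""
    apps = ROLE_APPS.get(USER_ROLE.get(user, ""), set())
    return set().union(*(APP_PRIVILEGES[a] for a in apps))


def authorize(user: str, app: str) -> bool:
    """Explicit decision: the app must be on the user's role list."""
    allowed = app in ROLE_APPS.get(USER_ROLE.get(user, ""), set())
    needs = sorted(APP_PRIVILEGES.get(app, {"unknown-app"}))
    AUDIT_LOG.append(f"{'ALLOW' if allowed else 'DENY'} {user} {app} needs={needs}")
    return allowed


def holders_of(privilege: str) -> Set[str]:
    """Answer 'who has the key to this door?' from the policy itself."""
    return {u for u in USER_ROLE if privilege in effective_privileges(u)}


def change_role(user: str, new_role: str) -> Set[str]:
    """A job change touches only the user-to-role mapping, never the apps."""
    USER_ROLE[user] = new_role
    return effective_privileges(user)
```

Because the stable facts (what each application needs) live apart from the volatile ones (who does which job), a job change is a one-line edit and the audit question “who can install software?” is a lookup rather than a desktop-by-desktop survey.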
Of course, the whole topic of administration rights and user privileges is just one aspect of security that a financial services company should be looking at. One of my personal missions is to get companies to start thinking about building more solid security foundations in the first place and to then start applying all the tools needed (least privilege, vulnerability management, firewalls, anti-virus software and so on). But that’s another story. For now, I’ll leave readers with this one thought: privilege management is one area of IT security where companies can make an immediate and positive impact on their risk strategies, for a relatively low investment and effort. For that reason alone, financial institutions need to take heed of recent news and protect themselves.