Counting the cost of insider privilege abuse

Arguably the most notorious insider threat example was that of Edward Snowden. When he was working as a systems administrator for the NSA in 2013, Snowden decided to leak classified details of a government electronic surveillance program.

The cost of this data breach is still being counted but is reckoned to be at least $35 billion as well as causing lasting damage to the reputation of the US authorities. In a 2017 study of more than 235 publicly disclosed breaches the average cost for each lost or stolen record containing sensitive and confidential information was $141. Every breach averaged in excess of 24,000 records in size.

Unauthorised access

Unauthorised access of network accounts by insiders can happen for several reasons. Each one leaves its own distinctive digital trace and with the right systems in place they are relatively easy to spot and mitigate. So why does it keep happening? Well, for one thing insiders tend to be trusted.

>See also: Insider and third-party access rank as the ‘top cyber threats’

Ongoing scrutiny of their network activities is at best a low priority. Other activities such as improving defences against external threats and managing strategic projects take precedence.

The insider with permission

One of the most common privilege abuse scenarios is when an insider uses legitimate permissions for malicious purposes. The recent breach at health insurers Anthem is a case in point.

In July 2017, Anthem’s third-party consulting firm LaunchPoint Ventures reported that twelve months previously one of its employees sent a file containing the personal health records of 18,500 Anthem customers to his personal email.

>See also: Why insider threats are the next big security challenge

Additionally, the employee allegedly committed identity theft and misused non-Anthem data. To protect against this kind of thing IT admins need tools that automatically monitor and record the activity of employees and contractors. Furthermore, everyone should be told their actions are being watched. Often this is all it takes to make sure people stick within their boundaries.

The insider without permission

Another type of insider abuse – one that without the right tools is particularly difficult to detect and investigate – is the unauthorised use of another user’s account. This can happen by design, for example by stealing their credentials, or by mistake.

As an illustration, Jason Needham, an employee at engineering firm Allen & Hoshall, was due to leave to start his own business. Before leaving, he copied the email credentials of a colleague and used them over the next two years to steal marketing proposals and client correspondence. He also took password credentials to the firm’s FTP server, enabling him to download schematics, staff emails, budget plans and other sensitive data. This kind of thing can be prevented through rigorous implementation of a user termination policy.

>See also: Insider threat denial: who is in the driving seat?

The policy should include actions such as immediately disabling the employee’s account, terminating VPN and Remote Desktop access, and changing all shared account passwords.

Human error

Finally there is human error. A recent example occurred at Vanderbilt University Medical Center (VUMC) where two employees were granted access to 3,000 patient medical records that were not needed for their job. Mistakes like this can cause a lot of damage if not caught quickly.

In this instance the unauthorised access continued for 19 months before being discovered during a routine audit of access logs, although VUMC claimed there was no misuse of data during that time the data breach was a violation of compliance standards and the individuals involved were disciplined for their actions.

To keep this from happening security best-practice encourages organisations to enforce what’s called the least-privilege principle. The process ensures all employee access rights are tightly restricted. If VUMC had adhered to the least-privilege principle staff would only be able to access network content that is strictly relevant to their work.

From the evidence presented in Netwrix Corporation’s 2017 IT Risks Report this lack of insight is all too common.

>See also: Insider threat: most security incidents come from the extended enterprise

It is clear from the examples above that IT admins need systems that give them far better awareness of what insiders are doing on the network. Every user on the network leaves traces of their day-to-day activity on the network. All it takes is a system that analyses network data to detect any deviations from standard patterns of behavior and sends the IT team an early warning.

In summary, organisations need to adopt processes that protect them from the risk of costly data breaches arising from trusted insiders’ abuse of privileges. The solution lies partly in IT pros adopting the principle of least-privilege so users can only access parts of the network they need to perform their duties. The other part involves some form of automation to monitor user activity across all levels of IT infrastructure to be able to quickly spot any deviations from the norm.


Sourced by Matt Middleton-Leal, GM, EMEA of Netwrix Corporation

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

Data Breach
Insider Threats