Overprivileged, Well-Meaning, And Dangerous

Nonmalicious insiders add a lot of risk when IT gives them too much access and not enough education

Lets face it: Everybody makes dumb mistakes at work. But these days, employee ignorance about the impact of certain IT technologies, a lack of controls around critical infrastructure and data, and a legion of employees armed with way too many system privileges are drowning enterprises in a potent cocktail of risk factors.
According to security experts, the only way that organizations can reduce the risk of that combination is to be pragmatic. Rather than trying to completely eradicate stupid behavior -- an impossible feat -- enterprises need to find ways to minimize the risk around the mistakes nonmalicious insiders make.
Its not realistic to eliminate the user behavior nor identify all the vulnerabilities or attacks in advance, says Brian Hanrahan, senior systems consultant at Avecto. You have to start from the assumption that any user through willing, or unwilling, involvement may become the nexus of your next infiltration.
Whether its digging spearphishing messages out of the junk mailbox to click infected links, sending out inappropriate email messages on powerful communications systems they shouldnt have access to, or fat-fingering configuration files to bring down broad swaths of IT infrastructure, well-meaning users can wreak plenty of havoc within IT operations. In some cases, purely dumb behavior can directly result in embarrassment to the organization, breached data, or information assurance problems.
[What about malicious insiders? See
5 Lessons From The FBI Insider Threat Program
.]
Mike Murray, managing partner for consulting firm MAD Security, says he has seen his fair share of insider incidents that were more than a little boneheaded. For example, earlier in his career, he came across an incident where an employee accidentally sent pornographic images to an entire 5,000-person organization.
It wasnt an internal attack, but it was definitely stupid, he says. I had another one more recently [where] one of the developers working on one of our systems made a stupid Unix mistake and caused our system to be down for almost a week. Ive seen something like that happen more times than I can even count.
Not only are there direct security ramifications from that class of scatterbrained mistake, but they also can eat up valuable incident response time that could be better used elsewhere.
At the bureau, about 24 percent of our incidents that we track on a yearly basis have to do with just accidental insiders -- people being a knucklehead -- and we do spend about 35 percent of our incident response time [on them], says Patrick Reidy, CISO for the FBI.
Plus, the reputation damage factor cant be underestimated -- particularly when some simple controls could have mitigated the situation. Take, for instance, a recent case in the city of Washington, Pa., where a city councilman used a citywide email emergency system to add the offensively prankish term Brian is gay to a test email sent out to city denizens.
[That] is a great example of why organizations implement approval processes for privileged operations, Hanrahan says. Its important that privileged access is dispensed after review and monitored carefully to detect risky behavior.
However, he says that while lapses in judgments and silly errors can certainly cause harm, nonmalicious insiders pose other more latent risks for organizations. More commonly, these insiders act as an unwitting lever for malicious actors who take advantage of the insiders normal behavior to compromise that users endpoint and take advantage of that insiders wide-reaching access to other systems on the network, Hanrahan says.
The reality is that most attacks result not from boneheaded moves, but normal activity plus privileged access, Hanrahan says. The vulnerabilities used to infiltrate corporate environments today rely on normal user behavior to gain a foothold. Web browsers, media plug-ins, Java exploits, and removable media are the common vectors of introduction.
As he puts it, the name of the game is in effective containment.
Containment requires limiting the resources immediately available to the attacker and thwarting propagation within the organization, both of which are nearly impossible when the attack runs with elevated privileges, he says.
Murray agrees, saying that the reason why phishing and advanced persistent threats succeed is that at most organizations, once the attacker has compromised an employees system inside, that person has free rein in the environment. Murray says that organizations need to address the nonmalicious insider problem by looking more closely at their control architecture.
The key is actually in the control architecture. I still see organizations that take the philosophy of hard external, soft chewy inside when designing their security strategy, he says. The control around assets needs to be close to the assets in order to detect threats from both outside and inside.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Overprivileged, Well-Meaning, And Dangerous