With shutdown, can agencies manage insider threats?
Well, they’ve done it; Congress has shut down the federal government. On the bright side, it means less traffic on the streets and highways for Washington-area workers who do have to go into the office. But managing traffic on networks with a skeleton staff could be more of a challenge, especially if your organization has let the number of accounts with elevated access privileges get out of hand.
The insider threat has received a lot of attention in the wake of leaks of embarrassing information from the State Department and the National Security Agency. Following disclosures of classified information by contractor Edward Snowden, NSA Director Gen. Keith Alexander announced that the agency was reducing the number of its systems administrators by 90 percent from around 1,000. A reasonable move, if maybe a little late. But it raises the question, why did NSA have 1,000 administrators in the first place?
“Everyone in the world has the same problem,” said John Worrall, chief marketing officer for CyberArk, which sells tools to help manage privileged accounts. “It’s not just the NSA.”
Privileged accounts tend to accrete over time. Expanded access is granted and never revoked. People leave and accounts remain. Over time it is not impossible for organizations to find that they have a one-to-one ratio of users to elevated accounts.
“It’s a huge challenge,” said Eric Noonan, chief executive officer of CyberSheath Service International. Often it results from a desire by administrators to be helpful. “A lot of times it is easier to provided elevated access to end users,” to allow them to fix their own problems, he said.
“It creates a multiplicity of accounts you didn’t know you had, and each one becomes an attack vector,” Worrall said.
Any account can be an attack vector, of course, but privileged or administrative accounts create more risk because they give users the ability to make fundamental changes in the configuration of network and enterprise elements. This kind of access is necessary for administrators to keep systems up and running, but they also can abuse the access by opening and closing doors, installing and removing software, accessing and exporting data and then covering up tracks afterwards.
People with these accounts now are being sent home, most likely with their accounts and privileges intact. There will be a skeleton staff on duty at most IT shops to provide support for exempted workers who remain on the job, and a minimum level of staffing is required for security monitoring and incident response. But it will be a tough job for them to monitor and lock down all of the accounts that could be open to abuse.
The solution is to begin managing the proliferation of accounts before there is a crisis. The most direct way to do this is what Noonan calls the brute force method: Eliminate all elevated access, and give the privileges back one at a time only as they are needed. “It’s painful,” he said. “A lot shy away from the problem.” But if the issue becomes serious enough, organizations can be compelled to use brute force.
A more managed way is to first discover all of the accounts and audit them for need. To do this, agencies need a comprehensive policy defining what privileges are to be granted under what conditions. But policy without an enforcement mechanism is meaningless. Controls must be put in place and activity monitored -- not only to enforce policy, but to investigate incidents after the fact. Tools for discovering, monitoring and managing accounts are available (CyberArk is just one vendor; there are others as well).
Access control, like all good security practices, is an ongoing process. If management is confined to discovering and cleaning, it is inevitable that the number of accounts with elevated privileges will creep back up.
This is not much help for anyone babysitting a network with reduced staff now. But it is one more thing for the to-do list when things return to normal.
Posted by William Jackson on Oct 01, 2013 at 1:12 PM