Recent high-profile leaks from the US National Security Agency show that organisations need to look at internal security procedures as well as external threats, warns Matt Middleton-Leal.
The recent US National Security Agency leak has shocked the world, sparking an international debate on cyber spying practices and opening up world powers to new criticisms. The whistleblower behind what has sensationally been described as "one of the most significant leaks in US political history" was revealed as American citizen Edward Snowden, who has caused an outpouring of both outrage and support with his revelations. Yet it strikes me that a key factor in what is fundamentally a monumental data breach has been somewhat overlooked – how Snowden came to be in a position to leak this information in the first place.
The answer lies in the IT roles that Snowden held (former systems engineer and systems administrator for the NSA, and senior advisor for the CIA) and in the privileged user access those roles carried, which enabled him to view and leak the highly sensitive information he was privy to.
Whether you are a Snowden sympathiser or not, the fact remains that the case should provide a stark warning when it comes to the level of access granted to employees. There is also a sense of déjà vu with the NSA breach, as just six months previously intelligence agencies in the US and UK were warned that secret information on counter-terrorism shared by foreign governments may have been stolen by a senior IT technician for Switzerland's intelligence service.
The astonishing level of control and access that Snowden's revelations show he held in his various technical positions is by no means restricted to IT. Privileged accounts and credentials, which include administrative logins, enable a 'super-user' to log on to a corporate network, often anonymously, and take total control, with full access to the most sensitive data. These access points commonly outnumber an organisation's headcount, often by three to four times, and can be found in any device with a microprocessor, including PCs, databases and networked devices such as photocopiers.
While malicious insider breaches are not common, it's important to keep in mind that the insider threat encompasses simple human error and the exploitation of unmanaged, poorly secured or even shared privileged passwords and credentials by external hackers in advanced cyber attacks. Organisations looking to mitigate the risks would be wise to focus on securing from within. Implementing systems to control and monitor privileged account access and activity, with the ability to instantly revoke user privileges if suspicious activity occurs, is now vital.
An effective defence will also ensure that individuals only have access to the information and applications they need. This means that administrators should be able to work without direct access to the systems they support or maintain.
Furthermore, sensitive information should be stored in a secure repository, restricting insiders such as Snowden from viewing and distributing such highly sensitive information.
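The three controls described above (monitoring privileged activity with the ability to revoke access, keeping administrators out of the data they support, and fencing off the sensitive repository) can be expressed as a small policy check over an audit trail. The script below is an added example for this article, not code from the author or from Cyber-Ark: the pipe-delimited audit format, the role names, the policy table, the bulk-read threshold and the sample log lines are all constructed for illustration, and the revoke/review decision is a hypothetical output that a real deployment would wire into its session-control system.

```python
"""
Added example (not from the article or Cyber-Ark): a minimal privileged-access
monitor. It checks each audit event against a least-privilege policy, flags
shared (unattributable) admin logins, detects bulk reads across the log window,
and turns findings into a revoke/review decision per account.
The log format, role names, thresholds and sample lines are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit lines: timestamp|account|role|action|resource|records_touched
SAMPLE_LOG = """\
2013-06-01T09:00:01|jdoe|sysadmin|read|patch-repo|3
2013-06-01T09:02:15|jdoe|sysadmin|read|classified-vault|40
2013-06-01T09:05:00|asmith|analyst|read|hr-db|30
2013-06-01T09:06:00|admin|dba|read|finance-db|20
2013-06-01T09:10:00|mlee|dba|read|finance-db|80
2013-06-01T09:11:00|mlee|dba|read|hr-db|70
"""

# Hypothetical least-privilege policy: each role lists the only resources it may touch.
# The sysadmin role can maintain systems (patch-repo, backup-server) but is
# deliberately not granted the data stores it supports, and nobody here is
# granted the sensitive repository ("classified-vault") at all.
POLICY = {
    "sysadmin": {"patch-repo", "backup-server"},
    "analyst": {"hr-db"},
    "dba": {"hr-db", "finance-db"},
}
SHARED_ACCOUNTS = {"admin", "root"}   # generic logins that cannot be tied to a person
BULK_THRESHOLD = 100                   # records per account per log window before alerting


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    role: str
    action: str
    resource: str
    records: int


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited audit line; raises ValueError on malformed input."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, account, role, action, resource, records = fields
    return Event(ts, account, role, action, resource, int(records))


def analyse(log_text: str) -> dict[str, list[str]]:
    """Return {account: [finding, ...]} for every account with at least one finding."""
    findings: dict[str, list[str]] = defaultdict(list)
    records_per_account: dict[str, int] = defaultdict(int)
    bulk_flagged: set[str] = set()   # report the volume finding once per account

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)

        # 1. Shared/anonymous privileged login: activity cannot be attributed to an individual.
        if ev.account in SHARED_ACCOUNTS:
            findings[ev.account].append(f"shared account used at {ev.ts} on {ev.resource}")

        # 2. Least-privilege violation: the role is not entitled to this resource at all.
        if ev.resource not in POLICY.get(ev.role, set()):
            findings[ev.account].append(
                f"out-of-scope access: role {ev.role} touched {ev.resource} at {ev.ts}")

        # 3. Volume check: accumulate records touched across the whole window.
        records_per_account[ev.account] += ev.records
        if records_per_account[ev.account] > BULK_THRESHOLD and ev.account not in bulk_flagged:
            bulk_flagged.add(ev.account)
            findings[ev.account].append(
                f"bulk read: {records_per_account[ev.account]} records by {ev.ts}")

    return dict(findings)


def decide(findings: dict[str, list[str]]) -> dict[str, str]:
    """Map findings to an action: 'revoke' for scope/bulk violations, 'review' for shared logins."""
    decisions = {}
    for account, reasons in findings.items():
        severe = any(r.startswith(("out-of-scope", "bulk read")) for r in reasons)
        decisions[account] = "revoke" if severe else "review"
    return decisions


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for account, action in decide(found).items():
        print(f"{account}: {action}")
        for reason in found[account]:
            print(f"    - {reason}")
```

On the constructed sample the sysadmin account is flagged for touching the sensitive repository its role never needed, the generic `admin` login is queued for review because its activity cannot be attributed to a person, and the DBA is flagged once its cumulative reads exceed the window threshold. The point of the policy table is the one the article makes: an administrator's entitlement covers the systems they maintain, not the data those systems hold.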
As is often the case, high-profile data breaches also serve a positive purpose, providing a call to action. In this instance, unfettered privileged account access has had serious global repercussions and has dented international trust and relations. While this is a severe example, data breaches of any sort can and do cause significant damage, whether in financial losses or reputational harm.
The NSA leak is a stark reminder of the power of privilege and should be a wake-up call across the board. If a member of your team were responsible for a malicious leak, do you have the tools in place to monitor their activity, identify any suspicious behaviour and intervene? As employees are entrusted with these hugely powerful credentials in each and every organisation, it raises a crucial question for all enterprise decision makers – are you doing enough to secure the 'keys to your kingdom'?
Matt Middleton-Leal is regional director for UK & Ireland with information security company Cyber-Ark (www.cyber-ark.com)