In several previous articles, this blog has focused on the importance of the relationship between privileges and Active Directory group management. The two go hand-in-hand: if groups aren’t properly managed, permissions tend to get out of control. Given the importance of this relationship, let’s examine the current state of what users are able to do with their privileges and how this access may be inappropriate. Such an examination should underscore the fact that your permissions — and therefore, your groups — may need some additional management focus.
The recent release of the Verizon 2016 Data Breach Investigations report gives us an opportunity to dig into the data and review relevant findings concerning insiders and privilege misuse. Here are the top five findings regarding such misuse.
- It’s Mostly Your Employees: Of all the data breaches involving privilege misuse (which included external attackers, partners, insiders, and collusion), 77% of the incidents were simply insiders acting on their own.
- It’s Your Everyday Knowledge Workers: When classifying the roles of those involved in incidents, only 28% of the roles were either in leadership (e.g. executives and management) or in IT. Conversely, this means that 72% were just “regular” staff who have access to data as part of their job function.
- Money is Still a Motivator: The number one reason cited for why these breaches occur (representing 34% of the incidents) is the potential for financial gain. Also, even though they have only a minimal representation in the survey, it’s interesting to note that motivators such as “grudges” and “fun” are both on the rise.
- Privilege Abuse is Rampant: Of the 11 incident categories listed in the report, privilege abuse was overwhelmingly the number one most frequent, with 53% of the incidents. (The next most frequent incident category, data mishandling, represented only 10%.)
- It Takes (Lots of) Time to Detect: With only 31% of incidents being discovered within hours, days, or weeks, it’s evident that detecting these incidents can be difficult. Looking at the flip side of this data, the large majority of incidents (69% to be exact) take months or even years to be detected.
When you think about this data, it just makes sense. Discovering insider privilege abuse can be difficult because this abuse is often being committed by employees you’ve chosen to trust, and because they’re using the privileges that you gave them. (In a previous article, we discussed a strongly related issue: whether Insider Threats are IT’s fault.)
The ramifications of this run deep: If you can’t detect misuse, you need to proactively take steps to ensure that you’ve minimized the privileges users have.
In fact, one of the recommendations from Verizon itself is to “be careful who you give privileges to and to what degree.” Accordingly, ensuring that you have assigned the proper privileges starts with properly managing groups, their permissions, and their memberships.