In a previous blog post, “Privilege Abuse: Threat Alert,” we provided an overview of what privilege abuse is and why this threat is so serious. In today’s post, we will look at the problem from a different angle. We’ll examine four notorious data breaches caused by privileged account abuse to find answers to the following questions: how privilege abuse actually happens, why organizations are vulnerable to this threat pattern and what lessons we can learn from these breaches to strengthen our privileged account security.
Privileged account abuse tops the list of the most dangerous threat patterns. It is relatively easy for insiders to steal sensitive data, but it can take organizations months or even years to detect and investigate such incidents. The damage can be devastating: according to the 2017 IBM Cost of Data Breach Study, organizations lost at least $3.62 million on forensic and investigative activities, remediation, and legal expenditures associated with security incidents in 2016.
Most common scenarios
Whether the threat actor is a disgruntled ex-employee or a staffer looking for financial gain, privilege abuse that leads to security breaches tends to conform to just a few patterns. By analyzing security incidents that made headlines over the past few years, we identified the four most common scenarios of how insiders can actually gain access to sensitive data:
- Privilege escalation — An insider deliberately raises his or her level of access to get more access rights.
- Unauthorized access — An insider gains access to another user’s account, either by stealing it or by mistake.
- Privilege abuse — An insider uses legitimate access to systems and data to perform malicious activities.
- Human mistake — An insider unintentionally or deliberately uses access rights that were granted by mistake or out of negligence.
Scenario #1 – Privilege escalation
Edward Snowden: A whistleblower is on the run after exposing NSA spy program (2013).
Although we hear about plenty of high-profile breaches, none has created more headlines than the National Security Agency (NSA) data leak in 2013. Edward Snowden, a contractor who worked as a systems administrator for the NSA, leaked classified details of a top-secret NSA electronic surveillance program to The Washington Post and The Guardian. The stories about NSA spying on world leaders, foreign governments and U.S. citizens, as well as its attempts to undermine internet security, became public and put the agency at the center of the worst scandal it could have imagined.
The full story of how Snowden could possibly grab 1.7 million highly classified documents, however, may never become public. The most likely version of what actually happened is that the agency had poor visibility into user activity and little awareness of the keys and certificates in the IT environment, so Snowden was able to fabricate digital keys that helped him bypass authentication mechanisms and gave him privileged access to areas way above his clearance. He also reportedly convinced several NSA staffers to provide him with their usernames and passwords under the pretext that he needed them for his job — a practice that can never lead to a good outcome.
Lesson learned:
Organizations need to be able to strictly control access to systems that house confidential information, and to maintain a complete inventory of the keys and certificates in their IT environment.
Scenario #2 – Unauthorized access
Financially motivated ex-staffer walks away with employer’s trade secrets (2013).
Jason Needham worked at engineering firm Allen & Hoshall until 2013, when he decided to set up his own competitive company. But, unbeknownst to Allen & Hoshall, shortly before quitting his job, Needham gained access to credentials of a former colleague — credentials he used over the next two years to steal sensitive data, including schematics, staff emails, budget plans and marketing documents.
Needham admitted that he snooped on his former employer and stole its intellectual property for the sake of his own career development. But exactly how Needham gained access to his colleague’s account is still unknown. There are two possible explanations: either the Allen & Hoshall employee left his credentials in a visible location, or he shared them with Needham.
This case is a perfect illustration of how departing employees can steal your data. Obviously, Allen & Hoshall had no idea of what was going on with their systems, since they couldn’t explain to regulatory bodies how Needham had access to sensitive data for two years after leaving the company.
Lesson learned:
Organizations should compile a thorough user termination checklist and use it whenever an employee quits or is terminated. It should include best practices such as immediately disabling the employee’s account, terminating VPN and Remote Desktop access, and changing all shared account passwords.
Scenario #3 – Privilege misuse
Anthem is at the center of another cyber-security scandal (2017).
In July 2017, just one month after leading U.S. health insurance provider Anthem agreed to settle litigation over the famous hacking incident back in 2015, the company was notifying its clients about a new breach. Anthem’s third-party consulting firm reported that in July 2016, one of its employees sent a file containing the PHI of 18,500 Anthem customers to his personal email. He was also allegedly involved in identity theft activities and misused non-Anthem data as well.
It took almost a year for the contractor to detect and report the breach, so chances are that the scope of this incident is bigger than reported. The investigation is not yet complete: we don’t know how the attack started, what the motives behind it were, or what the employee did with the stolen data. Although the 2017 breach wasn’t directly Anthem’s fault, the company will likely face the same consequences as the contractor, including fees for non-compliance, bad publicity and additional lawsuits from enraged customers.
Lesson learned:
Organizations must implement regular privileged user monitoring. This not only gives you better control over your IT environment, but also deters misbehavior by users who know they’re being watched and leads contractors to keep a closer eye on their employees.
Scenario #4 – Human mistake
A classic tale of malicious workers and excessive permissions (2017).
Although employees are often granted more access privileges than they actually need, we seldom hear about breaches resulting from this over-provisioning. One recent case that made the news occurred at Vanderbilt University Medical Center (VUMC) in 2017, when two employees were accused of inappropriately accessing the medical records of 3,000 patients. Their unauthorized access to PHI continued for 19 months, until it was discovered during a routine audit of access logs, which is a standard procedure for organizations preparing for HIPAA audits.
These employees worked as patient transporters — a position that mainly requires staffers to provide emergency transport services and take care of low-risk patients. However, the audit revealed that the employees had viewed far more information than was necessary to perform their work duties, such as patients’ Social Security numbers and medical record numbers. Therefore, VUMC should really ask itself whether these employees had permissions they didn’t need and how those permissions were granted. In addition, VUMC should look into why it couldn’t detect an insider breach for more than a year.
Lesson learned:
Organizations should strictly enforce the principle of least privilege to minimize the data employees can access, and closely monitor user behavior to detect suspicious actions and patterns.
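As an added illustration of the access-log audit and least-privilege check described in this scenario (example code, not from the original post or from Netwrix), the script below parses constructed EHR access-log lines and flags every field a user viewed that their role does not need; the log format, role names and the per-role policy are assumptions.

```python
"""Audit constructed EHR access-log lines against a per-role least-privilege
policy. Added example; the log format, roles and field names are assumed."""
from collections import defaultdict
import re

# Constructed sample log: timestamp, user, role, patient record id, fields viewed.
SAMPLE_LOG = """\
2017-03-01T08:02:11 user=jdoe role=transporter record=MRN1001 fields=name,room
2017-03-01T08:05:40 user=jdoe role=transporter record=MRN1002 fields=name,ssn,mrn
2017-03-01T08:09:03 user=asmith role=transporter record=MRN1003 fields=name,room,ssn
2017-03-01T09:15:22 user=rlee role=nurse record=MRN1002 fields=name,mrn,diagnosis
2017-03-01T09:20:00 user=jdoe role=transporter record=MRN1004 fields=name,diagnosis
2017-03-01T09:21:00 user=jdoe role=transporter record=MRN1005 fields=name,room
"""

# Assumed least-privilege policy: the fields each role legitimately needs.
ROLE_ALLOWED_FIELDS = {
    "transporter": {"name", "room"},
    "nurse": {"name", "mrn", "room", "diagnosis", "allergies"},
    "billing": {"name", "mrn", "ssn", "insurance"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"record=(?P<record>\S+) fields=(?P<fields>\S+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["fields"] = set(event["fields"].split(","))
            yield event

def audit(text, policy=ROLE_ALLOWED_FIELDS):
    """Return ({user: sorted (record, field) pairs viewed outside the role},
    {user: number of distinct records touched})."""
    violations = defaultdict(set)
    records = defaultdict(set)
    for ev in parse_log(text):
        records[ev["user"]].add(ev["record"])
        allowed = policy.get(ev["role"], set())  # unknown role: nothing allowed
        for field in ev["fields"] - allowed:
            violations[ev["user"]].add((ev["record"], field))
    return ({u: sorted(v) for u, v in violations.items()},
            {u: len(r) for u, r in records.items()})

if __name__ == "__main__":
    bad, counts = audit(SAMPLE_LOG)
    for user, items in bad.items():
        print(f"{user}: {len(items)} out-of-role field views across "
              f"{counts[user]} records -> {items}")
```

In production the policy would come from the HR role catalog and the log from the EHR's audit trail, and the review would run on a schedule rather than only ahead of a HIPAA audit.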
Key Take-Away
All the breaches listed above have one thing in common: the organizations had limited understanding of what was going on with their critical systems and data. The 2017 Netwrix IT Risks Report suggests this problem is all too common. Organizations need to remember one simple rule: treat every user account as a potential threat to data integrity, no matter whether it belongs to an ordinary employee or a super-user with both read and write privileges. To mitigate these threats, IT pros need to ensure that users have only the access permissions they need, and perform user activity monitoring across all critical systems.
Learn more about how you can mitigate the risk of employee data theft in your organization.