BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Securing the Perimeter One Privileged User at a Time

Post by Peter McCalister July 14, 2011

You’ve heard it said before: “To some degree, you just have to trust your employees.”

Ideally, yes. Trust between employee and employer is important, even necessary. But when this statement is made in the context of an employee’s access to a company’s most critical IT assets, the risk that accompanies it is simply too great for any employer to take.

This isn’t to say that employees inherently foster evil intentions when it comes to their company’s critical data. The fact is, good people do bad things – and often those bad things are completely unintentional. After all, one of the most widely quoted data points from the Verizon 2010 Data Breach Investigation Report is that 48% of all data breaches that year involved privilege misuse. Chances are, carelessness, not intent, accounted for a hefty portion of those occurrences.

But the question of whether the privilege misuse that resulted in so many breaches last year was intentional or not does not change the painful end result: critical data was lost or stolen, and companies – and their customers – paid the price. The people and organizations whose responsibility it is to secure the IT infrastructure cannot ignore this fact. This makes it all the more perplexing why so many companies still insist on directing a disproportionate amount of their security budgets to protecting against the external threat at the expense of the internal threat.

A 1000+ person survey was recently conducted by McAfee, with assistance from SAIC and international research firm Vanson Bourrne, that estimates that businesses lost more than $1 trillion in 2008 as a result of data leaks. According to the report, outward-facing security mechanisms primarily intended to prevent malicious hackers, viruses and worms are the most popular methods of protecting sensitive data: anti-virus, firewalls, and intrusion detection/prevention systems. Surveys from the CSI/FBI research team also show that most organizations believe the majority of their security risks are from external threats, yet actual analysis of real breaches shows that internal threats outweigh external ones. And that points directly to – you guessed it – the misuse of privilege.

The good news is, controlling what privileged users can and can’t do is neither an insurmountable task nor one that has to result in employee productivity loss. By providing the necessary guardrails to prevent employees from using their privileges in insecure or nefarious ways, you can confidently maintain a productive workforce while minimizing risk to your organization. And trusting in that will put any security professional’s mind at ease.

Leave a Reply

Additional articles

BI-Qualys-Connector-IMG1

Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
Tags:
, , , , , , , ,
insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,