Just as in the “X-Men” movies, an all-powerful character becomes dangerous when driven by the wrong priorities. When your security administrator decides a situation merits drastic action, you may find yourself in the scene where Magneto moves the Golden Gate Bridge to reach Alcatraz. But unlike the special effects in the movie, your security administrator's actions may be completely invisible to everyone else, because the administrator is the only person who looks at the logs.
Regulations tell you to implement change management procedures, enforce separation of duties, report on all actions of privileged users, and so on. But when cost savings have left a small team to do the job, how can you be sure they did the right thing? When limiting administrator authority and privileges is impractical, a simple alternative is to monitor their activity and make sure everyone involved knows it is monitored. Much as a visible closed-circuit camera keeps people honest, the knowledge that one's actions are recorded and reviewed is a strong deterrent.
Monitoring users isn't only a deterrent against employees doing bad things; it also supports the technical staff. With the right technology behind a privileged-user monitoring program, an administrator can show exactly which controls they implemented and changed, documenting that the work was done. Privileged user monitoring lets executives be confident that their power users aren't manipulating reports or conducting activity detrimental to the company.
In one example, a freight-handling agency processed shipping manifests for many publicly traded companies. The manifests could be used to deduce a company's production volumes and predict its revenue, and therefore its stock price, opening the door to trading on non-public information in violation of Securities and Exchange Commission (SEC) rules. In the company's Sarbanes-Oxley (SOX) compliance project, the agency asked that access to these files be limited to financial staff, but implementing the necessary changes in the storage management and security infrastructure proved impractical.
The technical teams pointed out that they could not meet their Service Level Agreement (SLA) if such changes were made. As an alternative, real-time alerts were configured to notify the data security team whenever systems programmers used their privileges to read confidential data. With this measure and others, the agency met its regulatory requirements and demonstrated to customers that confidential information would be handled appropriately.
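The alerting described above comes down to a small piece of detection logic run over the file-access log. The example below is added here and is not the agency's system: it assumes a simplified, constructed log format (a timestamp followed by key=value fields), a hypothetical list of privileged accounts, one confidential path prefix, and the finance group as the only expected readers of the manifests. Reads by anyone outside that group are flagged, with privileged accounts called out, and denied attempts are reported separately from successful reads.

```python
"""Flag reads of confidential files by anyone outside the authorized group,
calling out privileged accounts. Added illustration only; the log format,
account names, groups and paths are assumptions, not the article's agency."""
from dataclasses import dataclass
import re

# Assumed policy (hypothetical values).
CONFIDENTIAL_PREFIXES = ("/data/manifests/",)      # where the manifests live
READ_ACTIONS = {"open", "read", "copy"}             # actions that expose content
AUTHORIZED_GROUPS = {"finance"}                     # expected readers
PRIVILEGED_USERS = {"root", "sysprog1", "backup"}   # systems programmers etc.

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"user", "group", "action", "path", "result"}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    path: str
    kind: str         # "read": the access succeeded; "attempt": it was denied
    privileged: bool  # user is on the privileged-account list


def parse_line(line):
    """Parse 'TIMESTAMP k=v k=v ...' into a dict, or None if malformed."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    event = dict(KV_RE.findall(parts[1]))
    if not REQUIRED.issubset(event):
        return None
    event["ts"] = parts[0]
    return event


def evaluate(event):
    """Apply the policy to one parsed event; return an Alert or None."""
    if not event["path"].startswith(CONFIDENTIAL_PREFIXES):
        return None                     # not confidential data
    if event["action"] not in READ_ACTIONS:
        return None                     # e.g. stat/chmod: no content exposed
    if event["group"] in AUTHORIZED_GROUPS:
        return None                     # finance staff are expected readers
    kind = "read" if event["result"] == "success" else "attempt"
    return Alert(event["ts"], event["user"], event["path"], kind,
                 event["user"] in PRIVILEGED_USERS)


def scan(log_text):
    """Return (alerts, malformed_line_count) for a whole log."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            malformed += 1              # count, never silently drop
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts, malformed


# Constructed sample log (not real data); one deliberately malformed line.
SAMPLE_LOG = """\
2006-07-11T08:02:13Z user=jdoe group=finance action=open path=/data/manifests/acme-2006-q2.csv result=success
2006-07-11T08:05:41Z user=sysprog1 group=sysprog action=open path=/var/log/messages result=success
2006-07-11T08:07:02Z user=sysprog1 group=sysprog action=open path=/data/manifests/acme-2006-q2.csv result=success
2006-07-11T08:07:05Z user=sysprog1 group=sysprog action=open path=/data/manifests/globex-2006-q2.csv result=denied
2006-07-11T08:09:30Z user=backup group=sysprog action=read path=/data/manifests/ result=success
2006-07-11T08:15:00Z user=mallory group=hr action=copy path=/data/manifests/globex-2006-q2.csv result=success
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        tag = "PRIVILEGED " if a.privileged else ""
        print(f"{a.ts} {tag}{a.kind}: {a.user} -> {a.path}")
    print(f"{bad} malformed line(s) skipped")
```

Two points matter in practice. The group exemption keys on the group recorded by the logging system, so an administrator who can alter their own group membership, or edit the log itself, defeats the rule; the log must be shipped in real time to a system the monitored administrators cannot write to, which is the separation of duties the article mentions. And malformed lines are counted rather than dropped, because a sudden rise in unparseable entries is itself worth an alert.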
Figure 1 charts best practices that organizations can implement to address the privileged-user threat without hindering productivity.
Privileged users are an unavoidable part of running an IT system, and usually they benefit the business. Cost pressures mean one person often holds several roles; the same pressures mean that implementing every control you would like isn't affordable. When business priorities prevent a thorough redesign of the security model, monitoring of log files or real-time alerts can be an effective, low-impact alternative that keeps your privileged users honest and ensures none of that power is abused.