Within your IT department, assuming you have one, somebody has access to everything. All the emails. All the financial systems. All the document stores. All the contracts. All the suppliers details. All the HR records. All the passwords. Do you know who that is? And do you know exactly what access they have? And when did they last use that access? And for what reason? This individual, or individuals are referred too as privileged users and according to CESG (the information assurance arm of GCHQ) they are one of the top 10 cyber risks to your business.
You have seen the movie, where a good guy goes rogue. They had access to privileged information, usually of national importance and through set of circumstances uses this information against their former colleagues to obtain some from of gain – financial or otherwise. Now depending on what side you are on this can be a good thing or a bad, but for the sake of argument we will stick with it being a bad thing to happen. You don’t have to look far for real world examples of this occurring, does the name Edward Snowden mean anything to you? Of course it does, he had access to information and then used it against his former employers. Was his access privileges checked? I’m guessing not.
Sometimes we can be so busy watching others, that you forget to watch the watchers! Are you keeping an eye on your own IT team as to what they are doing? As somebody who used to oversee an IT help desk that supported the technology needs of over 1000 people, I was one of those privileged users. Should I need too I had access to everything, root privileges to all servers, administrator access to all desktops and never once was I ever asked by the senior management for any form of audit as to what I, or any member of the IT Helpdesk team, had access too. Good governance ensured that within the department access was tightly controlled, but that wasn’t always the case. When I took on this role it was quickly obvious that such governance was not in place. This was swiftly resolved. However during this ‘reeling in of access’ a case of misuse was uncovered, that led to a serious staff disciplinary. The perpetrator was compromising privacy of others ‘for fun’ and was unaware of the seriousness of his actions. Thankfully he was not attempting to obtain any form of reward for his actions, just a self appointed badge of honor for his own technical prowess.
At that time that situation was not labelled as a ‘cyber incident’ more a failure due to a historic lack of process, policy and governance. Today that would definitely have cyber written all over it.
To draw up a plan of access, to determine who should be entrusted with the role of privileged user, a company would be well placed to form a small internal audit committee. Comprising a senior member of staff responsible for operations, one from finance, one from HR and one from IT. They can then decide who has access to what based on their roles and responsibilities. They can determine who within the IT department has privileged user status and how that status can be used. For example should root level access to key systems be approved in advance? Or can the IT Manager / Director do this at his discretion, as long as a comprehensive record is kept? Although this may sound onerous, it ensures that even the most privileged of users does not abuse that privilege.
Complementing the internal set of privileged users an additional log of third party contractors, that many companies use, should also be kept. You may have outsourced key elements of your IT infrastructure to a trusted third party in a managed service style arrangement, but do you know what remote access they may have and what process is in place for them to exercise this access?
Monitoring access, checking privileges, processes in place for when privileged users get to utilise their authority all may sound like a dream job for somebody with acute OCD, but it’s not. It’s simple good practise and if put in place, and reviewed on a regular basis, or when staffing situations change then it can ensure that one of the ’10 steps to cyber security’ from CESG has been ticked. Of course that does mean that there is another 9 to go.