CERT-SEI
CERT Insider Threat Blog

Common Sense Guide to Mitigating Insider Threats - Best Practice 10 (of 19)

By CERT Insider Threat Center on 01/23/2013 | Permalink

Hello, this is Marcus Smith, a graduate assistant for the CERT Program, with the tenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The tenth of the 19 best practices follow.

Practice 10: Institute stringent access controls and monitoring policies on privileged users.

This best practice focuses on system administrators and technical or privileged users. These individuals often have the technical ability, access, and oversight-related capabilities necessary to commit and conceal malicious activity. System administrators and privileged users have greater access to systems, networks, or applications than other users, thus posing an increased risk.

According to our research, a majority of insiders who commit sabotage and more than half of those who steal confidential or proprietary information hold technical positions at the victim organizations. Examples of technically sophisticated methods of carrying out and concealing malicious activity have included:

  • creating backdoor accounts
  • installing remote system administration tools
  • modifying system logs

Separating duties and requiring actions by multiple users address the need for stringent access controls and monitoring policies on privileged users. An organization must employ at least two system administrators to enforce separation of duties, which may be difficult for small organizations. A privileged user can be prevented from maliciously altering the system if he or she is not permitted or technically able to release changes to the production environment without action by at least one other user.

Organizations should consider having privileged users sign a privileged user agreement or rules of behavior that outlines what is required of them. In addition, organizations must be especially careful to disable system access to former system administrators and technical or privileged users. Many of the malicious insiders documented in the CERT insider threat database were former employees of the victim organizations.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threat for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 11, Institutionalize system change controls, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Topics: Best Practices , Insider Threat