2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
First, let’s think about why we grant so much access to so many people. The reasons are familiar. Let’s call them the Seven Deadly Sins of User Access Controls:
- Sloth: Over time, we allow employees to accumulate access to numerous servers, databases, and other privileged information, without shutting down old privileges, simply out of benign neglect. We don’t bother to set up rigorous password-expiration regimes, or require employees to use different passwords for different sensitive servers.
- Necessity: Employees may legitimately need broad accesses to get their jobs done. We have no choice but to grant it to them.
- Guilt: If we don’t give access to the team in Oklahoma, but we do give access to the team in Ohio, will we be accused of discrimination? We don’t want the Oklahoman team to think that we don’t trust them as much as Ohioans.
- Hubris: We think our access controls are better than they actually are. And anyway, we’re too smart to spend our days on that kind of thankless drudge work, right?
- Avarice: We give way to the employee who claims she needs access because her rival already has access, or to the empire-building manager who wants her entire team to use that shiny new database.
- Wimpiness: We don’t push back when employees and their managers make passionate or even bullying arguments. We abdicate responsibility.
- Carelessness: We’re under tight deadlines, we’re understaffed, so we don’t take the time or devote the resources to figuring out the taxonomy of the corporate network.
How do we overcome these understandable human traps? In a companion blog post out tomorrow, my colleague Evelyn De Souza will take up the hard work of providing solutions. In the meantime, being aware of these motivations may help us to resist them.