Raytheon Privileged User Abuse FINAL1.docx. › sites › default › files › ...NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused

Privileged User Abuse & The Insider Threat

Ponemon Institute© Research Report

Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014


1

1

Privileged User Abuse & The Insider Threat Ponemon Institute, May 2014

Part 1. Introduction Ponemon Institute is pleased to present the findings of Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company. Ponemon Institute first studied this issue in 2011. Since then well-publicized disclosures of highly sensitive information by wiki leaks and former NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused by privileged users. In fact, 88 percent of participants in this research believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. This finding is virtually unchanged since 2011 when we conducted the first study on the insecurity of privileged users. For purposes of this research, privileged users include database administrators, network engineers, IT security practitioners and cloud custodians. According to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization’s most confidential information out of curiosity. To ensure that the 693 respondents we surveyed have an in-depth knowledge of how their organizations are managing privileged users, we asked them to indicate their level of access to their organizations’ IT networks, enterprise systems, applications and information assets. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents. According to 75 percent of respondents, privileged access rights are required to complete their current job assignment. Of the 25 percent who say they do not need privilege access to do their job but have it anyway cited two primary reasons. First, everyone at their level has privileged access rights for no apparent reason (38 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (36 percent of respondents). Key takeaways from this research: Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). There was a slight decrease in an ad-hoc approach to assigning privileged user access. While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014 in granting user access privilege. The use of manual processes such as by phone or email also increased from 22 percent of respondents in 2011 to 40 percent of respondents in 2014. Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in 2011. Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents).


2

2

Part 2. Key Findings Following is an analysis of the key findings. To understand trends in organizations’ ability to manage privileged user access, we have included questions from the research conducted in 2011. Whenever possible we compare the findings from the 2011 study to this year’s research. We have organized the findings according to the following topics: § Current practices in assigning privilege user access § The detection of insider privilege abuse § Solutions for mitigating the risk § Budgets and investment in reducing the risk of insider threats Current practices in assigning privilege user access Policies for assigning privilege user access to IT resources are often ad hoc. Despite concerns about insider threats caused by privileged users, almost half (49 percent) describe their organization’s policies to assigning privileged user access as ad hoc, as shown in Figure 1. However, there is a slight increase from 2011 in the use of well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). Figure 1. The process for assigning privileged user access to IT resources

2%

16%

31%

51%

1%

15%

35%

49%

0% 10% 20% 30% 40% 50% 60%

Unsure

Determined by well-defined policies that are controlled by business or application owners

Determined by well-defined policies that are centrally controlled by corporate IT

An “ad hoc” process

FY 2014 FY 2011


3

3

While the establishment of policies lags, processes for privileged user access are improving. There is a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014, according to Figure 2. The use of manual processes such as by phone or email also increased from 22 percent of respondents in 2011 to 40 percent of respondents in 2014. The third most widely used process is the IT help desk, which increased from 20 percent to 36 percent. Figure 2. Processes used for granting privileged user access to IT resources Two choices permitted

More organizations are using manual processes such as email and spreadsheets to review and certify privileged user access. As revealed in Figure 3, this has increased from 23 percent to 46 percent and use of commercial off-the-shelf access certification system increased from 31 percent to 44 percent. Figure 3. Processes used to review and certify privileged user access Two choices permitted

6%

1%

16%

20%

22%

35%

5%

0%

17%

36%

40%

57%

0% 10% 20% 30% 40% 50% 60%

Other

Unsure

Homegrown access request systems

IT Help Desk

Manual process

Commercial off-the-shelf automated solutions

FY 2014 FY 2011

9%

3%

16%

18%

31%

23%

7%

8%

10%

17%

44%

46%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

Other

IT Help Desk

Unsure

Homegrown access certification system

Commercial off-the-shelf access certification system

Manual process

FY 2014 FY 2011


4

4

Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. As shown in Figure 4, 51 percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in 2011. Thirty-five percent of respondents say application owners are responsible and this is a decrease from 38 percent in 2011. Only 10 percent say it is the information security department that is responsible for granting access rights. Figure 4. Most responsible for granting privileged-user access to information resources Two choices permitted

Figure 5 reveals that 36 percent of respondents say business unit managers are most responsible for conducting privileged user role certification and this is an increase from 32 percent in 2011. Twenty-four percent of respondents say their IT security department handles role certification. Figure 5. Most responsible for conducting privileged user role certification

6%

11%

16%

25%

38%

40%

43%

7%

10%

17%

21%

35%

40%

51%

0% 10% 20% 30% 40% 50% 60%

Unsure

Information security department

Compliance department

Human resource department

Application owners

Information technology operations

Business unit managers

FY 2014 FY 2011

24%

3%

4%

5%

9%

23%

32%

11%

2%

5%

7%

15%

24%

36%

0% 5% 10% 15% 20% 25% 30% 35% 40%

Other

Quality assurance

Audit

Data center management

Compliance

IT security

Business units

FY 2014 FY 2011


5

5

Critical success factors for governing, managing and controlling privileged user access across the enterprise is consistent from the previous study. Budget continues to be critical as well as identity and access management technologies, SIEM and network intelligence technologies and senior level executive support, as shown in Figure 6. Not considered as critical is the existence of clearly defined privileged user access policies and procedures. This is consistent with the earlier finding that 49 percent of respondents say their policies are ad hoc and not clearly defined. Figure 6. Success factors for governing, managing and controlling privileged user access Very important and important response combined

27%

45%

53%

45%

48%

56%

63%

61%

66%

78%

87%

90%

36%

44%

51%

52%

56%

61%

61%

63%

65%

75%

86%

88%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Audits by an independent third-party

Clearly defined privileged user access policies and procedures

Accountability for governing user access owned by the business

Compliance controls consistently applied across the enterprise

Background checks before granting privileged access rights

Ability to automatically remediate privileged user access policy violations

Monitor access inactivity to determine if access should be revoked

Privileged access rights assigned based on job function

Senior level executive support

SIEM and network intelligence technologies

Identity and access management technologies

Ample budget

FY 2014 FY 2011


6

6

Organizations struggle with delivering and enforcing privileged user access rights. The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent). However, two problems have increased significantly. These are the burdensome process for dealing with business users requesting access (from 23 percent to 35 percent of respondents) and it takes too long to deliver access to privileged users (32 percent to 44 percent), as shown in Figure 7. Figure 7. Main problems faced in delivering and enforcing privileged user access rights Three choices permitted

2%

5%

8%

23%

27%

35%

38%

23%

32%

52%

53%

0%

4%

5%

16%

22%

29%

30%

35%

44%

45%

62%

0% 10% 20% 30% 40% 50% 60% 70%

Other

No common language exists that will work for both IT and the business

Delivery of access to privileged users is staggered

Too much staff required to monitor and control all privileged users

Cannot apply access policy controls at point of change request

Difficult to audit and validate privileged user access changes

Too expensive to monitor and control all privileged users

Burdensome process for business users requesting access

Takes too long to deliver access to privileged users

Lack of a consistent approval process for access and a way to handle exceptions

Cannot keep pace with the number of access change requests that come in

FY 2014 FY 2011


7

7

The detection of insider privilege abuse Concern grows about insider threats. Figure 8 reveals that 89 percent of respondents (58 percent + 31 percent) either say wiki leaks and Edward Snowden have either caused a significant or some increase in the organization’s level of concern about insider threats within their organization. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months. Figure 8. Have recent publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats?

Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. According to Figure 9, the biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). Figure 9. Challenges in establishing whether an event is an insider threat More than one choice permitted

3%

8%

31%

58%

0% 10% 20% 30% 40% 50% 60% 70%

Unable to determine

No impact in our level of concern

Caused some increase in our level of concern

Caused a significant increase in our level of concern

28%

45%

56%

69%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Behavior involved in the incident is consistent with the individual’s role and responsibilities

Security tools yield more data then can be reviewed in a timely fashion

Security tools yield too many false positives

Not enough contextual information provided by security tools


8

8

To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy SIEM and other network intelligence tools (40 percent of respondents), as shown in Figure 10. More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used according to 34 percent and 16 percent of respondents, respectively. Figure 10. What best describes your role in the organization’s IT department? More than one choice permitted

Increasingly, malicious insiders target privileged users to obtain their access rights. In 2011, only 21 percent said it would be likely that malicious insiders would use social engineering or other measures to obtain someone’s access rights. This has increased significantly to 47 percent of respondents. In addition, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights (45 percent in 2014 and 30 percent in 2011). Figure 11. How likely would it be for the following events to occur? Very likely and likely response combined

2%

16%

33%

34%

40%

51%

63%

0% 10% 20% 30% 40% 50% 60% 70%

Other

Utilize big data analytics to identify suspicious insider activities

Deploy next generation security technologies

Endpoint monitoring

Deploy SIEM and/or other network intelligence tools

Conduct manual oversight by supervisors and managers

Monitor and review log files

30%

21%

45%

47%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

Social engineers outside the organization target privileged users to obtain their access rights

Malicious insiders target privileged users to obtain their access rights

FY 2014 FY 2011


9

9

Risks created by the human factor in privilege user access abuse continue. The most common scenarios that create the insider threat have not changed since 2011. Figure 12 reveals that 73 percent say privileged users believe they are empowered to access all the information they can view, 65 percent say privileged users access sensitive or confidential data because of curiosity and 54 percent say the organization assigns privileged access rights that go beyond the individual’s role or responsibility. Figure 12. Likelihood of scenario occurring Very likely and likely response combined

According to Figure 13, two other insider threats that increased are: allowing privileged users working from a home office to have administrative or root level access rights (an increase from 35 percent to 41 percent) and not properly vetting or checking backgrounds prior to receiving access rights. Figure 13. Likelihood of insider threats occurring Very likely and likely response combined

55%

68%

71%

54%

65%

73%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Assigned privileged access rights go beyond the individual’s role or responsibilities

Privileged users access sensitive or confidential data because of their curiosity

Privileged users believe they are empowered to access all the information they can view

FY 2014 FY 2011

16%

28%

34%

35%

15%

27%

38%

41%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Privileged users who leave continue to have access rights for a period of time after their

discharge

Privileged users become disgruntled and leak data or damage equipment

Privileged users are not properly vetted prior to receiving their access rights

Privileged users working from a home office have administrative or root level access rights

FY 2014 FY 2011


10

10

Respondents are less likely to believe that access rights follow privilege users when they leave the company (15 percent of respondents) and that disgruntled employees will leak data or damage equipment (Figure 13). What’s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse to corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents, as shown in Figure 14. Figure 14. Types of data most at risk when there is a lack of proper access controls Two choices permitted

13%

19%

12%

35%

54%

51%

15%

26%

29%

33%

35%

49%

56%

0% 10% 20% 30% 40% 50% 60%

Financial information

Consumer information

Classified information*

Corporate intellectual property

Employee information

Customer information

General business information

* This choice was not available in FY 2011

FY 2014 FY 2011


11

11

According to Figure 15, mobile applications are considered to be most at risk in their organizations due to the lack of proper access governance and control. This is followed by social media applications (which actually declined from 51 percent to 39 percent) and cloud-based applications at 38 percent, an increase from 35 percent in 2011. Figure 15. Type of applications considered most at risk due to the lack of proper access governance and control Three choices permitted

12%

13%

15%

21%

20%

25%

31%

34%

35%

51%

41%

5%

10%

13%

16%

17%

20%

21%

33%

34%

38%

39%

48%

0% 10% 20% 30% 40% 50% 60%

Revenue generating applications

Finance/ERP applications

Supply chain management applications

Productivity applications

CRM applications

Human resource applications

Knowledge applications

Business unit specific applications

Peer-to-peer database*

Cloud-based applications

Social media applications

Mobile applications

* This choice was not available in FY 2011

FY 2014 FY 2011


12

12

Solutions for mitigating the risk Companies rely on training programs. By far, most organizations conduct regular privileged user training programs as part of their efforts to protect the organization from privileged user abuse, as shown in Figure 16. However, most respondents rate the ability of their training programs to reduce the insider threat as only average. Fifty-seven percent say their organization performs background checks before issuance of privileged credentials and 51 percent say they rely on oversight by supervisors and managers. Figure 16. How do you protect your organization from privileged user abuse? More than one choice permitted

The majority of respondents believe they are agile in responding to changes in the insider threat environment. Thirty-four percent of respondents rate their organizations as very high or high in being agile in responding to insider threats. It is interesting that culture is viewed as a serious barrier to being agile followed by dispersed workforce, as shown in Figure 17. Figure 17. The biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment

3%

18%

36%

50%

51%

57%

62%

0% 10% 20% 30% 40% 50% 60% 70%

Other

Review and act upon threat intelligence

Deploy IAM policy monitoring tools

Monitor and review provisioning systems

Conduct manual oversight by supervisors and managers

Perform thorough background checks before issuance of privileged credentials

Conduct regular privileged user training programs

1%

10%

15%

16%

27%

31%

0% 5% 10% 15% 20% 25% 30% 35%

Other

IT infrastructure

Expertise

Cost

Dispersed workforce

Culture


13

13

Authentication and identity management tools are still number one. Seventy-two percent use authentication and identity management tools to manage privileged user access abuse, as shown in Figure 18. Other tools mostly used are log and configuration management (an increase from 56 percent to 64 percent) and user provisioning systems (a decrease from 63 percent to 60 percent). Technologies that have increased significantly in use are privileged user management and SIEM. Figure 18. Twelve enabling security technologies that are currently in use More than one choice permitted

31%

32%

32%

38%

43%

43%

48%

63%

56%

68%

17%

28%

35%

36%

38%

42%

49%

50%

54%

60%

64%

72%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Host-based auditing*

Access review and certification system

Access policy automation

Access policy automation for the cloud

Access request system

Enterprise role lifecycle management

Endpoint monitoring*

Privileged user management

Security information and event management

User provisioning systems

Log and configuration management

Authentication and identity management

* This choice ws not available for FY 2011

FY 2014 FY 2011


14

14

More companies are using technology-based identity and access controls. According to Figure 19, one-third of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in 2011. A combination of technology and manually-based identity and access controls is also used by one-third of organizations represented in this research but actually declined from 36 percent in 2011. Only 9 percent say access to sensitive or confidential information is not really controlled. An indication that this is getting better is that in the last study 13 percent said this was the case. Also, only 7 percent say they are unable to detect sharing of access rights. Figure 19. How does your organization detect the sharing of system administration access rights by privileged users?

12%

6%

13%

13%

20%

36%

6%

7%

9%

12%

33%

33%

0% 5% 10% 15% 20% 25% 30% 35% 40%

Unsure

We are unable to detect sharing of access rights

Access to sensitive or confidential information is not really controlled

Manually-based identity and access controls

Technology-based identity and access controls

A combination of technology and manually-based identity and access controls

FY 2014 FY 2011


15

15

In some areas, companies are getting better at enforcing privilege user access policies. The findings indicate that respondents are more positive about the ability to conduct certain activities. Figure 20 reveals these as: providing evidence of compliance with regulations and industry mandates and enforcing segregation of duties requirements. Fewer respondents believe they are excellent or good at understanding privileged user entitlements that violate policy and enforcing access policies in a consistent fashion across all information resources. Figure 20. How well does your organization ensure privileged user access policies are strictly enforced? Excellent and good response combined

23%

28%

35%

34%

45%

39%

40%

51%

67%

26%

30%

36%

37%

41%

41%

42%

55%

70%

0% 10% 20% 30% 40% 50% 60% 70% 80%

Enforcing access policies in a consistent fashion across all information resources

Understanding privileged user entitlements that violate policy

Understanding privileged user entitlements that are out of scope for a particular role

Monitoring privileged users’ access when entering administrative root level access areas

Changing privileged access rights when an employee’s job changes or they are terminated

Vetting privileged users through background security checks before granting access rights

Assigning access based on job function or responsibilities

Enforcing segregation of duties requirements

Providing evidence of compliance with regulations and industry mandates

FY 2014 FY 2011


16

16

Lack of visibility hinders the ability to determine if users are complying with policies. Figure 21 reveals that 42 percent of respondents are not confident that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. Only 16 percent are very confident that they have this visibility. Figure 21. How confident are you that your organization has enterprise-wide visibility and can determine if these users are compliant with policies?

Reasons for not being confident is the inability to create a unified view of privileged user access across the enterprise and this has increased from 44 percent to 51 percent of respondents in 2014, as shown in Figure 22. Another problem is keeping up with changes occurring in their organization’s IT resources (on-boarding, off-boarding and outsourcing for management), according to 30 percent of respondents. Figure 22. Main reasons for not being confident

16% 18% 22%

42%

2%

15% 15%

23%

45%

2%

0% 5%

10% 15% 20% 25% 30% 35% 40% 45% 50%

Very confident Confident Somewhat confident

Not confident Unsure

FY 2014 FY 2011

12%

15%

29%

44%

9%

10%

30%

51%

0% 10% 20% 30% 40% 50% 60%

Privileged user account information is visible but not entitlement information

Can’t apply controls that need to span across information resources

Can’t keep up with the changes occurring to IT resources

Can’t create a unified view of privileged user access across the enterprise

FY 2014 FY 2011


17

17

Budgets and investment in reducing the risk of insider threats How are companies allocating resources to reduce insider threat? Figure 23 reveals that 40 percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (43 percent) say their organizations do not have one. Fifty-one percent of respondents say they allocate between 5 and 8 percent of their organizations’ overall IT budget to insider threat technology. Figure 23. Is the budget allocated for investment in technologies to reduce the insider threat?

Technologies and personnel receive the most resources to stop insider threats. When asked to allocate their organization’s efforts to reduce the insider threat, 43 percent say it is dedicated to technologies and 38 percent to personnel, according to Figure 24. While organizations rely on training programs (as discussed above), only 11 percent are allocated to training. Figure 24. How does your organization allocate resources to mitigate insider threats?

40%

17%

43%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

It is part of the overall IT budget It is not part of the IT budget No

43%

38%

11% 7%

1% 0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Technologies Personnel Training Governance Other


18

18

New tools to reduce the risk are considered important. When it comes to technology, 41 percent say they are more likely to buy new tools specifically for mitigating insider threats or more likely to make existing tools work (33 percent), as shown in Figure 25. Figure 25. Investing in insider threat mitigation technologies versus making existing tools work

5%

21%

33%

41%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Cannot determine

Equally likely to buy new tools or make existing tools work

More likely to make existing tools work

More likely to buy new tools built specifically for mitigating insider threats


19

19

Part 3. Methods A random sampling frame of 18,821 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians located in the United States were selected as participants to this survey. As shown in Table 1, 779 respondents completed the survey. Screening and failed reliability checks removed 86 surveys. The final sample was 693 surveys (or a 3.7 percent response rate). Table 1. Sample response Freq. Pct%

Total sampling frame 18,821 100.0%

Total returns 779 4.1%

Rejected and screened surveys 86 0.5%

Final sample 693 3.7% Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory levels. Pie Chart 1. What organizational level best describes your current position?

3%

16%

23%

16%

33%

4% 5%

Senior Executive/VP

Director

Manager

Supervisor

Technician

Staff

Contractor


20

20

Pie Chart 2 reports the respondent’s direct reporting channel. Fifty-six percent of respondents report to the CIO and 16 percent report to the CISO. Pie Chart 2. What best describes your direct reporting channel?

As shown in pie chart 3, 66 percent of respondents are from organizations with a worldwide headcount of 1,000 or more employees.

Pie chart 3. Worldwide headcount of the organization

56%

16%

9%

9%

7% 2% 1%

Chief Information Officer

Chief Information Security Officer

Chief Technology Officer

Chief Risk Officer

Compliance Officer

Chief Financial Officer

Chief Security Officer

15%

19%

31%

19%

9%

7%

< 500

500 to 1,000

1,001 to 5,000

5,001 to 25,000

25,001 to 75,000

> 75,000


21

21

Pie Chart 4 reports the industry segments of respondents’ organizations. This chart identifies financial services (18 percent) as the largest segment, followed by state or local government (12 percent) and federal government (11 percent). Pie Chart 4. Industry distribution of respondents’ organizations

Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are privileged users, database administrators, network engineers, IT security practitioners or cloud custodians. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

18%

12%

11%

8% 8% 6%

6%

6%

5%

4%

3% 3%

3% 2% 2% 3%

Financial services State or local government Federal government Health & pharmaceutical Services Consumer Retail Technology & software Industrial Energy & utilities Communications Entertainment & media Hospitality Defense & aerospace Transportation Other


22

22

Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April 2014.

Sample response FY 2014 FY 2011 Sampling frame 18,821 16,579 Total returns 779 622 Rejected & screened surveys 86 64 Final sample 693 558 Response rate 3.7% 3.4% Part 1. Background

Q1. What best describes your level of access to your organization’s IT networks, enterprise systems, applications and information assets? Please select only one choice. FY 2014 FY 2011 Limited (ordinary) end user access rights to IT resources (Stop) 0% 6% Expanded access rights to IT resources, but not overly broad 13% 12% Broad access rights to IT resources 53% 43% Root level access rights to IT resources 34% 33% None of the above (Stop) 0% 6% Total 100% 100% Q2. Have recent well-publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats within your organization FY 2014 Yes, caused a significant increase in our level of concern 58% Yes, caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% Total 100% *Data not available in FY2011 Q3a. Is privileged access required in order for you to complete your current job assignments or functions within the organization? FY 2014 FY 2011 Yes 75% 78% No 25% 22% Total 100% 100% Q3b. If you said no, what is the primary reason you still have privileged access rights? Please select only one choice. FY 2014 FY 2011 I needed privileged access in a previous position and it was not revoked after my role changed 36% 35% Everyone at my level has privileged access even if it is not required to perform a job assignment 38% 41% The organization assigned privileged access rights for no apparent reason 17% 15% I don’t know 9% 9% Total 100% 100% Q4. Do you believe this risk will increase, decrease or stay the same over the next 12 to 24 months? FY 2014 FY 2011 Increase 45% 44% Stay the same 43% 42% Decrease 12% 14% Total 100% 100%


23

23

Q5. What best describes your role in the organization’s IT department or related functions? Please check all that apply. FY 2014 FY 2011 Database administrator 32% 33% Systems administrator 36% 35% Network engineer 24% 21% IT security practitioner 31% 26% IT audit practitioner 11% 12% Data center manager 44% 41% Application developer 19% 15% Cloud custodian 24% 18% Other (please specify) 1% 2% Total 222% 203% Q6. How do you determine if an action taken by an insider is truly a threat? Select all that apply. FY 2014 Monitor and review log files 63% Conduct manual oversight by supervisors and managers 51% Deploy SIEM and/or other network intelligence tools 40% Utilize big data analytics to identify suspicious insider activities 16% Deploy next generation security technologies 33% Endpoint monitoring 34% Other (please specify) 2% Total 239% *Data not available in FY2011 Q7. How do you protect your organization from privileged user abuse? Select all that apply. FY 2014 Perform thorough background checks before issuance of privileged credentials 57% Conduct manual oversight by supervisors and managers 51% Monitor and review provisioning systems 50% Review and act upon threat intelligence 18% Deploy IAM policy monitoring tools 36% Conduct regular privileged user training programs 62% Other (please specify) 3% Total 277% *Data not available in FY2011 Q8. What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat? Select all that apply. FY 2014 Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Behavior involved in the incident is consistent with the individual’s role and responsibilities 28% Security tools yield more data then can be reviewed in a timely fashion 45% Total 198% *Data not available in FY2011


24

24

Q9. Please rate your organization’s level of agility in responding to changes in the insider threat environment? FY 2014 Very high 14% High 20% Moderate 35% Low 22% Very low 9% Total 100% *Data not available in FY2011 Q10. What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment? Select only one. FY 2014 Cost 16% Expertise 15% Culture 31% IT infrastructure 10% Dispersed workforce 27% Other (please specify) 1% Total 100% *Data not available in FY2011 Q11. Using the following 10-point scale, please rate the ability of your training programs to reduce the insider threat risk. 1 = Low to 10 = High FY 2014 1 to 2 15% 3 to 4 31% 5 to 6 30% 7 to 8 16% 9 to 10 8% Total 100% *Data not available in FY2011 Q12. How does your organization allocate resources to mitigate or curtail insider threats? Please allocate 100 points to each category presented below FY 2014 Training 11 Technologies 43 Personnel 38 Governance 7 Other (please specify) 1 Total 100 *Data not available in FY2011 Q13a. Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat? FY 2014 Yes, it is part of the overall IT budget 40% Yes, it is not part of the IT budget 17% No 43% Total 100% *Data not available in FY2011


25

25

Q13b. If part of the overall IT budget, what is the percentage allocated to insider threat technology investments? FY 2014 < 1% 2% 1% to 2% 5% 3% to 4% 8% 5% to 6% 21% 7% to 8% 30% 9% to 10% 15% 11% to 15% 11% 16% to 20% 5% > 20% 3% Total 100% *Data not available in FY2011 Q14. What one statement best describes your organization’s preference for investing in insider threat mitigation technologies versus making existing tools work? FY 2014 We are more likely to buy new tools built specifically for mitigating insider threats 41% We are more likely to make existing tools work 33% We are equally likely to buy new tools or make existing tools work 21% Cannot determine 5% Total 100% *Data not available in FY2011 Part 2. Scenarios: How likely would it be for the following events to occur within your organization? Very likely & likely response combined FY 2014 FY 2011 Q15. The organization assigns privileged access rights that go beyond the individual’s role or responsibilities. 54% 55% Q16. Privileged users are pressured to share their access rights with others in the organization. 40% 41% Q17. Social engineers outside the organization target privileged users to obtain their access rights. 45% 30% Q18. Malicious insiders target privileged users to obtain their access rights. 47% 21% Q19. Privileged users are not properly vetted or have their backgrounds checked prior to receiving their access rights. 38% 34% Q20. Privileged users become disgruntled and leak data or damage equipment. 27% 28% Q21. Privileged users access sensitive or confidential data because of their curiosity. 65% 68% Q22. Privileged users believe they are empowered to access all the information they can view. 73% 71% Q23. Privileged users who leave the organization continue to have access rights for a period of time after their discharge. 15% 16% Q24. Privileged users working from a home office have administrative or root level access rights. 41% 35% Average 45% 41%


26

26

Part 3. Privileged user access governance Q25. Please check all 12 of the enabling security technologies below that are used by your organization. FY 2014 FY 2011 Enterprise role lifecycle management 42% 43% Access request system 38% 38% Access policy automation 35% 32% Access review and certification system 28% 31% Privileged user management 50% 43% Security information and event management (SIEM) 54% 48% Access policy automation for the cloud 36% 32% Log and configuration management 64% 56% User provisioning systems 60% 63% Authentication and identity management 72% 68% Host-based auditing* 17% Endpoint monitoring* 49% Average 45% 45% Q26. What types of data do you consider to be most at risk in your organization due to the lack of proper access controls over privileged users? Top two choices. FY 2014 FY 2011 Customer information 49% 54% Consumer information 26% 19% Employee information 35% 35% Financial information 15% 13% General business information 56% 51% Corporate intellectual property 33% 12% Classified information* 29% Total 35% 184% Q27. What type of applications do you consider to be most at risk in your organization due to the lack of proper access governance and control? Please select the top three. FY 2014 FY 2011 Finance/ERP applications 10% 13% CRM applications 17% 20% Supply chain management applications 13% 15% Revenue generating applications 5% 12% Business unit specific applications 33% 34% Human resource applications 20% 25% Productivity applications 16% 21% Knowledge applications 21% 31% Cloud-based applications 38% 35% Social media applications 39% 51% Peer-to-peer database* 34% Mobile applications 48% 41% Total 294% 298% Q28. What best describes the process for assigning privileged user access to IT resources in your organization today? Please select one best choice. FY 2014 FY 2011 An “ad hoc” process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 35% 31% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% Total 100% 100%


27

27

Q29. Who in your organization is most responsible for granting privileged-user access to information resources? Top two choices. FY 2014 FY 2011 Information technology operations 40% 40% Information security department 10% 11% Compliance department 17% 16% Business unit managers 51% 43% Application owners 35% 38% Human resource department 21% 25% Unsure 7% 6% Total 181% 179% Q30. What processes are used for granting privileged user access to IT resources: Please select the top two. FY 2014 FY 2011 Manual process (i.e. email or phone) 40% 22% Homegrown access request systems 17% 16% Commercial off- the-shelf automated solutions 57% 35% IT Help Desk 36% 20% Unsure 0% 1% Other 5% 6% Total 155% 100% Q31. What processes are used to review and certify privileged user access? Please select the top two. FY 2014 FY 2011 Manual process (i.e. email, spreadsheets) 46% 23% Homegrown access certification system 17% 18% Commercial off-the-shelf access certification system 44% 31% IT Help Desk 8% 3% Unsure 10% 16% Other 7% 9% Total 132% 100% Q32. Who within your organization is most responsible for conducting privileged user role certification? FY 2014 FY 2011 IT security 24% 23% Business units 36% 32% Audit 5% 4% Compliance 15% 9% Quality assurance 2% 3% Data center management 7% 5% Other 11% 24% Total 100% 100% Q33. How does your organization detect the sharing of system administration access rights or root level access rights by privileged users? Please select the top two. FY 2014 FY 2011 Technology-based identity and access controls 33% 20% Manually-based identity and access controls 12% 13% A combination of technology and manually-based identity and access controls 33% 36% Access to sensitive or confidential information is not really controlled 9% 13% We are unable to detect sharing of access rights 7% 6% Unsure 6% 12% Total 100% 100%


28

28

Q34. How well does your organization ensure privileged user access policies for the following tasks are strictly enforced? Combined excellent and good response. FY 2014 FY 2011 Assigning access based on job function or responsibilities 42% 40% Revoking or changing privileged access rights as needed when an employee’s job or function changes or their relationship with the organization is terminated 41% 45% Enforcing access policies in a consistent fashion across all information resources in the organization 26% 23% Monitoring privileged users’ access when entering administrative root level access areas 37% 34% Enforcing segregation of duties requirements 55% 51% Providing evidence of compliance with regulations and industry mandates 70% 67% Understanding privileged user entitlements that are out of scope for a particular role 36% 35% Understanding privileged user entitlements that violate policy 30% 28% Vetting privileged users through background security checks before granting access rights 41% 39% Average 42% 40%

Q35a. How confident are you that your organization has enterprise-wide visibility for privileged user access and can determine if these users are compliant with policies? FY 2014 FY 2011 Very confident 16% 15% Confident 18% 15% Somewhat confident 22% 23% Not confident 42% 45% Unsure 2% 2% Total 100% 100% Q35b. If “not confident,” please select one main reason. FY 2014 FY 2011 We can’t create a unified view of privileged user access across the enterprise 51% 44% We only have visibility into privileged user account information but not entitlement information 9% 12% We can’t apply controls that need to span across information resources 10% 15% We can’t keep up with the changes occurring to our organization’s IT resources (on-boarding, off- boarding and outsourcing for management) 30% 29% Total 100% 100% Q36. What are the critical success factors for governing, managing and controlling privileged user access across the enterprise? Very important and important response combined. FY 2014 FY 2011 Senior level executive support 65% 66% Ample budget 88% 90% Identity and access management technologies 86% 87% SIEM and network intelligence technologies 75% 78% Clearly defined privileged user access policies and procedures 44% 45% Accountability for governing user access owned by the business 51% 53% Privileged access rights assigned based on job function and responsibilities 63% 61% Compliance controls consistently applied across the enterprise 52% 45% Ability to automatically remediate privileged user access policy violations 61% 56% Monitor access inactivity to determine if access should be revoked 61% 63% Audits by an independent third-party 36% 27% Background checks before granting privileged access rights 56% 48% Average 62% 60%


29

29

Q37. What are the main problems your organization faces in delivering and enforcing privileged user access rights? Please select only your top three choices. FY 2014 FY 2011 Takes too long to deliver access to privileged users (not meeting our SLAs with the business) 44% 32% Too expensive to monitor and control all privileged users 30% 38% Too much staff required to monitor and control all privileged users 16% 23% Cannot apply access policy controls at point of change request 22% 27% Delivery of access to privileged users is staggered (not delivered at the same time) 5% 8% Cannot keep pace with the number of access change requests that come in on a regular basis 62% 53% Lack of a consistent approval process for access and a way to handle exceptions 45% 52% Difficult to audit and validate privileged user access changes 29% 35% Burdensome process for business users requesting access 35% 23% No common language exists for how access is requested that will work for both IT and the business 4% 5% Other (please specify) 0% 2% Total 292% 298% Part 4. More scenarios. In your opinion, how will each of the following situations affect your organization’s access governance process, especially concerning privileged users? Please use the scale from very significant impact to no affect. FY 2014 FY 2011 Q38. Increasing number of regulations or industry mandates 62% 60% Q39. Adoption of cloud-based applications enables the business or end-users to circumvent existing access policies 71% 65% Q40. Outsourcing of applications and data for management 36% 45% Q41. The constant turnover (ebb and flow) of employees, contractors, consultants and partners 41% 43% Q42. Availability of SIEM and other network intelligence technologies 56% 57% Q43. Constant changes to the organization as a result of corporate reorganizations, downsizing and financial distress 27% 32% Q44. Adoption of virtualization technologies 48% 56% Q45. Expanded use of mobile devices in the workplace 76% 48% Q46. Change in the nature and scope of cyber crime 71% 65% Q47. The level of risk caused by privileged users abuse or misuse of IT resources 26% 19% Average 51% 49% Part 5. Your role D1. What organizational level best describes your current position? FY 2014 Senior Executive/VP 3% Director 16% Manager 23% Supervisor 16% Technician 33% Staff 4% Contractor 5% Other 0% Total 100%


30

30

D2. Check the Primary Person you or your IT security leader reports to within the organization. FY 2014 CEO/Executive Committee 0% Chief Financial Officer 2% General Counsel 0% Chief Information Officer 56% Chief Technology Officer 9% Compliance Officer 7% Human Resources VP 0% Chief Security Officer 1% Chief Information Security Officer 16% Chief Risk Officer 9% Other 0% Total 100% D3. What is the worldwide headcount of your organization? FY 2014 < 500 15% 500 to 1,000 19% 1,001 to 5,000 31% 5,001 to 25,000 19% 25,001 to 75,000 9% > 75,000 7% Total 100% D4. What industry best describes your organization’s industry focus? FY 2014 Agriculture & food services 0% Communications 3% Consumer 6% Defense & aerospace 2% Education & research 1% Energy & utilities 4% Entertainment & media 3% Federal government 11% Financial services 18% Health & pharmaceutical 8% Hospitality 3% Industrial 5% Retail 6% Services 8% State or local government 12% Technology & software 6% Transportation 2% Other 2% Total 100%


31

31

About Raytheon Raytheon Company, with 2013 sales of $24 billion and 63,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 92 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems, as well as cyber security and a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at www.raytheon.com and follow us on Twitter @Raytheon.

Ponemon Institute Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

Documents

Raytheon Privileged User Abuse FINAL1.docx. › sites › default › files › ...NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused