Trust, Risk, and Mooncakes: A Privileged User Case Study
By Dan Velez, Senior Manager of Insider Threat Operations
Recently I saw a story about Alibaba firing some of its employees after they “hacked into the internal sales system” to order more than their fair share of some highly-prized mooncakes made available only to employees.
It would appear that an internal user threat monitoring program exists within Alibaba, because one of the employees was allegedly asked to leave a scant two hours after the fraudulent activity was discovered. News of these swift dismissals is being debated online, and not everyone agrees the punishment fits the transgressions.
The employees worked in the cybersecurity department. If a group of users in Alibaba’s human resources department, rather than cybersecurity, had figured out how to trick the internal sales system into letting them order dozens of mooncakes through fraudulent means, would we have heard about this story? I doubt it; this story matters because it involves privileged users.
Employees in the cybersecurity department likely have the greatest understanding of the strengths and weaknesses of any information enterprise. It’s fair to assume that some of the Alibaba employees mentioned might have configured and maintained the underlying systems that enforce the required security controls. According to NIST, a privileged user is a user who is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Alibaba’s privileged users appear to have betrayed that trust; Wang Shuai, Alibaba’s top PR official, said the actions taken stand to remind employees that “everything has a bottom line.”
In Carnegie Mellon’s Common Sense Guide to Mitigating Insider Threats, Best Practice 10 suggests organizations should “institute stringent access controls and monitoring policies on privileged users,” since privileged users pose a greater risk to organizations due to the elevated access they have to information systems and the data they contain. In our 2016 Study on the Insecurity of Privileged Users, more than 33 percent of commercial and federal IT practitioners said privileged users are not properly vetted — or don’t even have their backgrounds checked — prior to receiving access rights. The US Marine Corps reiterates this approach, emphatically stating in a Policy Letter that organizations must “thoroughly vet each privileged user to determine if this [user] should be placed in such a high position of trust…”
I’d argue privileged users also warrant a higher standard of professional conduct in exercising their responsibilities. Let’s put this another way: would you want one of these cybersecurity experts managing the cloud security systems that protect your data, information systems, and intellectual property? Though “everything has a bottom line”, circumstances determine where that line is drawn and how high or low it may be; this applies especially to privileged users.
The fact that members of the cybersecurity department were unaware of Alibaba’s monitoring of the internal sales system is also consistent with our 2016 Survey finding that information security departments are rarely responsible for insider threat programs. What problems might exist there if the same individuals also ran the auditing and monitoring program?
Privileged users: select them carefully, require they maintain a high standard of professional conduct, and monitor their activity.