They’re necessary to your organization but they can be a threat too. They are your privileged users. This article reviews what a privileged user is, what threats can occur and how to mitigate the risks.

What is a privileged user?

Before an organization can address privileged user insider threats and implement the right monitoring and mitigation best practices, it must first define what a privileged user is. Typically, it’s an employee with the authority to access sensitive company data. Often they have the approval to execute administrative tasks on the organization’s network. Companies need privileged users to handle source code, maintain file systems and implement network upgrades or address other technical changes.

Most privileged users will maintain the integrity of their organization’s assets. However, they can easily bypass controls that would normally restrict them, which leaves those assets vulnerable. In addition, there’s occasional abuse of the temporary access privileges needed to perform tasks. There are two ways to determine a privileged user’s access:

  1. Consider what the user can access physically
  2. Consider what the user can access digitally with their credentials

With greater access and fewer controls come increased security challenges. When an organization lacks a good security program or doesn’t consistently enforce it, intellectual property, such as sensitive product data or employee information, is left vulnerable to privileged user threats.

In fact, the Association of Certified Fraud Examiners (ACFE) reports that the average company loses 5% of its revenue each year to employee fraud. Frequently, it’s committed by those in an organization’s IT department, since they have technical knowledge that other employees lack. However, it’s important to remember that the offender might not always be a privileged user. It could be someone outside the organization who obtained an IT employee’s credentials through phishing.

What is a privileged user threat?

The Ponemon Institute report “Privileged User Abuse & The Insider Threat” found that most organizations have difficulty identifying credible threats related to insider behavior. Among them, 69% revealed that they’d be unable to identify such a threat prior to a breach. In addition, the report found that 42% of respondents were not confident they could tell whether their privileged users were complying with policy, and only 16% were very confident in these areas.

Some red flags of a privileged user threat can be subtle. Others are more obvious. Here are a few examples:

  • Attempting to access an area that isn’t approved for entry.
  • Using credentials in a way they are not normally used (e.g. a network logon).
  • Taking advantage of permission creep, which usually occurs among transferred and former employees.

So how can an organization protect itself? Determine the context and intent of the privileged user by monitoring human behavior. Monitoring can be achieved through a defense-in-depth approach by implementing the right policies, controls and technologies. If security monitoring is in place and enforced consistently, the enterprise will know quickly if there is an incident that requires action.

Implement best practices to reduce risk

Once privileged users have been defined and the potential threat signatures for the environment have been identified, you should implement controls, policies and technologies that reduce risk. Consider the following:

  1. Limit privileged user accounts within the company to only those who need them for their positions, including shared privileged user accounts and local administrator rights. This step requires regular monitoring to track the nature of the authentication attempts.
  2. Have key personnel approve all permissions. Ideally, approval should come from someone in the chain of command of the employee requesting access (e.g. a direct supervisor). Formally document the request for access in the ticketing system. Submission of the access request, together with the business justification for the access, should be mandatory.
  3. Give employees a clear blueprint that guides them through the security process, so there is no room for misunderstanding or abuse. The process should include: a) communicating and enforcing strict account management and password policies, and b) ensuring they properly log out of privileged user accounts after completing each task and only access areas relevant to their work. Surprisingly, the Ponemon report also found that 65% of respondents had looked into sensitive or confidential data out of curiosity rather than job need. In addition, all employees, whether privileged users or not, should be trained and regularly reminded to avoid forwarding sensitive data to personal e-mail.
  4. Invest in the right technologies to protect your organization and take a multi-layered approach. A single technology won’t protect your organization fully. Consider implementing some of the following: Privileged Account Management (PAM), which enables the enterprise to control the use of privileged shared accounts such as root/Administrator accounts. PAM permits granular, context-driven, or time-limited superuser privileges. It also monitors shared account use and superuser privileges in greater detail. A Security Information and Event Management (SIEM) system, if configured and monitored properly, can alert the organization to unauthorized data access. It can baseline behavior and log deviations (e.g. accessing an area that the privileged user hasn’t accessed in the past). Bear in mind that SIEM won’t prevent an actual breach, though. A data governance solution can determine a user’s current access rights and, while enforcing least privilege, make intelligent recommendations about what the user’s actual access should be. Data governance solutions can also analyze file system permissions and make additional intelligent recommendations to remove access to file resources when the users and groups currently defined as having access are not using them.
  5. Enlist human resources to support your efforts. Steps can be taken to enhance privileged user access security. They include non-disclosure agreements, non-compete agreements and background checks. The report cited above found that 57% of respondents said background checks were not performed before privileged account credentials were issued. Proactively performing these checks can easily reduce the threat landscape and serves the dual purpose of complying with Payment Card Industry Data Security Standard (PCI-DSS), Federal Information Security Management Act (FISMA) and Sarbanes-Oxley (SOX) regulations. Taken a step further, a more thorough interview process with job candidates (i.e. actually calling references, asking more specific questions, etc.) can further reduce potential threats.
  6. Take immediate action on privileged user insider incidents. When an individual is identified, an incident tracking ticket should be opened with the relevant information (applicable logs, for example). It should be assigned to the help desk or the security team to investigate further. It may even turn out that someone other than the privileged user gained access to his or her login credentials through hacking techniques.
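
The SIEM baselining described in item 4, and the “credentials used in an unusual way” and “area never accessed before” red flags listed earlier, can be reduced to a simple learn-then-compare check. The following is an added example, not code from the original article or from any SIEM product; the event format, account names and resource names are constructed for the illustration.

```python
# Added example: baseline-and-deviation check for privileged accounts.
# Event format is constructed for this illustration; a real SIEM would
# feed normalised authentication and access events instead.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, account, resource, logon type.
EVENTS = [
    "2023-01-03T08:02:11,admin_jlee,FS-HR,interactive",
    "2023-01-04T09:15:40,admin_jlee,FS-HR,interactive",
    "2023-01-05T10:01:02,admin_jlee,DB-PAYROLL,interactive",
    "2023-01-10T08:30:00,admin_jlee,FS-HR,interactive",
    "2023-01-12T08:44:19,admin_jlee,FS-HR,interactive",
    # Review window: two deviations from the learned baseline, one normal event.
    "2023-02-02T23:12:07,admin_jlee,FS-HR,network",         # unusual logon type
    "2023-02-03T02:40:55,admin_jlee,SRC-REPO,interactive",  # never-seen resource
    "2023-02-04T09:00:00,admin_jlee,FS-HR,interactive",     # matches baseline
]
BASELINE_END = datetime(2023, 2, 1)  # events before this date train the baseline

def parse(line):
    ts, account, resource, logon = line.split(",")
    return datetime.fromisoformat(ts), account, resource, logon

def build_baseline(events, until):
    """Resources and logon types each account used before `until`."""
    seen = defaultdict(lambda: {"resources": set(), "logon_types": set()})
    for ts, account, resource, logon in map(parse, events):
        if ts < until:
            seen[account]["resources"].add(resource)
            seen[account]["logon_types"].add(logon)
    return seen

def find_deviations(events, until):
    """(timestamp, account, reason) for post-baseline events that deviate."""
    baseline = build_baseline(events, until)
    alerts = []
    for ts, account, resource, logon in map(parse, events):
        if ts < until:
            continue
        profile = baseline.get(account)
        if profile is None:  # an account with no history at all is itself notable
            alerts.append((ts, account, "no baseline for account"))
            continue
        if resource not in profile["resources"]:
            alerts.append((ts, account, f"first access to {resource}"))
        if logon not in profile["logon_types"]:
            alerts.append((ts, account, f"unusual logon type {logon}"))
    return alerts
```

As the article notes, this only surfaces the deviation for investigation; it does not stop the access.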

Although most organizations have policies and procedures in place, many don’t adhere to them on a regular basis. At a minimum, there should be a yearly review of privileged user access. The review can determine whether access was granted to users who don’t need it, and whether access should be revoked because of misuse or a change in job role.
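
The yearly review above, together with the permission creep among transferred and former employees mentioned earlier, can be partly automated by cross-checking privileged group membership against the HR roster and a role-to-entitlement matrix. This is an added example, not the article’s or any vendor’s code; the roster, group names and role mapping are constructed.

```python
# Added example: yearly privileged-access review that cross-checks privileged
# group membership against an HR roster and a role-to-entitlement matrix.
# All data is constructed; real input would come from HR and directory exports.

# Constructed HR roster: account -> (employment status, current role).
ROSTER = {
    "admin_jlee":  ("active", "sysadmin"),
    "admin_mroy":  ("active", "helpdesk"),      # transferred out of the sysadmin role
    "admin_tchen": ("terminated", "sysadmin"),  # former employee
    "admin_akim":  ("active", "dba"),
}

# Constructed privileged group membership from a directory export.
GROUP_MEMBERS = {
    "Domain Admins": ["admin_jlee", "admin_mroy", "admin_tchen"],
    "DB Admins":     ["admin_akim", "admin_jlee"],
}

# Which roles legitimately require each privileged group (least privilege).
ROLE_ENTITLEMENTS = {
    "sysadmin": {"Domain Admins"},
    "dba":      {"DB Admins"},
    "helpdesk": set(),
}

def review_access(roster, group_members, role_entitlements):
    """Return (account, group, reason) for memberships that should be revoked:
    former or unknown accounts, or roles that no longer need the group."""
    findings = []
    for group, members in group_members.items():
        for account in members:
            if account not in roster:
                findings.append((account, group, "account not on HR roster"))
                continue
            status, role = roster[account]
            if status != "active":
                findings.append((account, group, f"employee status is {status}"))
            elif group not in role_entitlements.get(role, set()):
                findings.append((account, group, f"not required for role {role}"))
    return sorted(findings)
```

Each finding is a revocation candidate for the access owner to confirm, not an automatic removal.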

Underestimated technology & process ROI

Several technologies and processes that can reduce privileged insider threats were highlighted above. However, many organizations don’t assign value to such technologies and processes. Unfortunately, fewer than half have a budget dedicated to technologies that reduce such threats. Frequently, management doesn’t even see the value of keeping privileges tightly controlled, and the current security architecture may not address these safeguards.

In addition, some organizations with an Internet presence choose to buy cyber insurance in case of a threat. However, insurers rarely hold these organizations accountable for implementing technologies and processes to prevent public harm or other breaches. Many simply don’t view it as important enough to enforce or implement.

It drives home the point that complacency leads to problems. Although technology can’t solve all problems or mitigate all threats, it can greatly reduce many of them, particularly if the technology is implemented thoughtfully and monitored consistently.

Conclusion

As a starting point, conducting a risk assessment is strongly encouraged for all organizations. The risk assessment will help to ascertain privileged user insider threats, as well as give a clearer picture of what controls are missing or policies need to be refined.

Once that is complete, you’ll be better equipped to create a security plan that covers all areas (people, process and technology). Develop the plan accordingly and seek management’s support. Then implement the appropriate technologies and processes if they reduce the risk to a level the organization can accept.

We’d all like to think that our employees would never compromise our organization’s security, but it does happen. And even if your privileged users access the network with integrity, there are others out there just waiting and hoping that your privileged users will slip up, so they can slip in.