Privileged User Abuse & The Insider Threat

Transcription

1 Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014

2 1 Privileged User Abuse & The Insider Threat Ponemon Institute, May 2014 Part 1. Introduction Ponemon Institute is pleased to present the findings of Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company. Ponemon Institute first studied this issue in Since then well-publicized disclosures of highly sensitive information by wiki leaks and former NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused by privileged users. In fact, 88 percent of participants in this research believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. This finding is virtually unchanged since 2011 when we conducted the first study on the insecurity of privileged users. For purposes of this research, privileged users include database administrators, network engineers, IT security practitioners and cloud custodians. According to the findings of this study, these individuals often use their rights inappropriately and put their organizations sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization s most confidential information out of curiosity. To ensure that the 693 respondents we surveyed have an in-depth knowledge of how their organizations are managing privileged users, we asked them to indicate their level of access to their organizations IT networks, enterprise systems, applications and information assets. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents. According to 75 percent of respondents, privileged access rights are required to complete their current job assignment. Of the 25 percent who say they do not need privilege access to do their job but have it anyway cited two primary reasons. First, everyone at their level has privileged access rights for no apparent reason (38 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (36 percent of respondents). Key takeaways from this research: Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). There was a slight decrease in an ad-hoc approach to assigning privileged user access. While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014 in granting user access privilege. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). 1

3 2 Part 2. Key Findings Following is an analysis of the key findings. To understand trends in organizations ability to manage privileged user access, we have included questions from the research conducted in Whenever possible we compare the findings from the 2011 study to this year s research. We have organized the findings according to the following topics: Current practices in assigning privilege user access The detection of insider privilege abuse Solutions for mitigating the risk Budgets and investment in reducing the risk of insider threats Current practices in assigning privilege user access Policies for assigning privilege user access to IT resources are often ad hoc. Despite concerns about insider threats caused by privileged users, almost half (49 percent) describe their organization s policies to assigning privileged user access as ad hoc, as shown in Figure 1. However, there is a slight increase from 2011 in the use of well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). Figure 1. The process for assigning privileged user access to IT resources An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 31% 35% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% 0% 10% 20% 30% 40% 50% 60% 2

4 3 While the establishment of policies lags, processes for privileged user access are improving. There is a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014, according to Figure 2. The use of manual processes such as by phone or also increased from 22 percent of respondents in 2011 to 40 percent of respondents in The third most widely used process is the IT help desk, which increased from 20 percent to 36 percent. Figure 2. Processes used for granting privileged user access to IT resources Two choices permitted Commercial off-the-shelf automated solutions Manual process IT Help Desk Homegrown access request systems Unsure Other 0% 1% 5% 6% 22% 20% 17% 16% 35% 36% 40% 57% 0% 10% 20% 30% 40% 50% 60% More organizations are using manual processes such as and spreadsheets to review and certify privileged user access. As revealed in Figure 3, this has increased from 23 percent to 46 percent and use of commercial off-the-shelf access certification system increased from 31 percent to 44 percent. Figure 3. Processes used to review and certify privileged user access Two choices permitted Manual process Commercial off-the-shelf access certification system Homegrown access certification system Unsure IT Help Desk Other 3% 10% 8% 7% 9% 17% 18% 16% 23% 31% 46% 44% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 3

5 4 Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. As shown in Figure 4, 51 percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in Thirty-five percent of respondents say application owners are responsible and this is a decrease from 38 percent in Only 10 percent say it is the information security department that is responsible for granting access rights. Figure 4. Most responsible for granting privileged-user access to information resources Two choices permitted Business unit managers Information technology operations Application owners Human resource department Compliance department Information security department Unsure 10% 11% 7% 6% 21% 25% 17% 16% 43% 40% 40% 35% 38% 51% 0% 10% 20% 30% 40% 50% 60% Figure 5 reveals that 36 percent of respondents say business unit managers are most responsible for conducting privileged user role certification and this is an increase from 32 percent in Twenty-four percent of respondents say their IT security department handles role certification. Figure 5. Most responsible for conducting privileged user role certification Business units IT security Compliance Data center management Audit Quality assurance Other 9% 7% 5% 5% 4% 2% 3% 11% 15% 24% 23% 24% 32% 36% 0% 5% 10% 15% 20% 25% 30% 35% 40% 4

6 5 Critical success factors for governing, managing and controlling privileged user access across the enterprise is consistent from the previous study. Budget continues to be critical as well as identity and access management technologies, SIEM and network intelligence technologies and senior level executive support, as shown in Figure 6. Not considered as critical is the existence of clearly defined privileged user access policies and procedures. This is consistent with the earlier finding that 49 percent of respondents say their policies are ad hoc and not clearly defined. Figure 6. Success factors for governing, managing and controlling privileged user access Very important and important response combined Ample budget Identity and access management technologies SIEM and network intelligence technologies 88% 90% 86% 87% 75% 78% Senior level executive support Privileged access rights assigned based on job function Monitor access inactivity to determine if access should be revoked Ability to automatically remediate privileged user access policy violations Background checks before granting privileged access rights Compliance controls consistently applied across the enterprise Accountability for governing user access owned by the business Clearly defined privileged user access policies and procedures Audits by an independent third-party 65% 66% 63% 61% 61% 63% 61% 56% 56% 48% 52% 45% 51% 53% 44% 45% 36% 27% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 5

7 6 Organizations struggle with delivering and enforcing privileged user access rights. The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent). However, two problems have increased significantly. These are the burdensome process for dealing with business users requesting access (from 23 percent to 35 percent of respondents) and it takes too long to deliver access to privileged users (32 percent to 44 percent), as shown in Figure 7. Figure 7. Main problems faced in delivering and enforcing privileged user access rights Three choices permitted Cannot keep pace with the number of access change requests that come in Lack of a consistent approval process for access and a way to handle exceptions 53% 45% 52% 62% Takes too long to deliver access to privileged users 32% 44% Burdensome process for business users requesting access 23% 35% Too expensive to monitor and control all privileged users 30% 38% Difficult to audit and validate privileged user access changes Cannot apply access policy controls at point of change request Too much staff required to monitor and control all privileged users 29% 35% 22% 27% 16% 23% Delivery of access to privileged users is staggered No common language exists that will work for both IT and the business Other 5% 8% 4% 5% 0% 2% 0% 10% 20% 30% 40% 50% 60% 70% 6

8 7 The detection of insider privilege abuse Concern grows about insider threats. Figure 8 reveals that 89 percent of respondents (58 percent + 31 percent) either say wiki leaks and Edward Snowden have either caused a significant or some increase in the organization s level of concern about insider threats within their organization. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months. Figure 8. Have recent publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats? Caused a significant increase in our level of concern 58% Caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% 0% 10% 20% 30% 40% 50% 60% 70% Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. According to Figure 9, the biggest challenges are having enough contextual information provided by security tools (69 percent of respondents) and security tools yield too many false positives (56 percent of respondents). Figure 9. Challenges in establishing whether an event is an insider threat More than one choice permitted Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Security tools yield more data then can be reviewed in a timely fashion 45% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% 0% 10% 20% 30% 40% 50% 60% 70% 80% 7

9 8 To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy SIEM and other network intelligence tools (40 percent of respondents), as shown in Figure 10. More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used according to 34 percent and 16 percent of respondents, respectively. Figure 10. What best describes your role in the organization s IT department? More than one choice permitted Monitor and review log files 63% Conduct manual oversight by supervisors and managers Deploy SIEM and/or other network intelligence tools 40% 51% Endpoint monitoring Deploy next generation security technologies 34% 33% Utilize big data analytics to identify suspicious insider activities 16% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% Increasingly, malicious insiders target privileged users to obtain their access rights. In 2011, only 21 percent said it would be likely that malicious insiders would use social engineering or other measures to obtain someone s access rights. This has increased significantly to 47 percent of respondents. In addition, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights (45 percent in 2014 and 30 percent in 2011). Figure 11. How likely would it be for the following events to occur? Very likely and likely response combined Malicious insiders target privileged users to obtain their access rights 21% 47% Social engineers outside the organization target privileged users to obtain their access rights 30% 45% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% 8

10 9 Risks created by the human factor in privilege user access abuse continue. The most common scenarios that create the insider threat have not changed since Figure 12 reveals that 73 percent say privileged users believe they are empowered to access all the information they can view, 65 percent say privileged users access sensitive or confidential data because of curiosity and 54 percent say the organization assigns privileged access rights that go beyond the individual s role or responsibility. Figure 12. Likelihood of scenario occurring Very likely and likely response combined Privileged users believe they are empowered to access all the information they can view 73% 71% Privileged users access sensitive or confidential data because of their curiosity 65% 68% Assigned privileged access rights go beyond the individual s role or responsibilities 54% 55% According to Figure 13, two other insider threats that increased are: allowing privileged users working from a home office to have administrative or root level access rights (an increase from 35 percent to 41 percent) and not properly vetting or checking backgrounds prior to receiving access rights. Figure 13. Likelihood of insider threats occurring Very likely and likely response combined 0% 10% 20% 30% 40% 50% 60% 70% 80% Privileged users working from a home office have administrative or root level access rights 35% 41% Privileged users are not properly vetted prior to receiving their access rights 34% 38% Privileged users become disgruntled and leak data or damage equipment 27% 28% Privileged users who leave continue to have access rights for a period of time after their discharge 15% 16% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 9

11 10 Respondents are less likely to believe that access rights follow privilege users when they leave the company (15 percent of respondents) and that disgruntled employees will leak data or damage equipment (Figure 13). What s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse to corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents, as shown in Figure 14. Figure 14. Types of data most at risk when there is a lack of proper access controls Two choices permitted General business information Customer information Employee information Corporate intellectual property Classified information* Consumer information Financial information 12% 19% 15% 13% 35% 35% 33% 29% 26% 56% 51% 49% 54% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY

12 11 According to Figure 15, mobile applications are considered to be most at risk in their organizations due to the lack of proper access governance and control. This is followed by social media applications (which actually declined from 51 percent to 39 percent) and cloud-based applications at 38 percent, an increase from 35 percent in Figure 15. Type of applications considered most at risk due to the lack of proper access governance and control Three choices permitted Mobile applications Social media applications Cloud-based applications Peer-to-peer database* 41% 39% 38% 35% 34% 48% 51% Business unit specific applications Knowledge applications Human resource applications CRM applications Productivity applications Supply chain management applications Finance/ERP applications Revenue generating applications 5% 21% 20% 25% 17% 20% 16% 21% 13% 15% 10% 13% 12% 33% 34% 31% 0% 10% 20% 30% 40% 50% 60% * This choice was not available in FY

13 12 Solutions for mitigating the risk Companies rely on training programs. By far, most organizations conduct regular privileged user training programs as part of their efforts to protect the organization from privileged user abuse, as shown in Figure 16. However, most respondents rate the ability of their training programs to reduce the insider threat as only average. Fifty-seven percent say their organization performs background checks before issuance of privileged credentials and 51 percent say they rely on oversight by supervisors and managers. Figure 16. How do you protect your organization from privileged user abuse? More than one choice permitted Conduct regular privileged user training programs Perform thorough background checks before issuance of privileged credentials Conduct manual oversight by supervisors and managers Monitor and review provisioning systems 62% 57% 51% 50% Deploy IAM policy monitoring tools 36% Review and act upon threat intelligence 18% Other 3% 0% 10% 20% 30% 40% 50% 60% 70% The majority of respondents believe they are agile in responding to changes in the insider threat environment. Thirty-four percent of respondents rate their organizations as very high or high in being agile in responding to insider threats. It is interesting that culture is viewed as a serious barrier to being agile followed by dispersed workforce, as shown in Figure 17. Figure 17. The biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment Culture 31% Dispersed workforce 27% Cost 16% Expertise 15% IT infrastructure 10% Other 1% 0% 5% 10% 15% 20% 25% 30% 35% 12

14 13 Authentication and identity management tools are still number one. Seventy-two percent use authentication and identity management tools to manage privileged user access abuse, as shown in Figure 18. Other tools mostly used are log and configuration management (an increase from 56 percent to 64 percent) and user provisioning systems (a decrease from 63 percent to 60 percent). Technologies that have increased significantly in use are privileged user management and SIEM. Figure 18. Twelve enabling security technologies that are currently in use More than one choice permitted Authentication and identity management Log and configuration management User provisioning systems Security information and event management Privileged user management Endpoint monitoring* Enterprise role lifecycle management Access request system Access policy automation for the cloud Access policy automation Access review and certification system Host-based auditing* 17% 72% 68% 64% 56% 60% 63% 54% 48% 50% 43% 49% 42% 43% 38% 38% 36% 32% 35% 32% 28% 31% 0% 10% 20% 30% 40% 50% 60% 70% 80% * This choice ws not available for FY

15 14 More companies are using technology-based identity and access controls. According to Figure 19, one-third of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in A combination of technology and manually-based identity and access controls is also used by one-third of organizations represented in this research but actually declined from 36 percent in Only 9 percent say access to sensitive or confidential information is not really controlled. An indication that this is getting better is that in the last study 13 percent said this was the case. Also, only 7 percent say they are unable to detect sharing of access rights. Figure 19. How does your organization detect the sharing of system administration access rights by privileged users? A combination of technology and manually-based identity and access controls Technology-based identity and access controls 20% 33% 36% 33% Manually-based identity and access controls Access to sensitive or confidential information is not really controlled We are unable to detect sharing of access rights Unsure 7% 6% 6% 9% 12% 13% 13% 12% 0% 5% 10% 15% 20% 25% 30% 35% 40% 14

16 15 In some areas, companies are getting better at enforcing privilege user access policies. The findings indicate that respondents are more positive about the ability to conduct certain activities. Figure 20 reveals these as: providing evidence of compliance with regulations and industry mandates and enforcing segregation of duties requirements. Fewer respondents believe they are excellent or good at understanding privileged user entitlements that violate policy and enforcing access policies in a consistent fashion across all information resources. Figure 20. How well does your organization ensure privileged user access policies are strictly enforced? Excellent and good response combined Providing evidence of compliance with regulations and industry mandates 70% 67% Enforcing segregation of duties requirements 55% 51% Assigning access based on job function or responsibilities Vetting privileged users through background security checks before granting access rights Changing privileged access rights when an employee s job changes or they are terminated Monitoring privileged users access when entering administrative root level access areas Understanding privileged user entitlements that are out of scope for a particular role Understanding privileged user entitlements that violate policy Enforcing access policies in a consistent fashion across all information resources 42% 40% 41% 39% 41% 45% 37% 34% 36% 35% 30% 28% 26% 23% 0% 10% 20% 30% 40% 50% 60% 70% 80% 15

17 16 Lack of visibility hinders the ability to determine if users are complying with policies. Figure 21 reveals that 42 percent of respondents are not confident that they have the enterprisewide visibility for privileged user access and can determine if users are compliant with policies. Only 16 percent are very confident that they have this visibility. Figure 21. How confident are you that your organization has enterprise-wide visibility and can determine if these users are compliant with policies? 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 16% 18% 15% 15% 22% 23% Very confident Confident Somewhat confident 42% 45% Not confident 2% 2% Unsure Reasons for not being confident is the inability to create a unified view of privileged user access across the enterprise and this has increased from 44 percent to 51 percent of respondents in 2014, as shown in Figure 22. Another problem is keeping up with changes occurring in their organization s IT resources (on-boarding, off-boarding and outsourcing for management), according to 30 percent of respondents. Figure 22. Main reasons for not being confident Can t create a unified view of privileged user access across the enterprise 44% 51% Can t keep up with the changes occurring to IT resources 30% 29% Can t apply controls that need to span across information resources Privileged user account information is visible but not entitlement information 10% 15% 9% 12% 0% 10% 20% 30% 40% 50% 60% 16

18 17 Budgets and investment in reducing the risk of insider threats How are companies allocating resources to reduce insider threat? Figure 23 reveals that 40 percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (43 percent) say their organizations do not have one. Fifty-one percent of respondents say they allocate between 5 and 8 percent of their organizations overall IT budget to insider threat technology. Figure 23. Is the budget allocated for investment in technologies to reduce the insider threat? 50% 45% 40% 35% 30% 25% 40% 43% 20% 17% 15% 10% 5% 0% It is part of the overall IT budget It is not part of the IT budget No Technologies and personnel receive the most resources to stop insider threats. When asked to allocate their organization s efforts to reduce the insider threat, 43 percent say it is dedicated to technologies and 38 percent to personnel, according to Figure 24. While organizations rely on training programs (as discussed above), only 11 percent are allocated to training. Figure 24. How does your organization allocate resources to mitigate insider threats? 50% 45% 40% 35% 30% 25% 20% 43% 38% 15% 10% 11% 7% 5% 0% Technologies Personnel Training Governance Other 1% 17

19 18 New tools to reduce the risk are considered important. When it comes to technology, 41 percent say they are more likely to buy new tools specifically for mitigating insider threats or more likely to make existing tools work (33 percent), as shown in Figure 25. Figure 25. Investing in insider threat mitigation technologies versus making existing tools work More likely to buy new tools built specifically for mitigating insider threats 41% More likely to make existing tools work 33% Equally likely to buy new tools or make existing tools work 21% Cannot determine 5% 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 18

20 19 Part 3. Methods A random sampling frame of 18,821 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians located in the United States were selected as participants to this survey. As shown in Table 1, 779 respondents completed the survey. Screening and failed reliability checks removed 86 surveys. The final sample was 693 surveys (or a 3.7 percent response rate). Table 1. Sample response Freq. Pct% Total sampling frame 18, % Total returns % Rejected and screened surveys % Final sample % Pie Chart 1 reports the respondent s organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory levels. Pie Chart 1. What organizational level best describes your current position? 4% 5% 3% 16% Senior Executive/VP Director Manager 33% Supervisor 23% Technician Staff Contractor 16% 19

21 20 Pie Chart 2 reports the respondent s direct reporting channel. Fifty-six percent of respondents report to the CIO and 16 percent report to the CISO. Pie Chart 2. What best describes your direct reporting channel? 7% 2% 1% 9% Chief Information Officer Chief Information Security Officer 9% Chief Technology Officer 56% Chief Risk Officer Compliance Officer 16% Chief Financial Officer Chief Security Officer As shown in pie chart 3, 66 percent of respondents are from organizations with a worldwide headcount of 1,000 or more employees. Pie chart 3. Worldwide headcount of the organization 9% 7% 15% < to 1,000 19% 19% 1,001 to 5,000 5,001 to 25,000 25,001 to 75,000 > 75,000 31% 20

22 21 Pie Chart 4 reports the industry segments of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by state or local government (12 percent) and federal government (11 percent). Pie Chart 4. Industry distribution of respondents organizations 4% 3% 3% 2% 2% 3% 3% 18% Financial services State or local government Federal government Health & pharmaceutical 5% 6% 12% Services Consumer Retail Technology & software Industrial 6% 11% Energy & utilities Communications 6% 8% 8% Entertainment & media Hospitality Defense & aerospace Transportation Other Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are privileged users, database administrators, network engineers, IT security practitioners or cloud custodians. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response. 21

23 22 Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April Sample response Sampling frame 18,821 16,579 Total returns Rejected & screened surveys Final sample Response rate 3.7% 3.4% Part 1. Background Q1. What best describes your level of access to your organization s IT networks, enterprise systems, applications and information assets? Please select only one choice. Limited (ordinary) end user access rights to IT resources (Stop) 0% 6% Expanded access rights to IT resources, but not overly broad 13% 12% Broad access rights to IT resources 53% 43% Root level access rights to IT resources 34% 33% None of the above (Stop) 0% 6% Total 100% 100% Q2. Have recent well-publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats within your organization FY 2014 Yes, caused a significant increase in our level of concern 58% Yes, caused some increase in our level of concern 31% No impact in our level of concern 8% Unable to determine 3% Total 100% *Data not available in FY2011 Q3a. Is privileged access required in order for you to complete your current job assignments or functions within the organization? Yes 75% 78% No 25% 22% Total 100% 100% Q3b. If you said no, what is the primary reason you still have privileged access rights? Please select only one choice. I needed privileged access in a previous position and it was not revoked after my role changed 36% 35% Everyone at my level has privileged access even if it is not required to perform a job assignment 38% 41% The organization assigned privileged access rights for no apparent reason 17% 15% I don t know 9% 9% Total 100% 100% Q4. Do you believe this risk will increase, decrease or stay the same over the next 12 to 24 months? Increase 45% 44% Stay the same 43% 42% Decrease 12% 14% Total 100% 100% 22

24 23 Q5. What best describes your role in the organization s IT department or related functions? Please check all that apply. Database administrator 32% 33% Systems administrator 36% 35% Network engineer 24% 21% IT security practitioner 31% 26% IT audit practitioner 11% 12% Data center manager 44% 41% Application developer 19% 15% Cloud custodian 24% 18% Other (please specify) 1% 2% Total 222% 203% Q6. How do you determine if an action taken by an insider is truly a threat? Select all that apply. FY 2014 Monitor and review log files 63% Conduct manual oversight by supervisors and managers 51% Deploy SIEM and/or other network intelligence tools 40% Utilize big data analytics to identify suspicious insider activities 16% Deploy next generation security technologies 33% Endpoint monitoring 34% Other (please specify) 2% Total 239% *Data not available in FY2011 Q7. How do you protect your organization from privileged user abuse? Select all that apply. FY 2014 Perform thorough background checks before issuance of privileged credentials 57% Conduct manual oversight by supervisors and managers 51% Monitor and review provisioning systems 50% Review and act upon threat intelligence 18% Deploy IAM policy monitoring tools 36% Conduct regular privileged user training programs 62% Other (please specify) 3% Total 277% *Data not available in FY2011 Q8. What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat? Select all that apply. FY 2014 Not enough contextual information provided by security tools 69% Security tools yield too many false positives 56% Behavior involved in the incident is consistent with the individual s role and responsibilities 28% Security tools yield more data then can be reviewed in a timely fashion 45% Total 198% *Data not available in FY

25 24 Q9. Please rate your organization s level of agility in responding to changes in the insider threat environment? FY 2014 Very high 14% High 20% Moderate 35% Low 22% Very low 9% Total 100% *Data not available in FY2011 Q10. What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment? Select only one. FY 2014 Cost 16% Expertise 15% Culture 31% IT infrastructure 10% Dispersed workforce 27% Other (please specify) 1% Total 100% *Data not available in FY2011 Q11. Using the following 10-point scale, please rate the ability of your training programs to reduce the insider threat risk. 1 = Low to 10 = High FY to 2 15% 3 to 4 31% 5 to 6 30% 7 to 8 16% 9 to 10 8% Total 100% *Data not available in FY2011 Q12. How does your organization allocate resources to mitigate or curtail insider threats? Please allocate 100 points to each category presented below FY 2014 Training 11 Technologies 43 Personnel 38 Governance 7 Other (please specify) 1 Total 100 *Data not available in FY2011 Q13a. Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat? FY 2014 Yes, it is part of the overall IT budget 40% Yes, it is not part of the IT budget 17% No 43% Total 100% *Data not available in FY

26 25 Q13b. If part of the overall IT budget, what is the percentage allocated to insider threat technology investments? FY 2014 < 1% 2% 1% to 2% 5% 3% to 4% 8% 5% to 6% 21% 7% to 8% 30% 9% to 10% 15% 11% to 15% 11% 16% to 20% 5% > 20% 3% Total 100% *Data not available in FY2011 Q14. What one statement best describes your organization s preference for investing in insider threat mitigation technologies versus making existing tools work? FY 2014 We are more likely to buy new tools built specifically for mitigating insider threats 41% We are more likely to make existing tools work 33% We are equally likely to buy new tools or make existing tools work 21% Cannot determine 5% Total 100% *Data not available in FY2011 Part 2. Scenarios: How likely would it be for the following events to occur within your organization? Very likely & likely response combined Q15. The organization assigns privileged access rights that go beyond the individual s role or responsibilities. 54% 55% Q16. Privileged users are pressured to share their access rights with others in the organization. 40% 41% Q17. Social engineers outside the organization target privileged users to obtain their access rights. 45% 30% Q18. Malicious insiders target privileged users to obtain their access rights. 47% 21% Q19. Privileged users are not properly vetted or have their backgrounds checked prior to receiving their access rights. 38% 34% Q20. Privileged users become disgruntled and leak data or damage equipment. 27% 28% Q21. Privileged users access sensitive or confidential data because of their curiosity. 65% 68% Q22. Privileged users believe they are empowered to access all the information they can view. 73% 71% Q23. Privileged users who leave the organization continue to have access rights for a period of time after their discharge. 15% 16% Q24. Privileged users working from a home office have administrative or root level access rights. 41% 35% Average 45% 41% 25

27 26 Part 3. Privileged user access governance Q25. Please check all 12 of the enabling security technologies below that are used by your organization. Enterprise role lifecycle management 42% 43% Access request system 38% 38% Access policy automation 35% 32% Access review and certification system 28% 31% Privileged user management 50% 43% Security information and event management (SIEM) 54% 48% Access policy automation for the cloud 36% 32% Log and configuration management 64% 56% User provisioning systems 60% 63% Authentication and identity management 72% 68% Host-based auditing* 17% Endpoint monitoring* 49% Average 45% 45% Q26. What types of data do you consider to be most at risk in your organization due to the lack of proper access controls over privileged users? Top two choices. Customer information 49% 54% Consumer information 26% 19% Employee information 35% 35% Financial information 15% 13% General business information 56% 51% Corporate intellectual property 33% 12% Classified information* 29% Total 35% 184% Q27. What type of applications do you consider to be most at risk in your organization due to the lack of proper access governance and control? Please select the top three. Finance/ERP applications 10% 13% CRM applications 17% 20% Supply chain management applications 13% 15% Revenue generating applications 5% 12% Business unit specific applications 33% 34% Human resource applications 20% 25% Productivity applications 16% 21% Knowledge applications 21% 31% Cloud-based applications 38% 35% Social media applications 39% 51% Peer-to-peer database* 34% Mobile applications 48% 41% Total 294% 298% Q28. What best describes the process for assigning privileged user access to IT resources in your organization today? Please select one best choice. An ad hoc process 49% 51% Determined by well-defined policies that are centrally controlled by corporate IT 35% 31% Determined by well-defined policies that are controlled by business or application owners 15% 16% Unsure 1% 2% Total 100% 100% 26

28 27 Q29. Who in your organization is most responsible for granting privilegeduser access to information resources? Top two choices. Information technology operations 40% 40% Information security department 10% 11% Compliance department 17% 16% Business unit managers 51% 43% Application owners 35% 38% Human resource department 21% 25% Unsure 7% 6% Total 181% 179% Q30. What processes are used for granting privileged user access to IT resources: Please select the top two. Manual process (i.e. or phone) 40% 22% Homegrown access request systems 17% 16% Commercial off- the-shelf automated solutions 57% 35% IT Help Desk 36% 20% Unsure 0% 1% Other 5% 6% Total 155% 100% Q31. What processes are used to review and certify privileged user access? Please select the top two. Manual process (i.e. , spreadsheets) 46% 23% Homegrown access certification system 17% 18% Commercial off-the-shelf access certification system 44% 31% IT Help Desk 8% 3% Unsure 10% 16% Other 7% 9% Total 132% 100% Q32. Who within your organization is most responsible for conducting privileged user role certification? IT security 24% 23% Business units 36% 32% Audit 5% 4% Compliance 15% 9% Quality assurance 2% 3% Data center management 7% 5% Other 11% 24% Total 100% 100% Q33. How does your organization detect the sharing of system administration access rights or root level access rights by privileged users? Please select the top two. Technology-based identity and access controls 33% 20% Manually-based identity and access controls 12% 13% A combination of technology and manually-based identity and access controls 33% 36% Access to sensitive or confidential information is not really controlled 9% 13% We are unable to detect sharing of access rights 7% 6% Unsure 6% 12% Total 100% 100% 27

29 28 Q34. How well does your organization ensure privileged user access policies for the following tasks are strictly enforced? Combined excellent and good response. Assigning access based on job function or responsibilities 42% 40% Revoking or changing privileged access rights as needed when an employee s job or function changes or their relationship with the organization is terminated 41% 45% Enforcing access policies in a consistent fashion across all information resources in the organization 26% 23% Monitoring privileged users access when entering administrative root level access areas 37% 34% Enforcing segregation of duties requirements 55% 51% Providing evidence of compliance with regulations and industry mandates 70% 67% Understanding privileged user entitlements that are out of scope for a particular role 36% 35% Understanding privileged user entitlements that violate policy 30% 28% Vetting privileged users through background security checks before granting access rights 41% 39% Average 42% 40% Q35a. How confident are you that your organization has enterprise-wide visibility for privileged user access and can determine if these users are compliant with policies? Very confident 16% 15% Confident 18% 15% Somewhat confident 22% 23% Not confident 42% 45% Unsure 2% 2% Total 100% 100% Q35b. If not confident, please select one main reason. We can t create a unified view of privileged user access across the enterprise 51% 44% We only have visibility into privileged user account information but not entitlement information 9% 12% We can t apply controls that need to span across information resources 10% 15% We can t keep up with the changes occurring to our organization s IT resources (on-boarding, off- boarding and outsourcing for management) 30% 29% Total 100% 100% Q36. What are the critical success factors for governing, managing and controlling privileged user access across the enterprise? Very important and important response combined. Senior level executive support 65% 66% Ample budget 88% 90% Identity and access management technologies 86% 87% SIEM and network intelligence technologies 75% 78% Clearly defined privileged user access policies and procedures 44% 45% Accountability for governing user access owned by the business 51% 53% Privileged access rights assigned based on job function and responsibilities 63% 61% Compliance controls consistently applied across the enterprise 52% 45% Ability to automatically remediate privileged user access policy violations 61% 56% Monitor access inactivity to determine if access should be revoked 61% 63% Audits by an independent third-party 36% 27% Background checks before granting privileged access rights 56% 48% Average 62% 60% 28

30 29 Q37. What are the main problems your organization faces in delivering and enforcing privileged user access rights? Please select only your top three choices. Takes too long to deliver access to privileged users (not meeting our SLAs with the business) 44% 32% Too expensive to monitor and control all privileged users 30% 38% Too much staff required to monitor and control all privileged users 16% 23% Cannot apply access policy controls at point of change request 22% 27% Delivery of access to privileged users is staggered (not delivered at the same time) 5% 8% Cannot keep pace with the number of access change requests that come in on a regular basis 62% 53% Lack of a consistent approval process for access and a way to handle exceptions 45% 52% Difficult to audit and validate privileged user access changes 29% 35% Burdensome process for business users requesting access 35% 23% No common language exists for how access is requested that will work for both IT and the business 4% 5% Other (please specify) 0% 2% Total 292% 298% Part 4. More scenarios. In your opinion, how will each of the following situations affect your organization s access governance process, especially concerning privileged users? Please use the scale from very significant impact to no affect. Q38. Increasing number of regulations or industry mandates 62% 60% Q39. Adoption of cloud-based applications enables the business or endusers to circumvent existing access policies 71% 65% Q40. Outsourcing of applications and data for management 36% 45% Q41. The constant turnover (ebb and flow) of employees, contractors, consultants and partners 41% 43% Q42. Availability of SIEM and other network intelligence technologies 56% 57% Q43. Constant changes to the organization as a result of corporate reorganizations, downsizing and financial distress 27% 32% Q44. Adoption of virtualization technologies 48% 56% Q45. Expanded use of mobile devices in the workplace 76% 48% Q46. Change in the nature and scope of cyber crime 71% 65% Q47. The level of risk caused by privileged users abuse or misuse of IT resources 26% 19% Average 51% 49% Part 5. Your role D1. What organizational level best describes your current position? FY 2014 Senior Executive/VP 3% Director 16% Manager 23% Supervisor 16% Technician 33% Staff 4% Contractor 5% Other 0% Total 100% 29

31 30 D2. Check the Primary Person you or your IT security leader reports to within the organization. FY 2014 CEO/Executive Committee 0% Chief Financial Officer 2% General Counsel 0% Chief Information Officer 56% Chief Technology Officer 9% Compliance Officer 7% Human Resources VP 0% Chief Security Officer 1% Chief Information Security Officer 16% Chief Risk Officer 9% Other 0% Total 100% D3. What is the worldwide headcount of your organization? FY 2014 < % 500 to 1,000 19% 1,001 to 5,000 31% 5,001 to 25,000 19% 25,001 to 75,000 9% > 75,000 7% Total 100% D4. What industry best describes your organization s industry focus? FY 2014 Agriculture & food services 0% Communications 3% Consumer 6% Defense & aerospace 2% Education & research 1% Energy & utilities 4% Entertainment & media 3% Federal government 11% Financial services 18% Health & pharmaceutical 8% Hospitality 3% Industrial 5% Retail 6% Services 8% State or local government 12% Technology & software 6% Transportation 2% Other 2% Total 100% 30

32 31 About Raytheon Raytheon Company, with 2013 sales of $24 billion and 63,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 92 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems, as well as cyber security and a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at and follow us on Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. 31