Privileged User Abuse & The Insider Threat - Raytheon Cyber

Privileged User Abuse & The Insider Threat

Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014

Ponemon Institute© Research Report

Ponemon Institute, May 2014

Part 1. Introduction

Ponemon Institute is pleased to present the findings of Privileged User Abuse & The Insider Threat, commissioned by Raytheon Company. Ponemon Institute first studied this issue in 2011. Since then, well-publicized disclosures of highly sensitive information by WikiLeaks and former NSA employee Edward Snowden have heightened both awareness and concern about the insider threat caused by privileged users. In fact, 88 percent of participants in this research believe the risk of privileged user abuse will increase or stay the same in the next 12 to 24 months. This finding is virtually unchanged since 2011, when we conducted the first study on the insecurity of privileged users.

For purposes of this research, privileged users include database administrators, network engineers, IT security practitioners and cloud custodians. According to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and, although it is not necessary, will look at an organization’s most confidential information out of curiosity.

To ensure that the 693 respondents we surveyed have an in-depth knowledge of how their organizations are managing privileged users, we asked them to indicate their level of access to their organizations’ IT networks, enterprise systems, applications and information assets. If they had only limited end user access rights to IT resources, they were not included in the final sample of respondents.

According to 75 percent of respondents, privileged access rights are required to complete their current job assignment. The 25 percent who say they do not need privileged access to do their job but have it anyway cited two primary reasons. First, everyone at their level has privileged access rights for no apparent reason (38 percent of respondents). Second, the organization failed to revoke these rights when they changed their role and no longer needed access privileges (36 percent of respondents).

Key takeaways from this research:

Despite the risks posed by insiders, 49 percent of respondents do not have policies for assigning privileged user access. However, slightly more organizations do use well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011). There was a slight decrease in an ad hoc approach to assigning privileged user access.

While the establishment of privileged user access policies is lacking, processes are improving. The findings show a significant increase in the use of commercial off-the-shelf automated solutions for granting user access privileges, from 35 percent of respondents in 2011 to 57 percent in 2014. The use of manual processes such as by phone or email also increased from 22 percent of respondents in 2011 to 40 percent of respondents in 2014.

Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. Fifty-one percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in 2011.

Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. The biggest challenges are not having enough contextual information provided by security tools (69 percent of respondents) and security tools that yield too many false positives (56 percent of respondents).


Part 2. Key Findings

Following is an analysis of the key findings. To understand trends in organizations’ ability to manage privileged user access, we have included questions from the research conducted in 2011. Whenever possible we compare the findings from the 2011 study to this year’s research. We have organized the findings according to the following topics:

- Current practices in assigning privilege user access
- The detection of insider privilege abuse
- Solutions for mitigating the risk
- Budgets and investment in reducing the risk of insider threats

Current practices in assigning privilege user access

Policies for assigning privilege user access to IT resources are often ad hoc. Despite concerns about insider threats caused by privileged users, almost half (49 percent) describe their organization’s policies for assigning privileged user access as ad hoc, as shown in Figure 1. However, there is a slight increase from 2011 in the use of well-defined policies that are centrally controlled by corporate IT (35 percent in 2014 vs. 31 percent in 2011).

Figure 1. The process for assigning privileged user access to IT resources (FY 2014 / FY 2011)
An “ad hoc” process: 49% / 51%
Determined by well-defined policies that are centrally controlled by corporate IT: 35% / 31%
Determined by well-defined policies that are controlled by business or application owners: 15% / 16%
Unsure: 1% / 2%

While the establishment of policies lags, processes for privileged user access are improving. There is a significant increase in the use of commercial off-the-shelf automated solutions from 35 percent of respondents in 2011 to 57 percent in 2014, according to Figure 2. The use of manual processes such as by phone or email also increased from 22 percent of respondents in 2011 to 40 percent of respondents in 2014. The third most widely used process is the IT help desk, which increased from 20 percent to 36 percent.

Figure 2. Processes used for granting privileged user access to IT resources (two choices permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: Commercial off-the-shelf automated solutions; Manual process; IT Help Desk; Homegrown access request systems; Unsure; Other.]

More organizations are using manual processes such as email and spreadsheets to review and certify privileged user access. As revealed in Figure 3, this has increased from 23 percent to 46 percent, and the use of commercial off-the-shelf access certification systems increased from 31 percent to 44 percent.

Figure 3. Processes used to review and certify privileged user access (two choices permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: Manual process; Commercial off-the-shelf access certification system; Homegrown access certification system; Unsure; IT Help Desk; Other.]

Business unit managers are gaining influence in granting privileged user access and conducting privileged user role certification. As shown in Figure 4, 51 percent of respondents say it is the business unit manager who most often handles granting access. This is an increase from 43 percent in 2011. Thirty-five percent of respondents say application owners are responsible and this is a decrease from 38 percent in 2011. Only 10 percent say it is the information security department that is responsible for granting access rights.

Figure 4. Most responsible for granting privileged-user access to information resources (two choices permitted; FY 2014 / FY 2011)
Business unit managers: 51% / 43%
Information technology operations: 40% / 40%
Application owners: 35% / 38%
Human resource department: 21% / 25%
Compliance department: 17% / 16%
Information security department: 10% / 11%
Unsure: 7% / 6%

Figure 5 reveals that 36 percent of respondents say business unit managers are most responsible for conducting privileged user role certification and this is an increase from 32 percent in 2011. Twenty-four percent of respondents say their IT security department handles role certification.

Figure 5. Most responsible for conducting privileged user role certification
[Bar chart comparing FY 2014 and FY 2011. Categories: Business units; IT security; Compliance; Data center management; Audit; Quality assurance; Other.]

Critical success factors for governing, managing and controlling privileged user access across the enterprise are consistent with the previous study. Budget continues to be critical, as do identity and access management technologies, SIEM and network intelligence technologies and senior level executive support, as shown in Figure 6. Not considered as critical is the existence of clearly defined privileged user access policies and procedures. This is consistent with the earlier finding that 49 percent of respondents say their policies are ad hoc and not clearly defined.

Figure 6. Success factors for governing, managing and controlling privileged user access (very important and important response combined)
[Bar chart comparing FY 2014 and FY 2011. Categories: Ample budget; Identity and access management technologies; SIEM and network intelligence technologies; Senior level executive support; Privileged access rights assigned based on job function; Monitor access inactivity to determine if access should be revoked; Ability to automatically remediate privileged user access policy violations; Background checks before granting privileged access rights; Compliance controls consistently applied across the enterprise; Accountability for governing user access owned by the business; Clearly defined privileged user access policies and procedures; Audits by an independent third-party.]

Organizations struggle with delivering and enforcing privileged user access rights. The biggest problem is still keeping pace with the number of access change requests that come in on a regular basis (an increase from 53 percent to 62 percent). However, two problems have increased significantly: the burdensome process for business users requesting access (from 23 percent to 35 percent of respondents) and the time it takes to deliver access to privileged users (32 percent to 44 percent), as shown in Figure 7.

Figure 7. Main problems faced in delivering and enforcing privileged user access rights (three choices permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: Cannot keep pace with the number of access change requests that come in; Lack of a consistent approval process for access and a way to handle exceptions; Takes too long to deliver access to privileged users; Burdensome process for business users requesting access; Difficult to audit and validate privileged user access changes; Cannot apply access policy controls at point of change request; Too much staff required to monitor and control all privileged users; Delivery of access to privileged users is staggered; No common language exists that will work for both IT and the business; Too expensive to monitor and control all privileged users; Other.]

The detection of insider privilege abuse

Concern grows about insider threats. Figure 8 reveals that 89 percent of respondents (58 percent + 31 percent) say WikiLeaks and Edward Snowden have caused either a significant or some increase in their organization’s level of concern about insider threats. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months.

Figure 8. Have recent publicized incidents such as WikiLeaks and Edward Snowden increased the level of concern about insider threats?
Caused a significant increase in our level of concern: 58%
Caused some increase in our level of concern: 31%
No impact in our level of concern: 8%
Unable to determine: 3%

Is it really an insider threat? Companies often have difficulty in actually knowing if an action taken by an insider is truly a threat. According to Figure 9, the biggest challenges are not having enough contextual information provided by security tools (69 percent of respondents) and security tools that yield too many false positives (56 percent of respondents).

Figure 9. Challenges in establishing whether an event is an insider threat (more than one choice permitted)
Not enough contextual information provided by security tools: 69%
Security tools yield too many false positives: 56%
Security tools yield more data than can be reviewed in a timely fashion: 45%
Behavior involved in the incident is consistent with the individual’s role and responsibilities: 28%

To determine if a malicious insider is involved in the incident, companies are most likely to monitor and review log files (63 percent of respondents), conduct manual oversight by supervisors and managers (51 percent of respondents) and deploy SIEM and other network intelligence tools (40 percent of respondents), as shown in Figure 10. More sophisticated tools such as endpoint monitoring and big data analytics are not as widely used, according to 34 percent and 16 percent of respondents, respectively.

Figure 10. What best describes your role in the organization’s IT department? (more than one choice permitted)
Monitor and review log files: 63%
Conduct manual oversight by supervisors and managers: 51%
Deploy SIEM and/or other network intelligence tools: 40%
Endpoint monitoring: 34%
Deploy next generation security technologies: 33%
Utilize big data analytics to identify suspicious insider activities: 16%
Other: 2%

Increasingly, malicious insiders target privileged users to obtain their access rights. In 2011, only 21 percent said it would be likely that malicious insiders would use social engineering or other measures to obtain someone’s access rights. This has increased significantly to 47 percent of respondents. In addition, more respondents say it is likely that social engineers outside the organization target privileged users to obtain their access rights (45 percent in 2014 and 30 percent in 2011).

Figure 11. How likely would it be for the following events to occur? (very likely and likely response combined; FY 2014 / FY 2011)
Malicious insiders target privileged users to obtain their access rights: 47% / 21%
Social engineers outside the organization target privileged users to obtain their access rights: 45% / 30%

Risks created by the human factor in privilege user access abuse continue. The most common scenarios that create the insider threat have not changed since 2011. Figure 12 reveals that 73 percent say privileged users believe they are empowered to access all the information they can view, 65 percent say privileged users access sensitive or confidential data because of curiosity and 54 percent say the organization assigns privileged access rights that go beyond the individual’s role or responsibility.

Figure 12. Likelihood of scenario occurring (very likely and likely response combined; FY 2014 / FY 2011)
Privileged users believe they are empowered to access all the information they can view: 73% / 71%
Privileged users access sensitive or confidential data because of their curiosity: 65% / 68%
Assigned privileged access rights go beyond the individual’s role or responsibilities: 54% / 55%

According to Figure 13, two other insider threats that increased are: allowing privileged users working from a home office to have administrative or root level access rights (an increase from 35 percent to 41 percent) and not properly vetting or checking the backgrounds of privileged users before they receive access rights.

Figure 13. Likelihood of insider threats occurring (very likely and likely response combined; FY 2014 / FY 2011)
Privileged users working from a home office have administrative or root level access rights: 41% / 35%
Privileged users are not properly vetted prior to receiving their access rights: 38% / 34%
Privileged users become disgruntled and leak data or damage equipment: 27% / 28%
Privileged users who leave continue to have access rights for a period of time after their discharge: 15% / 16%

Respondents are less likely to believe that access rights follow privileged users when they leave the company (15 percent of respondents) and that disgruntled employees will leak data or damage equipment (Figure 13).

What’s most at risk? While respondents believe general business and customer information is most at risk in their organizations due to the lack of proper access controls over privileged users (56 percent and 49 percent), fears about abuse of corporate intellectual property increased dramatically from 12 percent of respondents to 33 percent of respondents, as shown in Figure 14.

Figure 14. Types of data most at risk when there is a lack of proper access controls (two choices permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: General business information; Customer information; Employee information; Corporate intellectual property; Classified information*; Consumer information; Financial information.]
* This choice was not available in FY 2011

According to Figure 15, mobile applications are considered to be most at risk in their organizations due to the lack of proper access governance and control. This is followed by social media applications (which actually declined from 51 percent to 39 percent) and cloud-based applications at 38 percent, an increase from 35 percent in 2011.

Figure 15. Type of applications considered most at risk due to the lack of proper access governance and control (three choices permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: Mobile applications; Social media applications; Cloud-based applications; Peer-to-peer database*; Business unit specific applications; Knowledge applications; Human resource applications; CRM applications; Productivity applications; Supply chain management applications; Finance/ERP applications; Revenue generating applications.]
* This choice was not available in FY 2011

Solutions for mitigating the risk

Companies rely on training programs. By far, most organizations conduct regular privileged user training programs as part of their efforts to protect the organization from privileged user abuse, as shown in Figure 16. However, most respondents rate the ability of their training programs to reduce the insider threat as only average. Fifty-seven percent say their organization performs background checks before issuance of privileged credentials and 51 percent say they rely on oversight by supervisors and managers.

Figure 16. How do you protect your organization from privileged user abuse? (more than one choice permitted)
Conduct regular privileged user training programs: 62%
Perform thorough background checks before issuance of privileged credentials: 57%
Conduct manual oversight by supervisors and managers: 51%
Monitor and review provisioning systems: 50%
Deploy IAM policy monitoring tools: 36%
Review and act upon threat intelligence: 18%
Other: 3%

The majority of respondents believe they are agile in responding to changes in the insider threat environment. Thirty-four percent of respondents rate their organizations as very high or high in being agile in responding to insider threats. It is interesting that culture is viewed as a serious barrier to being agile followed by dispersed workforce, as shown in Figure 17.

Figure 17. The biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment
Culture: 31%
Dispersed workforce: 27%
Cost: 16%
Expertise: 15%
IT infrastructure: 10%
Other: 1%

Authentication and identity management tools are still number one. Seventy-two percent use authentication and identity management tools to manage privileged user access abuse, as shown in Figure 18. Other tools mostly used are log and configuration management (an increase from 56 percent to 64 percent) and user provisioning systems (a decrease from 63 percent to 60 percent). Technologies that have increased significantly in use are privileged user management and SIEM.

Figure 18. Twelve enabling security technologies that are currently in use (more than one choice permitted)
[Bar chart comparing FY 2014 and FY 2011. Categories: Authentication and identity management; Log and configuration management; User provisioning systems; Security information and event management; Privileged user management; Endpoint monitoring*; Enterprise role lifecycle management; Access request system; Access policy automation for the cloud; Access policy automation; Access review and certification system; Host-based auditing*.]
* This choice was not available for FY 2011

More companies are using technology-based identity and access controls. According to Figure 19, one-third of respondents say their organizations use identity and access control technologies to detect the sharing of system administration access rights or root level access rights by privileged users. This is an increase from 20 percent in 2011. A combination of technology and manually-based identity and access controls is also used by one-third of organizations represented in this research but actually declined from 36 percent in 2011. Only 9 percent say access to sensitive or confidential information is not really controlled. An indication that this is getting better is that in the last study 13 percent said this was the case. Also, only 7 percent say they are unable to detect sharing of access rights.

Figure 19. How does your organization detect the sharing of system administration access rights by privileged users? (FY 2014 / FY 2011)
A combination of technology and manually-based identity and access controls: 33% / 36%
Technology-based identity and access controls: 33% / 20%
Manually-based identity and access controls: 12% / 13%
Access to sensitive or confidential information is not really controlled: 9% / 13%
We are unable to detect sharing of access rights: 7% / 6%
Unsure: 6% / 12%

In some areas, companies are getting better at enforcing privilege user access policies. The findings indicate that respondents are more positive about the ability to conduct certain activities. Figure 20 reveals these as: providing evidence of compliance with regulations and industry mandates and enforcing segregation of duties requirements. Fewer respondents believe they are excellent or good at understanding privileged user entitlements that violate policy and enforcing access policies in a consistent fashion across all information resources.

Figure 20. How well does your organization ensure privileged user access policies are strictly enforced? (excellent and good response combined)
[Bar chart comparing FY 2014 and FY 2011. Categories: Providing evidence of compliance with regulations and industry mandates; Enforcing segregation of duties requirements; Assigning access based on job function or responsibilities; Vetting privileged users through background security checks before granting access rights; Changing privileged access rights when an employee’s job changes or they are terminated; Monitoring privileged users’ access when entering administrative root level access areas; Understanding privileged user entitlements that are out of scope for a particular role; Understanding privileged user entitlements that violate policy; Enforcing access policies in a consistent fashion across all information resources.]

Lack of visibility hinders the ability to determine if users are complying with policies. Figure 21 reveals that 42 percent of respondents are not confident that they have the enterprise-wide visibility for privileged user access and can determine if users are compliant with policies. Only 16 percent are very confident that they have this visibility.

Figure 21. How confident are you that your organization has enterprise-wide visibility and can determine if these users are compliant with policies?
[Bar chart comparing FY 2014 and FY 2011. Categories: Very confident; Confident; Somewhat confident; Not confident; Unsure.]

The main reason for not being confident is the inability to create a unified view of privileged user access across the enterprise, which has increased from 44 percent to 51 percent of respondents in 2014, as shown in Figure 22. Another problem is keeping up with changes occurring in their organization’s IT resources (on-boarding, off-boarding and outsourcing for management), according to 30 percent of respondents.

Figure 22. Main reasons for not being confident (FY 2014 / FY 2011)
Can’t create a unified view of privileged user access across the enterprise: 51% / 44%
Can’t keep up with the changes occurring to IT resources: 30% / 29%
Can’t apply controls that need to span across information resources: 10% / 15%
Privileged user account information is visible but not entitlement information: 9% / 12%

Budgets and investment in reducing the risk of insider threats

How are companies allocating resources to reduce insider threat? Figure 23 reveals that 40 percent of respondents say they have a budget specifically allocated for investment in enabling technologies to reduce the insider threat but a similar percentage (43 percent) say their organizations do not have one. Fifty-one percent of respondents say they allocate between 5 and 8 percent of their organizations’ overall IT budget to insider threat technology.

Figure 23. Is the budget allocated for investment in technologies to reduce the insider threat?
[Bar chart. Categories: It is part of the overall IT budget; It is not part of the IT budget; No.]

Technologies and personnel receive the most resources to stop insider threats. When asked to allocate their organization’s efforts to reduce the insider threat, 43 percent say it is dedicated to technologies and 38 percent to personnel, according to Figure 24. While organizations rely on training programs (as discussed above), only 11 percent is allocated to training.

Figure 24. How does your organization allocate resources to mitigate insider threats?
Technologies: 43%
Personnel: 38%
Training: 11%
Governance: 7%
Other: 1%

New tools to reduce the risk are considered important. When it comes to technology, 41 percent say they are more likely to buy new tools specifically for mitigating insider threats or more likely to make existing tools work (33 percent), as shown in Figure 25.

Figure 25. Investing in insider threat mitigation technologies versus making existing tools work
More likely to buy new tools built specifically for mitigating insider threats: 41%
More likely to make existing tools work: 33%
Equally likely to buy new tools or make existing tools work: 21%
Cannot determine: 5%

Part 3. Methods

A random sampling frame of 18,821 privileged users, including database administrators, network engineers, IT security practitioners and cloud custodians located in the United States, was selected as participants in this survey. As shown in Table 1, 779 respondents completed the survey. Screening and failed reliability checks removed 86 surveys. The final sample was 693 surveys (or a 3.7 percent response rate).

Table 1. Sample response (Freq. / Pct%)
Total sampling frame: 18,821 / 100.0%
Total returns: 779 / 4.1%
Rejected and screened surveys: 86 / 0.5%
Final sample: 693 / 3.7%

Pie Chart 1 reports the respondent’s organizational level within participating organizations. By design, 58 percent of respondents are at or above the supervisory levels.

Pie Chart 1. What organizational level best describes your current position?
[Pie chart. Categories: Senior Executive/VP; Director; Manager; Supervisor; Technician; Staff; Contractor.]

Pie Chart 2 reports the respondent’s direct reporting channel. Fifty-six percent of respondents report to the CIO and 16 percent report to the CISO.

Pie Chart 2. What best describes your direct reporting channel?
[Pie chart. Categories: Chief Information Officer; Chief Information Security Officer; Chief Technology Officer; Chief Risk Officer; Compliance Officer; Chief Financial Officer; Chief Security Officer.]

As shown in Pie Chart 3, 66 percent of respondents are from organizations with a worldwide headcount of 1,000 or more employees.

Pie Chart 3. Worldwide headcount of the organization
[Pie chart. Categories: < 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; > 75,000.]

Pie Chart 4 reports the industry segments of respondents’ organizations. This chart identifies financial services (18 percent) as the largest segment, followed by state or local government (12 percent) and federal government (11 percent).

Pie Chart 4. Industry distribution of respondents’ organizations
[Pie chart. Categories: Financial services; State or local government; Federal government; Health & pharmaceutical; Services; Consumer; Retail; Technology & software; Industrial; Energy & utilities; Communications; Entertainment & media; Hospitality; Defense & aerospace; Transportation; Other.]

Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are privileged users, database administrators, network engineers, IT security practitioners or cloud custodians. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in April 2014.

| Sample response | FY 2014 | FY 2011 |
|---|---|---|
| Sampling frame | 18,821 | 16,579 |
| Total returns | 779 | 622 |
| Rejected & screened surveys | 86 | 64 |
| Final sample | 693 | 558 |
| Response rate | 3.7% | 3.4% |

Part 1. Background

Q1. What best describes your level of access to your organization’s IT networks, enterprise systems, applications and information assets? Please select only one choice.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Limited (ordinary) end user access rights to IT resources (Stop) | 0% | 6% |
| Expanded access rights to IT resources, but not overly broad | 13% | 12% |
| Broad access rights to IT resources | 53% | 43% |
| Root level access rights to IT resources | 34% | 33% |
| None of the above (Stop) | 0% | 6% |
| Total | 100% | 100% |

Q2. Have recent well-publicized incidents such as wiki leaks and Edward Snowden increased the level of concern about insider threats within your organization

| Response | FY 2014 |
|---|---|
| Yes, caused a significant increase in our level of concern | 58% |
| Yes, caused some increase in our level of concern | 31% |
| No impact in our level of concern | 8% |
| Unable to determine | 3% |
| Total | 100% |

*Data not available in FY2011

Q3a. Is privileged access required in order for you to complete your current job assignments or functions within the organization?

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Yes | 75% | 78% |
| No | 25% | 22% |
| Total | 100% | 100% |

Q3b. If you said no, what is the primary reason you still have privileged access rights? Please select only one choice.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| I needed privileged access in a previous position and it was not revoked after my role changed | 36% | 35% |
| Everyone at my level has privileged access even if it is not required to perform a job assignment | 38% | 41% |
| The organization assigned privileged access rights for no apparent reason | 17% | 15% |
| I don’t know | 9% | 9% |
| Total | 100% | 100% |

Q4. Do you believe this risk will increase, decrease or stay the same over the next 12 to 24 months?

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Increase | 45% | 44% |
| Stay the same | 43% | 42% |
| Decrease | 12% | 14% |
| Total | 100% | 100% |

Q5. What best describes your role in the organization’s IT department or related functions? Please check all that apply.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Database administrator | 32% | 33% |
| Systems administrator | 36% | 35% |
| Network engineer | 24% | 21% |
| IT security practitioner | 31% | 26% |
| IT audit practitioner | 11% | 12% |
| Data center manager | 44% | 41% |
| Application developer | 19% | 15% |
| Cloud custodian | 24% | 18% |
| Other (please specify) | 1% | 2% |
| Total | 222% | 203% |

Q6. How do you determine if an action taken by an insider is truly a threat? Select all that apply.

| Response | FY 2014 |
|---|---|
| Monitor and review log files | 63% |
| Conduct manual oversight by supervisors and managers | 51% |
| Deploy SIEM and/or other network intelligence tools | 40% |
| Utilize big data analytics to identify suspicious insider activities | 16% |
| Deploy next generation security technologies | 33% |
| Endpoint monitoring | 34% |
| Other (please specify) | 2% |
| Total | 239% |

*Data not available in FY2011

Q7. How do you protect your organization from privileged user abuse? Select all that apply.

| Response | FY 2014 |
|---|---|
| Perform thorough background checks before issuance of privileged credentials | 57% |
| Conduct manual oversight by supervisors and managers | 51% |
| Monitor and review provisioning systems | 50% |
| Review and act upon threat intelligence | 18% |
| Deploy IAM policy monitoring tools | 36% |
| Conduct regular privileged user training programs | 62% |
| Other (please specify) | 3% |
| Total | 277% |

*Data not available in FY2011

Q8. What are the biggest challenges your organization faces in establishing whether an event or incident is an insider threat? Select all that apply.

| Response | FY 2014 |
|---|---|
| Not enough contextual information provided by security tools | 69% |
| Security tools yield too many false positives | 56% |
| Behavior involved in the incident is consistent with the individual’s role and responsibilities | 28% |
| Security tools yield more data than can be reviewed in a timely fashion | 45% |
| Total | 198% |

*Data not available in FY2011

Q9. Please rate your organization’s level of agility in responding to changes in the insider threat environment?

| Response | FY 2014 |
|---|---|
| Very high | 14% |
| High | 20% |
| Moderate | 35% |
| Low | 22% |
| Very low | 9% |
| Total | 100% |

*Data not available in FY2011

Q10. What is the biggest barrier to achieving the necessary agility to respond to changes in the insider threat environment? Select only one.

| Response | FY 2014 |
|---|---|
| Cost | 16% |
| Expertise | 15% |
| Culture | 31% |
| IT infrastructure | 10% |
| Dispersed workforce | 27% |
| Other (please specify) | 1% |
| Total | 100% |

*Data not available in FY2011

Q11. Using the following 10-point scale, please rate the ability of your training programs to reduce the insider threat risk. 1 = Low to 10 = High

| Rating | FY 2014 |
|---|---|
| 1 to 2 | 15% |
| 3 to 4 | 31% |
| 5 to 6 | 30% |
| 7 to 8 | 16% |
| 9 to 10 | 8% |
| Total | 100% |

*Data not available in FY2011

Q12. How does your organization allocate resources to mitigate or curtail insider threats? Please allocate 100 points to each category presented below

| Category | FY 2014 |
|---|---|
| Training | 11 |
| Technologies | 43 |
| Personnel | 38 |
| Governance | 7 |
| Other (please specify) | 1 |
| Total | 100 |

*Data not available in FY2011

Q13a. Do you have a budget specifically allocated for investment in enabling technologies to reduce the insider threat?

| Response | FY 2014 |
|---|---|
| Yes, it is part of the overall IT budget | 40% |
| Yes, it is not part of the IT budget | 17% |
| No | 43% |
| Total | 100% |

*Data not available in FY2011

Q13b. If part of the overall IT budget, what is the percentage allocated to insider threat technology investments?

| Percentage of IT budget | FY 2014 |
|---|---|
| < 1% | 2% |
| 1% to 2% | 5% |
| 3% to 4% | 8% |
| 5% to 6% | 21% |
| 7% to 8% | 30% |
| 9% to 10% | 15% |
| 11% to 15% | 11% |
| 16% to 20% | 5% |
| > 20% | 3% |
| Total | 100% |

*Data not available in FY2011

Q14. What one statement best describes your organization’s preference for investing in insider threat mitigation technologies versus making existing tools work?

| Response | FY 2014 |
|---|---|
| We are more likely to buy new tools built specifically for mitigating insider threats | 41% |
| We are more likely to make existing tools work | 33% |
| We are equally likely to buy new tools or make existing tools work | 21% |
| Cannot determine | 5% |
| Total | 100% |

*Data not available in FY2011

Part 2. Scenarios: How likely would it be for the following events to occur within your organization?

| Very likely & likely response combined | FY 2014 | FY 2011 |
|---|---|---|
| Q15. The organization assigns privileged access rights that go beyond the individual’s role or responsibilities. | 54% | 55% |
| Q16. Privileged users are pressured to share their access rights with others in the organization. | 40% | 41% |
| Q17. Social engineers outside the organization target privileged users to obtain their access rights. | 45% | 30% |
| Q18. Malicious insiders target privileged users to obtain their access rights. | 47% | 21% |
| Q19. Privileged users are not properly vetted or have their backgrounds checked prior to receiving their access rights. | 38% | 34% |
| Q20. Privileged users become disgruntled and leak data or damage equipment. | 27% | 28% |
| Q21. Privileged users access sensitive or confidential data because of their curiosity. | 65% | 68% |
| Q22. Privileged users believe they are empowered to access all the information they can view. | 73% | 71% |
| Q23. Privileged users who leave the organization continue to have access rights for a period of time after their discharge. | 15% | 16% |
| Q24. Privileged users working from a home office have administrative or root level access rights. | 41% | 35% |
| Average | 45% | 41% |

Part 3. Privileged user access governance

Q25. Please check all 12 of the enabling security technologies below that are used by your organization.

| Technology | FY 2014 | FY 2011 |
|---|---|---|
| Enterprise role lifecycle management | 42% | 43% |
| Access request system | 38% | 38% |
| Access policy automation | 35% | 32% |
| Access review and certification system | 28% | 31% |
| Privileged user management | 50% | 43% |
| Security information and event management (SIEM) | 54% | 48% |
| Access policy automation for the cloud | 36% | 32% |
| Log and configuration management | 64% | 56% |
| User provisioning systems | 60% | 63% |
| Authentication and identity management | 72% | 68% |
| Host-based auditing* | 17% | |
| Endpoint monitoring* | 49% | |
| Average | 45% | 45% |

Q26. What types of data do you consider to be most at risk in your organization due to the lack of proper access controls over privileged users? Top two choices.

| Data type | FY 2014 | FY 2011 |
|---|---|---|
| Customer information | 49% | 54% |
| Consumer information | 26% | 19% |
| Employee information | 35% | 35% |
| Financial information | 15% | 13% |
| General business information | 56% | 51% |
| Corporate intellectual property | 33% | 12% |
| Classified information* | 29% | |
| Total | 35% | 184% |

Q27. What type of applications do you consider to be most at risk in your organization due to the lack of proper access governance and control? Please select the top three.

| Application type | FY 2014 | FY 2011 |
|---|---|---|
| Finance/ERP applications | 10% | 13% |
| CRM applications | 17% | 20% |
| Supply chain management applications | 13% | 15% |
| Revenue generating applications | 5% | 12% |
| Business unit specific applications | 33% | 34% |
| Human resource applications | 20% | 25% |
| Productivity applications | 16% | 21% |
| Knowledge applications | 21% | 31% |
| Cloud-based applications | 38% | 35% |
| Social media applications | 39% | 51% |
| Peer-to-peer database* | 34% | |
| Mobile applications | 48% | 41% |
| Total | 294% | 298% |

Q28. What best describes the process for assigning privileged user access to IT resources in your organization today? Please select one best choice.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| An “ad hoc” process | 49% | 51% |
| Determined by well-defined policies that are centrally controlled by corporate IT | 35% | 31% |
| Determined by well-defined policies that are controlled by business or application owners | 15% | 16% |
| Unsure | 1% | 2% |
| Total | 100% | 100% |

Q29. Who in your organization is most responsible for granting privileged user access to information resources? Top two choices.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Information technology operations | 40% | 40% |
| Information security department | 10% | 11% |
| Compliance department | 17% | 16% |
| Business unit managers | 51% | 43% |
| Application owners | 35% | 38% |
| Human resource department | 21% | 25% |
| Unsure | 7% | 6% |
| Total | 181% | 179% |

Q30. What processes are used for granting privileged user access to IT resources: Please select the top two.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Manual process (i.e. email or phone) | 40% | 22% |
| Homegrown access request systems | 17% | 16% |
| Commercial off-the-shelf automated solutions | 57% | 35% |
| IT Help Desk | 36% | 20% |
| Unsure | 0% | 1% |
| Other | 5% | 6% |
| Total | 155% | 100% |

Q31. What processes are used to review and certify privileged user access? Please select the top two.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Manual process (i.e. email, spreadsheets) | 46% | 23% |
| Homegrown access certification system | 17% | 18% |
| Commercial off-the-shelf access certification system | 44% | 31% |
| IT Help Desk | 8% | 3% |
| Unsure | 10% | 16% |
| Other | 7% | 9% |
| Total | 132% | 100% |

Q32. Who within your organization is most responsible for conducting privileged user role certification?

| Response | FY 2014 | FY 2011 |
|---|---|---|
| IT security | 24% | 23% |
| Business units | 36% | 32% |
| Audit | 5% | 4% |
| Compliance | 15% | 9% |
| Quality assurance | 2% | 3% |
| Data center management | 7% | 5% |
| Other | 11% | 24% |
| Total | 100% | 100% |

Q33. How does your organization detect the sharing of system administration access rights or root level access rights by privileged users? Please select the top two.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Technology-based identity and access controls | 33% | 20% |
| Manually-based identity and access controls | 12% | 13% |
| A combination of technology and manually-based identity and access controls | 33% | 36% |
| Access to sensitive or confidential information is not really controlled | 9% | 13% |
| We are unable to detect sharing of access rights | 7% | 6% |
| Unsure | 6% | 12% |
| Total | 100% | 100% |

Q34. How well does your organization ensure privileged user access policies for the following tasks are strictly enforced? Combined excellent and good response.

| Task | FY 2014 | FY 2011 |
|---|---|---|
| Assigning access based on job function or responsibilities | 42% | 40% |
| Revoking or changing privileged access rights as needed when an employee’s job or function changes or their relationship with the organization is terminated | 41% | 45% |
| Enforcing access policies in a consistent fashion across all information resources in the organization | 26% | 23% |
| Monitoring privileged users’ access when entering administrative root level access areas | 37% | 34% |
| Enforcing segregation of duties requirements | 55% | 51% |
| Providing evidence of compliance with regulations and industry mandates | 70% | 67% |
| Understanding privileged user entitlements that are out of scope for a particular role | 36% | 35% |
| Understanding privileged user entitlements that violate policy | 30% | 28% |
| Vetting privileged users through background security checks before granting access rights | 41% | 39% |
| Average | 42% | 40% |

Q35a. How confident are you that your organization has enterprise-wide visibility for privileged user access and can determine if these users are compliant with policies?

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Very confident | 16% | 15% |
| Confident | 18% | 15% |
| Somewhat confident | 22% | 23% |
| Not confident | 42% | 45% |
| Unsure | 2% | 2% |
| Total | 100% | 100% |

Q35b. If “not confident,” please select one main reason.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| We can’t create a unified view of privileged user access across the enterprise | 51% | 44% |
| We only have visibility into privileged user account information but not entitlement information | 9% | 12% |
| We can’t apply controls that need to span across information resources | 10% | 15% |
| We can’t keep up with the changes occurring to our organization’s IT resources (on-boarding, off-boarding and outsourcing for management) | 30% | 29% |
| Total | 100% | 100% |

Q36. What are the critical success factors for governing, managing and controlling privileged user access across the enterprise? Very important and important response combined.

| Success factor | FY 2014 | FY 2011 |
|---|---|---|
| Senior level executive support | 65% | 66% |
| Ample budget | 88% | 90% |
| Identity and access management technologies | 86% | 87% |
| SIEM and network intelligence technologies | 75% | 78% |
| Clearly defined privileged user access policies and procedures | 44% | 45% |
| Accountability for governing user access owned by the business | 51% | 53% |
| Privileged access rights assigned based on job function and responsibilities | 63% | 61% |
| Compliance controls consistently applied across the enterprise | 52% | 45% |
| Ability to automatically remediate privileged user access policy violations | 61% | 56% |
| Monitor access inactivity to determine if access should be revoked | 61% | 63% |
| Audits by an independent third-party | 36% | 27% |
| Background checks before granting privileged access rights | 56% | 48% |
| Average | 62% | 60% |

Q37. What are the main problems your organization faces in delivering and enforcing privileged user access rights? Please select only your top three choices.

| Response | FY 2014 | FY 2011 |
|---|---|---|
| Takes too long to deliver access to privileged users (not meeting our SLAs with the business) | 44% | 32% |
| Too expensive to monitor and control all privileged users | 30% | 38% |
| Too much staff required to monitor and control all privileged users | 16% | 23% |
| Cannot apply access policy controls at point of change request | 22% | 27% |
| Delivery of access to privileged users is staggered (not delivered at the same time) | 5% | 8% |
| Cannot keep pace with the number of access change requests that come in on a regular basis | 62% | 53% |
| Lack of a consistent approval process for access and a way to handle exceptions | 45% | 52% |
| Difficult to audit and validate privileged user access changes | 29% | 35% |
| Burdensome process for business users requesting access | 35% | 23% |
| No common language exists for how access is requested that will work for both IT and the business | 4% | 5% |
| Other (please specify) | 0% | 2% |
| Total | 292% | 298% |

Part 4. More scenarios. In your opinion, how will each of the following situations affect your organization’s access governance process, especially concerning privileged users? Please use the scale from very significant impact to no effect.

| Situation | FY 2014 | FY 2011 |
|---|---|---|
| Q38. Increasing number of regulations or industry mandates | 62% | 60% |
| Q39. Adoption of cloud-based applications enables the business or end users to circumvent existing access policies | 71% | 65% |
| Q40. Outsourcing of applications and data for management | 36% | 45% |
| Q41. The constant turnover (ebb and flow) of employees, contractors, consultants and partners | 41% | 43% |
| Q42. Availability of SIEM and other network intelligence technologies | 56% | 57% |
| Q43. Constant changes to the organization as a result of corporate reorganizations, downsizing and financial distress | 27% | 32% |
| Q44. Adoption of virtualization technologies | 48% | 56% |
| Q45. Expanded use of mobile devices in the workplace | 76% | 48% |
| Q46. Change in the nature and scope of cyber crime | 71% | 65% |
| Q47. The level of risk caused by privileged users abuse or misuse of IT resources | 26% | 19% |
| Average | 51% | 49% |

Part 5. Your role

D1. What organizational level best describes your current position?

| Response | FY 2014 |
|---|---|
| Senior Executive/VP | 3% |
| Director | 16% |
| Manager | 23% |
| Supervisor | 16% |
| Technician | 33% |
| Staff | 4% |
| Contractor | 5% |
| Other | 0% |
| Total | 100% |

D2. Check the Primary Person you or your IT security leader reports to within the organization.

| Response | FY 2014 |
|---|---|
| CEO/Executive Committee | 0% |
| Chief Financial Officer | 2% |
| General Counsel | 0% |
| Chief Information Officer | 56% |
| Chief Technology Officer | 9% |
| Compliance Officer | 7% |
| Human Resources VP | 0% |
| Chief Security Officer | 1% |
| Chief Information Security Officer | 16% |
| Chief Risk Officer | 9% |
| Other | 0% |
| Total | 100% |

D3. What is the worldwide headcount of your organization?

| Headcount | FY 2014 |
|---|---|
| < 500 | 15% |
| 500 to 1,000 | 19% |
| 1,001 to 5,000 | 31% |
| 5,001 to 25,000 | 19% |
| 25,001 to 75,000 | 9% |
| > 75,000 | 7% |
| Total | 100% |

D4. What industry best describes your organization’s industry focus?

| Industry | FY 2014 |
|---|---|
| Agriculture & food services | 0% |
| Communications | 3% |
| Consumer | 6% |
| Defense & aerospace | 2% |
| Education & research | 1% |
| Energy & utilities | 4% |
| Entertainment & media | 3% |
| Federal government | 11% |
| Financial services | 18% |
| Health & pharmaceutical | 8% |
| Hospitality | 3% |
| Industrial | 5% |
| Retail | 6% |
| Services | 8% |
| State or local government | 12% |
| Technology & software | 6% |
| Transportation | 2% |
| Other | 2% |
| Total | 100% |

About Raytheon

Raytheon Company, with 2013 sales of $24 billion and 63,000 employees worldwide, is a technology and innovation leader specializing in defense, security and civil markets throughout the world. With a history of innovation spanning 92 years, Raytheon provides state-of-the-art electronics, mission systems integration and other capabilities in the areas of sensing; effects; and command, control, communications and intelligence systems, as well as cyber security and a broad range of mission support services. Raytheon is headquartered in Waltham, Mass. For more about Raytheon, visit us at www.raytheon.com and follow us on Twitter @Raytheon.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or organization identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
