Another example of privileged access being abused recently made headlines – this time with the FBI’s National Crime Information Center (NCIC) database. According to the story, a New York police detective logged onto the NCIC database and looked up personal information on colleagues that had nothing to do with his duties as a law enforcement officer.
According to the FBI website, the NCIC database serves 90,000 agencies and gets 9 million entries a day by users seeking information on stolen guns and cars, fugitives, sex offenders, orders of protection and other subjects. The NY police department assigns login names and passwords that allow supervisors to manually track login usage to the NCIC database.
Employees, law enforcement officers included, who have boundless privilege to access sensitive data present a greater risk of intentionally, accidentally or indirectly misusing that privilege and potentially stealing, deleting or modifying data. This presents a very fine line between intent and action, especially when excessive privileges on IT resources are involved. Human nature is the weakest link when it comes to the intersection of people, process and technology – the three tenets of security.
The technology is only as good as the people and processes that are put into place. If the people who manage these technologies decide to circumvent the technology’s ability to enforce policies, make an exception, ignore violations, or fail to institute sufficient supervisory mechanisms, then the technology will fail. It appears that in this case the process around accessing the FBI’s NCIC database is based purely on having a badge, with the only oversight being supervisors who manually monitor login habits. Trust is not a technology for any agency or organization to rely on.
At EiQ Networks, we believe organizations need to implement security best practices, such as the SANS 20 Critical Security Controls, to protect against cyber attacks and espionage. Recently we launched ThreatVue, the first closed-box security monitoring solution that automates the analysis of those essential security controls and delivers the key security intelligence that an organization needs to know.