Excessive 'privilege' is still a gaping security hole

Why controlled privilege is the foundation of good security

Brian, for the uninitiated, what exactly are 'admin rights' and privilege management?

For most purposes, admin rights can be loosely defined as being the set of rights granted to either a root user (Linux, Unix, Mac OS X) or an administrator account (Windows), as opposed to standard user rights.

One of the biggest security issues in organisations is that admin rights are given too often and for a couple of common reasons: first, many users want to have control over their own desktops (who wants to wait until the IT department can get around to installing that vital piece of application software that you need?). Second is the perception that putting the onus on the user also reduces overall IT support costs (for example, fewer calls to the IT helpdesk), but the truth here is actually quite the opposite.

Privilege access or privilege identity management is the name given to the process of managing those rights: in other words, who has access to what. It matters because admin rights open up gaping security holes, however careful a company might think it is being. It's one thing to have a multi-layered investment in security software, but if Miss Jones in accounts is allowed to download a piece of software that turns out to contain malware that wreaks havoc all over the organization, then those big investments are in vain.

Do you have any insight into what the scale of the problem is?

Over 70% of known vulnerabilities in Windows 7 require admin privilege to be exploited. In a survey by BeyondTrust in late 2013, it was discovered that 44% of respondents knew that there were users in their company with excess account privilege, 65% had implemented so kind of control for this privilege and 54% knew that their users could circumvent those controls.

Forrester reported a couple of years ago that around 43% of data breaches are from internal sources. A Verizon report states that in 2011, 98% of data breaches came from external agents, but goes on to suggest those attacks were successful because they were enabled in part by human error or ignorance. By 2012, this had only dropped 6% to 92%. In short, as long as there are users with excessive privilege, companies are leaving the door wide open for this to happen each and every day.

Of course, those figures are going to vary but I'd argue we haven't seen much improvement. There have been some pretty high profile examples of where admin rights or excessive privilege have enabled data to be leaked or security breached, Target being one of the most recent examples.

Can you provide some examples of what actually goes wrong?

A hacker gaining access to a company network has to be extremely lucky to find themselves with access to a system with sensitive or valuable data as their initial point of entry. Most exploits happen on a system that has lower security, usually because it's not holding any sensitive data. Once on that system the hacker needs to find a privileged account to allow them to make lateral moves through the system until they find some useful data.

Once they've got that privileged account they aren't hacking any more: they start acting like an internal employee. So they're inside the organisation and behaving like – and treated like – anyone else with that level of admin rights. It's a bit like allowing a guest into the company foyer, not bothering with a security pass and while you're at it, giving them a set of keys to all of the doors, desks and file cabinets in the building. All this can stem from just a simple innocuous action, such as downloading an unauthorised application that brings in malware and gives the attacker a way into the organisation.

And of course, let's not forget that the 'insider threat' isn't just about allowing external attackers to imitate internal users: there have been some cases where employees have abused their privilege to access or distribute sensitive and confidential information.