NOBODY LIKES to give up their privileges. But in cybersecurity, having too many privileges is a liability.
To avoid the liability, businesses should ensure users, both internal and external, have only the system permissions they need for their jobs.
With internal users, organizations often allow employees to hang on to privileges long after they’re required, says Michael B. O'Hara, CISSP, principal consultant/owner of MEDSEC Privacy Consulting. And that couldn’t make hackers happier.
“One of the favorite conditions for a hacker is scope creep because it’s one-stop shopping. It’s the Costco for hackers,” O’Hara says.
The more permissions you have, the bigger target you become. If a hacker steals your credentials, they gain access to more network assets than if your privileges were confined to your role in the company.
One major cause of so-called “permissions drift” is people getting promoted, says O’Hara. Along the way, the person receives more access rights but never forfeits those they no longer need for their current responsibilities.
The issue isn’t limited to internal users. In its January SaaS Application Security Insights report, security vendor SaaS Alerts warned that the guest accounts some organizations create for visitors, partners, contractors, and suppliers are also a problem.
“External users are frequently granted the same permissions as internal staff, including privileged access. Guest User Accounts set up for contractors and external parties often persist longer than intended and well beyond the completion of services by the contractor,” the report says.
Currently, 42% of the 129,000 SaaS accounts monitored by SaaS Alerts are guest accounts, the report says. “For many organizations, the unmonitored use of Guest User Accounts has resulted in data being exposed.”
Permissions drift can happen even when companies have policies on user privileges. “Most organizations don’t even realize they need these policies and procedures, and if they have them, they’re only paying lip service to them,” says O’Hara.
To address the problem, he recommends the following:
- Conduct a risk assessment. To determine what policies an organization should enforce, it needs to understand its security posture and address existing gaps.
- Define and implement policies and procedures. This should include a least-privileges policy to prevent drift.
- Follow through. Enforce the policies. Every time someone’s role changes, their privileges should be reassessed. O’Hara stresses: “It should be: This is our culture, this is how we live, eat, and breathe.”
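As an added illustration of the "follow through" step above (example code, not from the article or from O'Hara), a small audit that compares each user's current grants against a role baseline to surface drift, and flags guest accounts that have outlived their engagement end date. The roles, users, dates and permission names are constructed for the example.

```python
# Added example (not from the article): detect permission drift against a
# role baseline and flag guest accounts that persist past their end date.
from datetime import date

# Constructed role baseline: the permissions each role actually needs.
ROLE_BASELINE = {
    "analyst": {"tickets:read", "reports:read"},
    "manager": {"tickets:read", "reports:read", "reports:approve"},
    "contractor": {"tickets:read"},
}

# Constructed directory export. "ends" is the engagement end date for
# guest accounts and None for employees.
USERS = [
    # alice was promoted from a billing role and kept "billing:admin".
    {"name": "alice", "role": "manager", "guest": False, "ends": None,
     "grants": {"tickets:read", "reports:read", "reports:approve", "billing:admin"}},
    {"name": "bob", "role": "analyst", "guest": False, "ends": None,
     "grants": {"tickets:read", "reports:read"}},
    # Guest account for a contractor whose engagement ended last year.
    {"name": "vendor-carol", "role": "contractor", "guest": True,
     "ends": date(2023, 11, 30),
     "grants": {"tickets:read", "reports:approve"}},
]

TODAY = date(2024, 1, 15)  # constructed audit date


def excess_permissions(user, baseline=ROLE_BASELINE):
    """Grants the user holds beyond what their current role requires."""
    return sorted(user["grants"] - baseline.get(user["role"], set()))


def audit(users, today=TODAY, baseline=ROLE_BASELINE):
    """Return (user, finding, detail) tuples for drift and expired guests."""
    findings = []
    for u in users:
        extra = excess_permissions(u, baseline)
        if extra:
            findings.append((u["name"], "drift", extra))
        if u["guest"] and u["ends"] is not None and u["ends"] < today:
            days_over = (today - u["ends"]).days
            findings.append((u["name"], "expired_guest", days_over))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS):
        print(finding)
```

Running the block as-is reports alice's leftover billing grant, the contractor's out-of-role approval grant, and the guest account that is 46 days past its end date.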
MSPs, O’Hara says, should help clients develop these policies. And they need to lead by example—by ensuring they implement and enforce the same rules internally.
PEDRO PEREIRA is a freelance writer in New Hampshire who has covered the IT channel for two decades.