The principle of least privilege is a best practice constantly preached by access control experts, but according to a new survey, many enterprises still struggle to control and monitor user access rights.
As part of its recent "Privilege Gone Wild" survey, Phoenix-based security vendor BeyondTrust Inc. asked 265 IT security managers and network/systems engineers about the privileges and access rights granted to users at their organizations. The results showed many employees are granted access rights beyond what they need to do their jobs, opening up enterprises to a multitude of unnecessary risks.
When asked whether employees at their current organizations have unneeded access rights, 45% of the IT pros surveyed said "yes," with more than 80% of respondents thinking users are at least somewhat likely to access sensitive information out of curiosity. Perhaps more worryingly, 65% of those surveyed said their organization had controls in place to monitor access rights, but more than half of those respondents divulged that they or others within their organization were able to circumvent the controls.
Marc Maiffret, chief technology officer for BeyondTrust, was shocked by the results. He said security pros have been preaching the importance of actively managing user rights for 15 years, which filled him with confidence that organizations were doing just that. Unfortunately, the survey results suggested many companies are still failing to adequately manage
"It was eye opening that companies just aren't doing this as much as I honestly would have believed," Maiffret said.
In particular, Maiffret was disappointed that the widely discussed concept of least privilege -- that a user should only be granted the least amount of access necessary to accomplish their tasks -- is not being adhered to by so many organizations. Two-thirds of the IT pros surveyed admitted their organizations were at least somewhat likely to provide access rights to users that were outside the scopes of their roles.
He said this was often the result of applications that need to be run with elevated permissions. In such instances, IT departments will typically give users local administrator rights over their laptop or workstation, which makes the machines more susceptible to malware and, perhaps more importantly, according to Maiffret, gives attackers extra privileges that can be utilized to move through the corporate network undetected.
Still, Maiffret conceded that out-of-the-box versions of Microsoft Windows don't provide administrators with the granular controls needed to allow users to run individual applications with elevated permissions, posing a barrier to organizations that are aware of this issue, yet are unable to solve it without inhibiting user productivity.
Privilege auditing is another problematic area of access rights management for many organizations. Maiffret noted a recent BeyondTrust customer that had a mostly Windows-based environment, but also a handful of Linux systems that were being managed as individual servers outside the boundaries of Active Directory (AD). The customer had given an employee special permissions for the servers, but a year after the employee left the organization, the client discovered the account was still active, though thankfully, unused.
Maiffret said many organizations fail to keep up with special permissions and other "one-off" accounts given to users for specific purposes, such as file servers on different domains. He specifically recommended that a company review the privileges given to any user when he or she leaves the organization. Though enterprises are often aware enough to disable a user's primary account connected to Active Directory, such one-off accounts are commonly forgotten. These one-off accounts, particularly those outside of AD, are especially tempting targets for attackers because they usually lack password policy enforcement and hence are trivial for knowledgeable attackers to compromise.
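One way a defender could operationalise the review Maiffret recommends for Linux accounts outside AD, as an added example that is not from the article or from BeyondTrust: the script parses constructed /etc/shadow-style records against a constructed staff roster and flags accounts that still accept a password but have no current owner, have password aging disabled, or have a stale password. The account names, hashes, roster and day counts are all constructed.

```python
"""Added example: audit local Linux accounts that live outside Active Directory.

Parses /etc/shadow-style records (constructed sample data below, not real
accounts) and flags accounts that can still authenticate but belong to no
current employee, have password aging disabled, or have a stale password.
"""
from typing import Dict, List, Set

# Constructed /etc/shadow records. Field order (see shadow(5)):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
# "lastchange" is in days since 1970-01-01, as in the real file.
SAMPLE_SHADOW = """\
root:$6$constructed1:19000:0:99999:7:::
svc_backup:$6$constructed2:18500::::::
j_doe:$6$constructed3:18200:0:90:7:::
alice:$6$constructed4:19700:0:90:7:::
daemon:*:18000:0:99999:7:::
"""

# Constructed roster of current staff (e.g. exported from AD or HR) and of
# local accounts that are expected to exist without a human owner.
CURRENT_STAFF: Set[str] = {"alice"}
KNOWN_SYSTEM_ACCOUNTS: Set[str] = {"root"}


def audit_shadow(text: str, today: int, staff: Set[str],
                 system_accounts: Set[str], stale_days: int = 365) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts that need review.
    `today` is days since the epoch, matching the shadow lastchange field."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pwhash, lastchg, _min, maxage, *_rest = line.split(":")
        # "*" or a leading "!" means no password login is possible, so these are
        # not the orphaned-but-still-usable accounts the survey describes.
        if pwhash == "*" or pwhash.startswith("!"):
            continue
        reasons: List[str] = []
        if pwhash == "":
            reasons.append("empty password field (logs in without a password)")
        if name not in staff and name not in system_accounts:
            reasons.append("account owner not in current staff roster")
        if maxage in ("", "99999"):
            reasons.append("password aging disabled (no max age)")
        if lastchg and today - int(lastchg) > stale_days:
            reasons.append(f"password unchanged for {today - int(lastchg)} days")
        if reasons:
            findings[name] = reasons
    return findings
```

Run against a real host's /etc/shadow (root required) with `today` set to the current day count and the roster exported from the directory, and anything it reports is a candidate for the leaver review described above.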
Ultimately, Maiffret hopes the BeyondTrust survey will serve to raise awareness among enterprise security pros that, even though the principle of least privilege is oft discussed, too many users are being granted excessive access rights and creating needless opportunities for attackers.
"It's repeated all the time by security practitioners about the importance of users and what they have access to, and how much access rights, and not running as the administrator," he said. "And so there's definitely that kind of disconnect that we're all kind of saying it, but in a lot of the cases, it's not actually being done."