Reversing the hidden risk of permission creep

Issue 6 2022 Cyber Security

Does the following scenario ring true? An employee starts at the bottom, working their way up through the organisation. As they are promoted, they require access to different applications and files. Within a couple of years, they have accrued an impressive number of permissions on their user account, even though they don't need many of those privileges.

Now, imagine someone gets their hands on that well-permissioned account – what could they do? If it's a criminal, they can unleash a very effective and widespread ransomware attack. If it's the employee, they might consider committing fraud, stealing competitive business information or causing damage in self-righteous rage. Whatever the scenario, user accounts are the preferred way to compromise business technologies.

"It's not even a claim that needs qualification anymore. Whether you look at reports from Gartner, Microsoft or other sources, compromised user accounts are almost always at the root of successful breaches. It has inspired a surge of identity-driven security, such as zero-trust and data-centric privilege management. But if we look at the source of the problem, it's usually because user accounts gain too many access rights," says Paul Green, head of Microsoft Identity and Access at cybersecurity company, Performanta.

The source of permission creep

Permission creep, also called access creep and privilege creep, is when a user account has permissions it doesn't require. This creep can occur in two ways: employees can attain permissions as their career evolves within the organisation, or they might gain temporary permissions for projects or events that are never withdrawn.

It's tempting to blame administrators for such oversights, but permission creep can often occur to meet business needs. For example, an entire team might gain specific permissions because a few members require those access levels. Whole departments could enjoy access to certain information to accommodate specific staff members.

Overlaps between different parts of the business also create elaborate permissions – legal and HR working on employment contracts might require both groups to access resources they'd typically not need. Then there is the matter of ego: people like the status of access privileges, and higher-ranking employees – especially executives – can expect or demand access just because they feel entitled to it.

"User permissions can look very simple, like a bouncer with a guest list – how complicated could it really be?" says Green. "But when you deal with numerous business systems, file storage, collaboration environments and overlapping projects, it's very easy to assign permissions and lose track of who can do what."

Newer developments such as cloud services and remote working have made permission creep more common and complicated. Most organisations still have to catch up on the issue.

Fixing permission creep

Companies pay close attention to user permissions, at least at the start. It's common practice to have rigid permission rules and policies when creating a new account. But such discipline grows lax as the employee's tenure grows. Overworked administrators are very likely to reflexively grant permissions when asked because they have competing priorities and don't wish to prevent other people from doing their jobs.

It's important to have appropriate access policies that include provisions for permission creep, such as matching roles with appropriate permissions, conducting regular audits on accounts, and stipulating the shelf lives of temporary access. Companies should have formal channels for permission requests, particularly to help protect the integrity of administrators who don’t want managers screaming at them over the phone, demanding access.

Likewise, policies must clarify that nobody is above the privilege line – even the CEO should justify why they need this or that access. Groups used to widespread access, such as IT super users or master administrators, must dampen their expectations – if they don't need the access, they can't have it.

"Look at access from the vantage point of a criminal," says Green. "If they get their hands on an executive or senior IT administrator's account, how much damage can they do and how hard will it be to track them down in your systems? Those are the accounts they target."

Notably, phishing (a fake correspondence attack that tries to steal user credentials) and spear-phishing (the same as phishing, but targeting specific groups or individuals) have risen sharply in recent years.

Yet policy, audits and awareness aren't sufficient. They take time and are prone to human error. Companies should link their user management and HR systems, using business rules to determine access. It's becoming best practice to integrate HR data with an access management system such as Active Directory and a robust identity management platform where rules automate permission choices.

"The best way to manage user accounts is to automate them through HR data. If someone is promoted, they automatically gain and lose certain permissions. If someone leaves the company, their access is automatically revoked. Temporary rules can cover certain project or user groups, with built-in expirations. If you combine automated identity management, access policies and privilege audits, you'll reduce and contain permission creep,” says Green.

There are many ways to break into business systems, but getting your hands on an account brimming with different access rights is the easiest and most common method. Criminals and insiders are much greater risks if your organisation doesn't address permission creep. Conversely, a robust access management environment will bolster security and productivity.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Industrial control systems under attack
News Cyber Security
According to Kaspersky ICS CERT statistics, from January to September 2022, 38% of computers in the industrial control systems (ICS) environment in the META region were attacked using multiple means.

OSINT: A new dimension in cybersecurity
Cyber Security
The ancient Chinese strategist Sun Tzu noted, you should always try to know what the enemy knows and know more than the enemy.

Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.

Building a holistic application security process
Altron Arrow Cyber Security
Altron Arrow asks what it means to build a holistic AppSec process. Learn what’s involved in a holistic approach and how to get started.

Managing data privacy concerns when moving to the cloud
Cyber Security
While the cloud offers many business benefits, it can also raise concerns around compliance, and some organisations have taken the approach of staying out of the cloud for this reason.

Accelerating your Zero Trust journey in manufacturing
IT infrastructure Cyber Security Industrial (Industry)
Francois van Hirtum, CTO of Obscure Technologies, advises manufacturers on a strategic approach to safeguarding their businesses against cyber breaches.

The democratisation of threats
Cyber Security
Bugcrowd looks at some of the primary vulnerabilities the world faced in 2021, and the risks moving forward with growing attack surfaces and lucrative returns on crime.

Protecting yourself from DDoS attacks
Cyber Security Security Services & Risk Management
A DDoS attack, when an attacker floods a server or network with Internet traffic to prevent users from accessing connected online services, can be costly in both earnings and reputation.

Exploiting Android accessibility services
Cyber Security
Pradeo Security recently neutralised an application using Android accessibility services that exploits the permission to perform fraudulent banking transactions.

Cyber resilience is more than cybersecurity
Technews Publishing Editor's Choice Cyber Security Integrated Solutions IT infrastructure
Hi-Tech Security Solutions held a round-table discussion focusing on cyber resilience and found that while the resilience discipline includes cybersecurity, it also goes much further.