Privilege Abuse: Don’t Let Employee Access ‘Level Up’
Cracking the code, beating the “boss,” discovering a lost key or “Easter egg” are all ways that players can level up in video games. The search for the next phase can be exhilarating, leaving players desperate to find ways to get there. Once they enter the new level, players get access to new tools, powers and other components to help them ultimately win. Along the way, players can use websites and forums to learn cheat codes and tricks to get them to the end of the game faster.
In many ways, network infrastructure design is similar to a video game. Different tiers of employees have access to escalating levels of information and are granted entitlements based on their role, seniority, or other factors. Typically, access to sensitive information and critical systems is limited to privileged users such as IT and network administrators. Unlike in video games, however, the goal is to reduce the ability for average employees – or worse, outside adversaries – to “level up.”
Employees and contractors are the number-one cause of data breaches. Without a security protocol in place, employees can easily gain access to sensitive information and increase the risk of data being leaked. This can happen by accident, because of sloppy or lacking privileged access management (PAM) or through the interference of a cyber adversary. Think of the components of PAM as the player’s nemesis – at each gameplay level, obstacles are in place to stop them from getting to the next stage. Here’s how this can happen, as well as the consequences, and how organizations can keep those employees from reaching the “final boss.”
How Employees Might Improperly Elevate Their Privilege
There are a few ways that employees can “level up” their privileged access. One of the most common is when organizations fail to limit who has access to sensitive information or systems. The more employees who are granted access, the greater the likelihood of information being leaked. Without proper protection, a hardworking employee just trying to finish a project might download a restricted document from the server and accidentally attach it to an email. When the user clicks “Send,” the information can spread to another team member, customer, partner or third party.
Too much access is also a danger in the case of a disgruntled or former employee. When organizations fail to monitor or revoke that employee’s identity and its entitlements, an angry employee, whether furloughed, denied a raise or fired, might sell intellectual property (IP) or customer or employee information (such as social security numbers, addresses and more) to a competitor or adversary for profit. If a former employee’s credentials are not cut off, that person retains access to sensitive data, applications and systems even after leaving the company.
Employees can also increase their privileges simply by logging in with a privileged user’s account. Forrester estimates that 80 percent of security breaches now involve default, lost, stolen or otherwise compromised privileged credentials. According to NordPass’s recent password report, over 2.5 million users are still using “123456” as a password. With a bit of time and a little luck, lower-level employees can guess the credentials of a privileged account and pose as the legitimate user. Compared to external threats, they likely have extensive personal knowledge of the privileged employee, which can be a major advantage when guessing passwords.
Threat actors also recognize the value of insider threats. Just as a standard employee can pose as a privileged user, cyber adversaries can do the same. Hackers will look for ways to access confidential information and systems or manipulate vulnerable employees, often by watching social media accounts to look for individuals publicly sharing job dissatisfaction or a job move. Through phishing campaigns, social engineering techniques, digital scanners, password sniffers or any combination of these, hackers can gain access to an employee’s login information. The most hardened security perimeters will not recognize this as an attacker, as it will look like a legitimate user. After they gain access, an adversary will gather an understanding of their surroundings and look for ways to elevate access privilege in order to extract data or disrupt the company with distractions like ransomware.
What Happens When an Employee ‘Levels Up’
Whether the employee is a legitimate user who has accessed information by mistake or an adversary looking for a payday, there are devastating consequences for organizations if sensitive information is not protected.
Some examples of damage caused by an employee gaining access to sensitive information include:
- In the spring of 2019, two employees of General Electric (GE) were charged with stealing IP, such as computer models for calibrating turbines and some marketing and pricing information, in order to start a new company to compete with GE.
- A former Tampa-area hospital employee was able to gain access to patient forms and was convicted for filing fraudulent tax returns.
- At the end of July 2019, a former Amazon employee was able to gain access to the personal and financial data of more than 100 million Capital One customers after scanning cloud customers for a specific web application firewall misconfiguration on Amazon Web Services. The exposed data left customers vulnerable to cyberattacks and identity theft.
From millions of dollars in reputational and financial damage to potential criminal charges, organizations are often ill-equipped to handle the consequences of an employee, or an adversary posing as one, gaining too much access to sensitive information. Luckily, there are steps businesses can take to protect themselves.
It’s Game Over With Least Privilege
To put an end to unauthorized access to sensitive systems and information, organizations first must identify shared administrative accounts and vault them. All other privileged users should be governed by least-privilege controls. A system must be put in place to verify who is requesting access and why, and to assess the risk of the environment they are logging into. To finally say “game over” to unnecessary or improper privilege elevation, businesses must:
- Establish the concept of least privilege. Any employee can fall victim to an adversary’s attack or become the hacker themselves, and security architecture must be structured with this idea in mind. Companies should strive for zero standing privileges, closing privileged access once a task is complete so systems and data are not left open for attackers to use.
- Enforce segregation of duties. Separating duties, especially for sensitive processes and tasks, ensures that no individual has more access than is absolutely needed to do their job. Businesses can then leverage so-called “identity access zones” to tie a user’s rights to the resources they need daily based on their role.
- Implement access requests and approval workflows. Govern privilege elevation with self-service access requests and multi-level approvals. This will provide visibility into who approved access and the context associated with the request.
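The three controls above fit together as one workflow: a privilege is requested with a reason, approved by people other than the requester, opened for a bounded window and then closed again, with every step recorded. The following is an added example (not code from the article or any PAM product) of a minimal just-in-time elevation broker that models this; the role names, approver counts and the 15-minute grant window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: approvals needed per privileged role, and how long
# a grant stays open before it closes on its own (zero standing privileges).
REQUIRED_APPROVALS = {"db-admin": 2, "helpdesk-reset": 1}
MAX_TTL = timedelta(minutes=15)

@dataclass
class Request:
    requester: str
    role: str
    reason: str
    approvers: set = field(default_factory=set)
    expires: datetime = None  # set only once enough approvals are in

class JitBroker:
    """Hypothetical broker: records every request and approval for later review."""
    def __init__(self):
        self.audit = []  # append-only: (time, event, actor, role, detail)

    def request(self, user, role, reason, now):
        if role not in REQUIRED_APPROVALS:
            raise ValueError(f"unknown privileged role: {role}")
        if not reason.strip():
            raise ValueError("every elevation needs a stated reason")
        self.audit.append((now, "requested", user, role, reason))
        return Request(user, role, reason)

    def approve(self, req, approver, now):
        # Segregation of duties: no self-approval; one approver counts once.
        if approver == req.requester:
            raise PermissionError("self-approval is not allowed")
        req.approvers.add(approver)
        self.audit.append((now, "approved", approver, req.role, req.reason))
        if req.expires is None and len(req.approvers) >= REQUIRED_APPROVALS[req.role]:
            req.expires = now + MAX_TTL
            self.audit.append((now, "granted", req.requester, req.role, req.expires.isoformat()))

    def is_elevated(self, req, now):
        # Access exists only inside the granted window; nothing is left standing.
        return req.expires is not None and now < req.expires

def demo():
    """Walk one constructed request through the workflow; returns (audit events, status list)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = JitBroker()
    r = b.request("alice", "db-admin", "rotate replication password", t0)
    b.approve(r, "bob", t0)                          # 1 of 2 approvals
    b.approve(r, "bob", t0 + timedelta(minutes=1))   # duplicate approver, does not count
    status = [b.is_elevated(r, t0 + timedelta(minutes=1))]
    b.approve(r, "carol", t0 + timedelta(minutes=2)) # 2 of 2, grant opens for 15 minutes
    status += [b.is_elevated(r, t0 + timedelta(minutes=10)),
               b.is_elevated(r, t0 + timedelta(minutes=20))]
    return [e[1] for e in b.audit], status
```

The audit list answers the question the third bullet raises (who approved, when, and for what reason), and the expiry check shows access disappearing on its own once the window closes.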
Reaching a new level in Fortnite or Super Smash Brothers can be exciting, but the same cannot be said for employees gaining access to critical data. By establishing the concept of least privilege, enforcing segregation of duties and implementing access requests and approval workflows, organizations can defeat privilege abuse once and for all.