Time to Reassess Your Network Access Rights

At the heart of the celebrated case of Edward Snowden lies one important fact: The infamous contractor gained access to the trove of documents that he ultimately leaked to journalists by escalating his access rights. And despite this very real poster boy having been in the news for the past several months, many enterprises haven’t done much with reeling in, or even auditing, the access rights they have in place.

In fact, far too many enterprises don’t know how many of their employees have administrative rights to their servers and systems. You’d think that post-Snowden, this would be a no-brainer and that your management would be all over you to lock down your networks. You’d be wrong.

In this report, end users attending a McAfee customer conference said that less than a third of them had actually made any alterations to their administrator rights policies since the NSA breach was publicized. What is worse, 80 percent couldn’t even say who had admin rights to their servers. That’s just downright wrong.

It isn’t as if privilege rights issues began and ended with Snowden’s caper. The issue has been around for literally decades, since the first local area networks were created. Remember the first versions of Windows NT? One of the early exploits was being able to reboot the server with a floppy disk and having total access to its hard drive due to its poor rights management features.

This isn’t just a technical issue, either. From my own checkered employment history, I know that many of my ex-employers didn’t terminate my access rights for days, weeks, or months after my job ended. I’m sure many of you have similar stories. It’s sad how this basic security practice is ignored, especially when no fancy software or hardware is needed. Just vigilance.
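The two gaps described above, not knowing who holds admin rights and leaving access in place after someone's job has ended, are both answerable from an account export. The following is an added example, not code from the original post or from any vendor it mentions: the account records are constructed, and the field names (`user`, `enabled`, `groups`, `last_logon`, `employment_end`) and the admin group names are assumptions for the illustration.

```python
"""Privilege-rights census over an account export.

Added example, not from the original post. The account records are constructed,
and the field names and group names are assumptions for the illustration.
"""
from datetime import date, timedelta

# Groups treated as conferring administrative rights (assumed names).
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Server Operators"}

# Constructed report date for the sample run.
REPORT_DATE = date(2014, 2, 1)

# Constructed sample export, as a join of a directory dump and an HR leaver list
# might produce it. employment_end is None for current staff.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "groups": ["Domain Users", "Domain Admins"],
     "last_logon": date(2014, 1, 20), "employment_end": None},
    {"user": "bob",   "enabled": True,  "groups": ["Domain Users", "Administrators"],
     "last_logon": date(2013, 9, 1),  "employment_end": date(2013, 11, 15)},
    {"user": "carol", "enabled": True,  "groups": ["Domain Users"],
     "last_logon": date(2014, 1, 25), "employment_end": None},
    {"user": "dave",  "enabled": True,  "groups": ["Domain Users", "Server Operators"],
     "last_logon": date(2013, 8, 10), "employment_end": None},
    {"user": "erin",  "enabled": False, "groups": ["Domain Admins"],
     "last_logon": date(2013, 6, 1),  "employment_end": date(2013, 7, 1)},
]


def admin_census(accounts, admin_groups=ADMIN_GROUPS):
    """Which enabled accounts hold admin rights, and through which groups?

    Returns {user: [admin groups]} for enabled accounts only. Disabled accounts
    are not a current exposure, though they still belong on a clean-up list.
    """
    census = {}
    for acct in accounts:
        held = sorted(g for g in acct["groups"] if g in admin_groups)
        if acct["enabled"] and held:
            census[acct["user"]] = held
    return census


def find_orphaned_access(accounts, today=REPORT_DATE, stale_days=90,
                         admin_groups=ADMIN_GROUPS):
    """Flag enabled accounts whose access should already have been reined in.

    Two findings: staff whose employment has ended but whose account is still
    enabled, and admin accounts whose rights have sat unused for longer than
    stale_days (candidates for removal). Returns a sorted list of (user, reason).
    """
    cutoff = today - timedelta(days=stale_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        end = acct["employment_end"]
        if end is not None and end <= today:
            findings.append((acct["user"],
                             f"employment ended {end.isoformat()} but account still enabled"))
            continue  # the orphaned account is the finding; don't also score it as stale
        is_admin = any(g in admin_groups for g in acct["groups"])
        if is_admin and acct["last_logon"] < cutoff:
            findings.append((acct["user"],
                             f"admin rights unused since {acct['last_logon'].isoformat()} "
                             f"(more than {stale_days} days)"))
    return sorted(findings)


if __name__ == "__main__":
    print("Enabled accounts with admin rights:")
    for user, groups in admin_census(ACCOUNTS).items():
        print(f"  {user}: {', '.join(groups)}")
    print("Access that should already have been removed:")
    for user, reason in find_orphaned_access(ACCOUNTS):
        print(f"  {user}: {reason}")
```

On the constructed data the census lists alice, bob and dave; erin is excluded because her account is disabled, which is the state bob's account should also be in. Running the same two functions on a weekly export, and diffing the results against the previous week, is the kind of low-cost vigilance the post is asking for: no new software, just a list that someone actually reads.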

The exploit of privilege escalation is such a popular one that the Open Web Application Security Project has put together a short code example and script that you can use to set up your own tests for Web servers. And as recently as this month, we saw stories about a similar problem with Windows XP that caused Microsoft to issue this security warning.

There are dozens of such warnings for most popular software applications, too, but this might be the final reason anyone needs to rid themselves of XP. One suggestion from McAfee is to use the transition to Windows 7 or 8 as a teaching moment for network IT managers and do a thorough audit and census of their privilege management policies.

If you’re worried and want to do something about it right now, there are vendors who can help you track this information and lock down your admin rights. They include EPO from Avecto (the sponsor of the McAfee survey) and the Shell Control Box from Balabit. Such tools insert themselves into your networks and keep track of who has rights to the wrong places so you keep things locked down.

But the first step is to admit that you don’t have any clue about what is going on with your network access rights — and then start being more attentive.

2 Responses to “Time to Reassess Your Network Access Rights”

  1. This is a complete load of carp. Unless you work in a small company, with an IT department of a handful of people, then most large companies are pretty diligent about keeping their info locked down.

    Though I also guess on how much money the company makes. I was in Lowe’s for 6 years, and they are ahead of the game as far as access goes. But they make 50 billion a year in profit… so they are protecting their income. It’s like Fort Knox, so they have to keep out the riffraff lol.

    The government? They don’t count because they know any money they waste or lose… they’ll just get it from the taxpayers.

    So that leaves all these other small-profit, mid-size companies with all these gaping holes in their access policies…

    • Maurice Brown

      I beg to differ.
      I’ve worked for the most powerful software company on the face of the Earth and can attest that they have this issue as much as any other large enterprise.

      Technology is the easy part.

      It’s people that are hard.
      It’s people who do simple iterations on passwords to beat reuse and complexity policies.
      It’s people who use stuff like Dropbox to move corporate IP around (admittedly it’s the IT and CIO’s fault in that case; it’s not like it’s really hard to stop those, you just need the management backing to get that done).

      You missed the key point he was making. It wasn’t about keeping someone out, it was about keeping someone in their “box”, collapsing said box when they leave, and making sure they can’t get in or have another box inside after they’re gone.

      There are valid threats and disturbingly well-resourced adversaries outside your gates but there are few things more dangerous than the same thing INSIDE.