[BreachExchange] How Full Admin Rights Could Pose a Threat to Your Business

Destry Winant destry at riskbasedsecurity.com
Wed Aug 29 09:23:41 EDT 2018


http://infosecisland.com/blogview/25100-How-Full-Admin-Rights-Could-Pose-a-Threat-to-Your-Business.html

All threat actors know that the day they gain access to an account
with full administrative rights, they have hit a goldmine. It only
takes one weak endpoint for an attacker to have free rein over an
entire corporate network. The 2016 Forrester Wave on Privileged
Identity Management revealed that 80 percent of all data breaches
involve the use of privileged credentials in one way or another. As
cyber risks continue to evolve, understanding the risks associated
with full admin privileges and limiting their unnecessary use is
essential for organisations of every size, in every sector.

Reducing administrator rights should form the foundation of any
organisation’s security strategy or processes to ensure secure access
to system controls. Yet many companies are still not putting
appropriate measures in place to counter the threat, purely due to the
lack of understanding around the risks of over-privileged accounts.
Therefore, it is vital for organisations and employees to be aware of
some of the common ways that full administrator rights can pose a
threat to security.

Access all areas

To put it simply, when user accounts have admin rights, it enables the
end-user to install new software, add accounts and change the way
systems operate. It also allows users to own any file on the network –
privileges always beat permissions. From there, admin users can change
ownership of relevant documents or folders and either restrict access,
copy or transfer sensitive data without other authority, or
potentially alter protected security policies.

With direct access to, and the ability to change, specific registry
keys, admin rights allow users to work around Group Policy Object
settings and other built-in central management policies. Because an
administrator is free to create new accounts and set their privilege
levels, any compromised local administrator account can be opened up
to both malicious users and their accomplices.

Once you’re in, you’re in

Once a malicious individual gains access to a user's desktop, they can
turn their attention to widening the net and compromising an entire
corporate network. Malicious users will have free rein and access to
any part of the operating system or network, and can also lay traps
for users with higher privilege, such as domain admins, to provide
further access to highly sensitive data.

Having unrestricted admin rights in place, therefore, poses a
significant risk of privilege escalation attacks and lateral movement.
The ability to manage certificates for a local machine means admin
users – or those impersonating them – also risk exposing others to
phishing and man-in-the-middle attacks. By installing a fake
certificate authority, malicious users can trick others into believing
they are visiting trusted sites or receiving information from a
trusted source, which could lead to sensitive information being
leaked, or the installation of malware that could infect an entire
system.

Port scanning tools, often used by businesses to capture network
traffic, also serve as an easy target for those looking to take
advantage of vulnerabilities within a network. When this privilege
falls into the wrong hands, it allows malicious users to identify and
exploit key weaknesses in the corporate system.

Gone without a trace

The threats that come from admin rights aren’t all external –
employees can also pose a danger to themselves and the organisation.
The freedom to install, update or remove any application or software
can inadvertently leave the IT environment open to vulnerabilities.
End users do not necessarily know the full implications of their
actions, and this lack of awareness can pose a serious risk to system
stability and data security.

For example, applications can be configured to run while bypassing
User Account Control prompts, and processes can be run as SYSTEM,
meaning that malicious software can be embedded and set to trigger in
future, running in the background alongside existing applications.

The ability to make any change within an IT system also offers
cyber-criminals the means to cover their tracks. With relative ease
they can delete applications and clear the system and security event
logs that record any wrongdoing, leaving organisations with no
picture of how their business and sensitive information was
compromised.

Whichever way you frame it, once a hacker finds a way to infiltrate an
endpoint with full administrator privileges, they can very easily cast
their net much further and bring down an entire network if they
please. The best ones out there can even remain undetected.

According to Gartner Vice President and Distinguished Analyst Neil
MacDonald, privileged account management should be one of the top
priorities for CISOs when it comes to security. It is important that
IT leaders balance this whilst empowering users to complete their work
efficiently. This is where restricting the privileges of your users
can play a crucial role. Having a culture and awareness around cyber
threats alongside least privilege means that organisations can
strengthen their security posture without limiting the agility of
day-to-day operations. Understanding the positive effect this can have
is a must. Implementing least privilege protects what is most valuable
to an organisation: its reputation and its sensitive data.
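Two of the controls the article argues for, checking who actually holds local administrator rights and noticing when event logs are cleared, can be scripted for a single endpoint. The following PowerShell is an added example written for this page, not code from the article or from Risk Based Security; it assumes an elevated Windows PowerShell 5.1+ session, and the `$ApprovedAdmins` allow-list is a constructed placeholder you would replace with your own.

```powershell
# Added example: audit local Administrators membership and look for cleared event logs.
# Assumes an elevated session on the endpoint being audited.
# $ApprovedAdmins is a constructed allow-list; replace it with the accounts you actually sanction.
$ApprovedAdmins = @(
    "${env:COMPUTERNAME}\Administrator",   # built-in local admin (should normally be disabled)
    "CORP\Workstation-Admins"               # hypothetical domain group permitted local admin rights
)

# 1. Local Administrators membership: anything not on the allow-list is a least-privilege finding.
$members    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
$unexpected = $members | Where-Object { $ApprovedAdmins -notcontains $_.Name }
if ($unexpected) {
    Write-Warning ("Unexpected members of local Administrators on {0}:" -f $env:COMPUTERNAME)
    $unexpected | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators membership matches the allow-list."
}

# 2. Log clearing: Security event 1102 ("The audit log was cleared") and System event 104
#    ("The System log file was cleared") are written as the first entry of the freshly cleared
#    log, so they survive the very action they describe. Forwarding them off-host is what makes
#    them useful; here we just report what is still present locally for the last 30 days.
$since   = (Get-Date).AddDays(-30)
$cleared = @()
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
$cleared += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 104;  StartTime = $since } -ErrorAction SilentlyContinue

if ($cleared.Count -gt 0) {
    Write-Warning ("{0} log-clearing event(s) found on {1}:" -f $cleared.Count, $env:COMPUTERNAME)
    $cleared |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, Id,
            @{ Name = 'ClearedBy'; Expression = { $_.UserId } },            # SID of the clearing account
            @{ Name = 'Summary';   Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
} else {
    Write-Host "No Security 1102 / System 104 log-clearing events in the last 30 days."
}
```

Run it from a scheduled task or your endpoint management tooling and ship the two result sets to your SIEM; an 1102 or 104 event that is not paired with a change ticket is worth an investigation on its own.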

