All threat actors know that the day they gain access to an account with full administrative rights, they’ve hit a goldmine. It only takes one weak endpoint for an attacker to have free rein over an entire corporate network. The 2016 Forrester Wave on Privileged Identity Management revealed that 80 percent of all data breaches involve the use of privileged credentials in one way or another. As cyber risks continue to evolve, understanding the risks associated with full admin privileges and limiting their unnecessary use is essential for organisations of every size, in every sector.
Reducing administrator rights should form the foundation of any organisation’s security strategy and of its processes for securing access to system controls. Yet many companies are still not putting appropriate measures in place to counter the threat, largely because of a lack of understanding of the risks posed by over-privileged accounts. It is therefore vital for organisations and employees to be aware of some of the common ways in which full administrator rights can threaten security.
Access all areas
To put it simply, when user accounts have admin rights, it enables the end-user to install new software, add accounts and change the way systems operate. It also allows users to own any file on the network – privileges always beat permissions. From there, admin users can change ownership of relevant documents or folders and either restrict access, copy or transfer sensitive data without other authority, or potentially alter protected security policies.
With direct access to the registry and the ability to change specific keys, admin rights allow users to work around Group Policy Object settings and other built-in central management policies. Because an administrator is free to create new accounts and set their privilege levels, any compromised local administrator account can open the door to both malicious users and their accomplices.
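The least-privilege check that follows from this section is to know exactly which accounts hold local administrator rights on each endpoint and to flag any that were not approved, since a single unexpected member (an account an intruder created, or a user who was granted rights "temporarily") is the foothold the article describes. The script below is an added example written for this article, not code from the original author or from Avecto; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts module) and the approved-principal list is a constructed placeholder to be replaced with your own.

```powershell
# Added example (not from the original article): audit the local Administrators
# group on this machine and report any member that is not on an approved list.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
# The entries below are placeholders; substitute the groups your policy approves.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local account, if you keep it enabled
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder domain group
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Get-LocalGroupMember returns local and domain principals alike, with
    # Name in DOMAIN\account form, ObjectClass of User or Group, and
    # PrincipalSource of Local, ActiveDirectory, AzureAD or MicrosoftAccount.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Account     = $m.Name
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
            }
        }
    }
}

# Run the audit and report. A non-empty result is a least-privilege finding:
# either the account should be removed from the group or the approved list
# should be updated through whatever change process you use.
$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) account(s) hold local admin rights without approval:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators membership matches the approved list."
}
```

Run it under an account that can read local group membership (any local user can, on a default build) and fold the output into whatever inventory you already collect; the value comes from running it regularly across the fleet, so that a newly added member shows up the day it appears rather than after an incident.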
Once you’re in, you’re in
Once a malicious individual gains access to a user’s desktop, they can turn their attention to widening the net and compromising an entire corporate network. Malicious users will have free rein over any part of the operating system or network, and can also lay traps for users with higher privileges, such as domain admins, to gain further access to highly sensitive data.
Having unrestricted admin rights in place, therefore, poses a significant risk of privilege escalation attacks and lateral movement. The ability to manage certificates for a local machine means admin users – or those impersonating them – also risk exposing others to phishing and man-in-the-middle attacks. By installing a fake certificate authority, malicious users can trick others into believing they are visiting trusted sites or receiving information from a trusted source, which could lead to sensitive information being leaked, or the installation of malware that could infect an entire system.
Port scanning tools, which businesses often use legitimately to capture network traffic, are also an easy win for those looking to take advantage of vulnerabilities within a network: when this privilege falls into the wrong hands, it allows malicious users to identify and exploit key weaknesses in the corporate system.
Gone without a trace
The threats that come from admin rights aren’t all external – employees can also pose a danger to themselves and to the organisation. The freedom to install, update or remove any application or piece of software can inadvertently leave the IT environment open to vulnerabilities. End users do not necessarily know the full implications of their actions, and this lack of awareness can pose a serious risk to system stability and data security.
For example, applications can be configured to run in ways that bypass User Account Control, and processes can be run as System too, meaning that malicious software can be embedded and set to trigger at a later date, running in the background behind existing applications.
The ability to make any change within an IT system also gives cyber-criminals the means to cover their tracks. They can delete application, system and security event logs to hide any wrongdoing with relative ease – leaving organisations completely clueless about how their business and sensitive information was compromised.
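Clearing a Windows event log does not go entirely unrecorded: Windows itself writes Event ID 1102 ("The audit log was cleared") into the Security log and Event ID 104 ("The System log file was cleared") into the System log, and those records identify the account that performed the clear. The script below is an added example written for this article, not code from the original author or from Avecto; it assumes it is run with administrator rights (needed to read the Security log) and that the events' standard LogFileCleared XML layout is present, which is the case on supported Windows versions.

```powershell
# Added example (not from the original article): look for evidence that the
# Security or System event log was cleared, which an attacker with admin rights
# can do to cover their tracks. Assumes the script runs elevated.
function Get-LogClearEvents {
    param(
        [int]$Days = 30     # how far back to search
    )
    $since = (Get-Date).AddDays(-$Days)
    $queries = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },   # audit log cleared
        @{ LogName = 'System';   Id = 104;  StartTime = $since }    # System log file cleared
    )
    foreach ($q in $queries) {
        # Get-WinEvent raises a non-terminating error when nothing matches, so
        # suppress that case and simply return no rows for this query.
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue | ForEach-Object {
            # Both events carry the acting account under UserData/LogFileCleared.
            $who = $null
            try {
                $xml = [xml]$_.ToXml()
                $cleared = $xml.Event.UserData.LogFileCleared
                $who = '{0}\{1}' -f $cleared.SubjectDomainName, $cleared.SubjectUserName
            } catch {
                $who = '(unparsed)'
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $q.LogName
                EventId  = $_.Id
                Computer = $_.MachineName
                Account  = $who
            }
        }
    }
}

# Report anything found. Every row is worth an explanation: routine log rotation
# does not produce these events, so a clear without a matching change record
# should be treated as a potential cover-up and investigated.
$events = @(Get-LogClearEvents -Days 30)
if ($events.Count -gt 0) {
    Write-Warning "$($events.Count) log-clear event(s) found in the last 30 days:"
    $events | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No log-clear events found in the last 30 days."
}
```

The 1102 and 104 records survive the clear that produced them, but an attacker who keeps clearing can still make the history short; the durable defence is to forward the Security and System logs to a collector the endpoint’s administrators cannot modify and to alert on these two IDs there, so that the act of covering tracks becomes the signal that triggers the investigation.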
Whichever way you frame it, once a hacker finds a way to infiltrate an endpoint with full administrator privileges, they can very easily cast their net much further and bring down an entire network if they please. The best ones out there can even remain undetected.
According to Gartner Vice President and Distinguished Analyst Neil MacDonald, privileged account management should be one of the top priorities for CISOs when it comes to security. It’s important that IT leaders balance this with empowering users to complete their work efficiently. This is where restricting the privileges of your users can play a crucial role. A culture of awareness around cyber threats, alongside least privilege, means that organisations can strengthen their security posture without limiting the agility of day-to-day operations. Understanding the positive effect this can have is a must. Implementing least privilege will protect what’s most valuable to organisations – their reputation and their sensitive data.
About the author: Andrew has been a fundamental part of the Avecto story since its inception in 2008. As COO, Andrew is responsible for Avecto’s end-to-end customer journey, leading the global consultancy divisions of pre-sales, post sales and training, as well as customer success, support and IT.
Source: infosec island