Are You Overlooking These 6 Access Management Vulnerabilities?

Sponsored by Trend Micro:

Network administrators may think they’ve covered their bases by putting security tools like firewalls, antivirus, sandboxing and whitelisting into place. Unfortunately, none of those tools can protect the company network when employees fail to protect their passwords. According to Time Magazine, some of the top employee choices for passwords are “password” and “123456.” Employees have a lot of progress to make toward improving their password protection habits.

The first solution is to take password protection out of employee hands and protect employee passwords using password manager software. Many network security and antivirus companies produce password managers, or businesses can use tools like LastPass or 1Password. Password manager software stores passwords so employees don’t have to remember them. It can also generate complex passwords with a variety of upper and lower-case letters, numbers and symbols. The second solution is to scour the network for access management vulnerabilities. Start by addressing these six common problems.

Problem 1: Inherited and Nested Permissions

Inherited permissions happen when permissions are set on a parent folder and then passed along to every new file and subfolder. For example, one user with permission to view one file folder could then have access to every subfolder within the original folder.

Microsoft designed the “inherit permissions” function for Windows Server to streamline file creation and access, but it creates vulnerabilities because permissions aren’t set for individual files.

Nested files or groups are created when one file or group is defined as a member of another file or group. For example, if one department has access to certain types of data, it’s easy to set up a nested group as a member of the department.

Problems occur when nesting gets complex because nested permissions are granted without a lot of deliberation. It may seem easy to assign one employee to a group because he needs a certain set of permissions, but he may gain access to unnecessary information if the master group’s allotted permissions change later.

Problem 2: Temporary Changes Never Changed Back

When one employee in a department takes leave, another employee may temporarily fill in and need a higher level of access. However, in the busyness of day-to-day tasks, IT may fail to rescind the temporary permissions when the original employee returns to work. Therefore, the employee who filled in still has access to potentially sensitive information.

Problem 3: Non-Admin Users With Administrative Privileges

One of the best things a company can do to improve security is to limit administrator privileges. For instance, a busy network administrator may provide admin credentials to a department head in an effort to reduce IT’s workload. However, when too many non-IT employees have these privileges, the network becomes vulnerable. For example, the NSA discovered that Edward Snowden gained access to privileged files when other employees gave him their admin-level usernames and passwords.

Problem 4: Too Much Access Compared to Employees in Similar Positions

Excessive access privileges often trace back to temporary situations that never get reversed. As companies make more and more of their own applications, for example, developers are often brought in to fix application problems. Involving the developer means giving the developer access to production systems. Developers end up with production-side credentials, and the credentials are never revoked. Similar situations happen when someone in a high-authority position steps down to a part-time position or other position that doesn’t require extensive permissions.

Problem 5: Poorly Designed Roles

Every workplace has a few employees who end up doing a little bit of everything. In truth, this situation often happens when job descriptions and roles within the company are poorly designed. It can also happen when IT doesn’t break down permissions by department or job title or when IT doesn’t set up default deny controls to keep employees from venturing into unnecessary areas of the company network.

Problem 6: Ghost Credentials

One of the biggest network vulnerabilities occurs when employees leave the company, but their passwords and access privileges remain in place. According to statistics compiled by GO-Gulf, 59 percent of employees admit stealing their former employer’s data when they move on to their new positions. Leaving these “ghost credentials” in the system makes the network vulnerable to disgruntled former employees.

Plugging up these six common network vulnerabilities prevents employees from getting into places they shouldn’t be on the network. It also limits the damage that could be done if an attacker were to obtain employee credentials.

Contributor

More Posts