Access Creep

In this scenario, Sally has worked at BrandName University for the past 10 years. In that time she has been promoted twice and moved through three departments to build out her resume. BrandName's overburdened IT department treats security as an afterthought and does not track Sally's access levels, and the HR system does not update her security groups when she moves from one department to another. Each time she changes roles she is added to yet another security group, but only after she discovers she cannot access or update something her new role requires.

Ideally, to prevent access creep, her access would be reviewed each time her role changed, and the groups her old role needed but her new one does not would be removed at the same time. As Sally moves around the university over the years, she and her supervisors request access to assorted resources and databases holding student, staff and financial information. In effect she has accrued 10 years of stale and irrelevant security groups, stacked like pancakes on her user object. Neither she nor anyone else realizes it, but she is all-powerful and all-seeing.
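The review described above is mechanical: compare what a user's current role entitles them to with what their account has accumulated, and remove the difference. The following is an added example, not code from the original post or from Milton Security Group. The role catalogue, the group names and Sally's user record are constructed for illustration; in a real directory the memberships would come from an export of the user's memberOf attribute and the role catalogue from HR.

```python
"""Detect access creep by reconciling a user's accumulated security groups
against the groups their current role actually entitles them to.

Added example, not from the original post. All roles, groups and users below
are constructed sample data.
"""
from dataclasses import dataclass

# Constructed role catalogue: the security groups each role is entitled to.
# In practice this is the HR-owned mapping that a joiner/mover/leaver process
# would consult.
ROLE_ENTITLEMENTS = {
    "registrar-clerk": {"Staff-All", "SIS-ReadOnly"},
    "bursar-analyst": {"Staff-All", "Finance-GL-Read", "Finance-Reports"},
    "admin-coordinator": {"Staff-All", "HR-Directory-Read", "Calendar-Admin"},
}

# Constructed list of groups that no ordinary role may grant; membership is
# flagged regardless of the user's role.
HIGH_RISK_GROUPS = {"Domain Admins", "SIS-FullAccess", "Finance-GL-Write"}


@dataclass
class UserRecord:
    sam_account_name: str
    current_role: str
    role_history: list[str]   # previous roles, oldest first
    member_of: set[str]       # groups currently stacked on the user object


@dataclass
class CreepReport:
    keep: set[str]            # memberships the current role justifies
    remove: set[str]          # memberships the current role does not justify
    add: set[str]             # entitlements the role grants but the user lacks
    high_risk: set[str]       # HIGH_RISK_GROUPS the user belongs to
    inherited_from: dict[str, str]  # stale group -> past role that granted it
    ad_hoc: set[str]          # stale groups no past role explains


def review_access(user: UserRecord) -> CreepReport:
    """Compute what to keep, remove and add for a user's current role."""
    entitled = ROLE_ENTITLEMENTS.get(user.current_role, set())
    keep = user.member_of & entitled
    remove = user.member_of - entitled
    add = entitled - user.member_of
    high_risk = user.member_of & HIGH_RISK_GROUPS

    # Attribute each stale group to the most recent past role that granted
    # it, so the reviewer can see how the pancakes stacked up.
    inherited_from = {}
    for group in remove:
        for past_role in reversed(user.role_history):
            if group in ROLE_ENTITLEMENTS.get(past_role, set()):
                inherited_from[group] = past_role
                break
    ad_hoc = remove - set(inherited_from)
    return CreepReport(keep, remove, add, high_risk, inherited_from, ad_hoc)


def on_role_change(user: UserRecord, new_role: str) -> CreepReport:
    """Mover event: recompute the user's groups from the new role instead of
    stacking a new group on top of the old ones."""
    user.role_history.append(user.current_role)
    user.current_role = new_role
    report = review_access(user)
    user.member_of = (user.member_of - report.remove) | report.add
    return report


def sally_example() -> UserRecord:
    """Constructed record mirroring the scenario: three roles over ten years,
    every group ever granted still attached, plus one ad hoc high-risk group,
    and one entitlement of the current role still missing."""
    return UserRecord(
        sam_account_name="sally",
        current_role="admin-coordinator",
        role_history=["registrar-clerk", "bursar-analyst"],
        member_of={
            "Staff-All", "SIS-ReadOnly", "Finance-GL-Read", "Finance-Reports",
            "HR-Directory-Read", "SIS-FullAccess",
        },
    )


if __name__ == "__main__":
    report = review_access(sally_example())
    print("remove:", sorted(report.remove))
    print("add:", sorted(report.add))
    print("high risk:", sorted(report.high_risk))
    print("inherited from:", report.inherited_from)
    print("ad hoc grants:", sorted(report.ad_hoc))
```

Running the review against the constructed Sally record removes the registrar and bursar groups she no longer needs, flags the SIS-FullAccess grant that no role ever justified, and adds the one entitlement of her current role she is still missing. The `on_role_change` function is the step the scenario's HR process lacked: it is run at the moment of the move, so stale groups never accumulate in the first place.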

A new student worker named Meka joins Sally's Administration department but has not received login credentials from HR or IT, and sits staring at her computer and looking around the room. Over the years Sally has grown accustomed to IT's unresponsiveness and figures it will be at least a week before Meka gets a username and password. Sally, kind soul that she is, logs Meka in with her own credentials and starts giving her work to do (the whole reason the student worker was brought on). Meka loves Facebook and, while Sally is bustling about, flips over to it now and then between tasks. One of Meka's new friends sends her a link to a bargain website for designer purses.

In a fraction of a second Meka has clicked through and, without knowing it, run malware that opens a reverse shell to a botnet. Because the session is Sally's, the malware runs with Sally's credentials and every access level stacked on her account. For the next month and a half the university's information is siphoned off, unbeknownst to anyone. Another month passes before some of BrandName's student information is posted on Pastebin…

In this scenario no single person did any one great wrong that brought the information system to its knees; it was the cumulative effect of weak infrastructure, a lack of policies and a lack of enforcement, to name a few. That is quite typical of a higher-ed environment, especially one moving toward a fast-moving, faux-corporate attitude. Add cloud services and the magnitude increases.

Had an inline Adaptive Network Access Control (ANAC) appliance been in place to compensate for the missing human oversight and the weak overall security posture, this scenario would have been forced to play out very differently from the start, even with the typical overburdened IT department. An ANAC solution prevents unauthorized access to network resources and blocks or mitigates malware intrusion. Milton Security Group's adaptive solutions provide authentication, validation, remediation and inspection for policy compliance.
