Check your access control permissions before hackers do

Every organization has devices, networks or cloud services with improperly configured permissions that expose sensitive data or could allow hackers to gain privileged access. Check them now.

I’ve repeatedly talked about the two biggest cybersecurity risks to most organizations: social engineering and unpatched software. A few weeks ago, I added passwords as the likely third biggest security issue facing most organizations. Now, I’m adding a fourth largest threat: incorrect access control permissions.

Of the hundreds if not thousands of security reviews I’ve done over the past two decades, I’ve always found incorrectly set permissions (when that was within scope of the review) on single PCs, devices, networks or cloud instances. These days operating system vendors have a good set of default permissions. It’s the admins and end-users who are making the mistakes that are leaving their devices and private information open to the world.

I don’t have hard data to show that incorrect access control permissions are the fourth biggest security issue, but I do know there are a lot of exposed documents and folders. According to Varonis, 18.9% of companies with more than 1 million folders have 100,000 folders accessible by every employee, 19.3% have over 1,000 sensitive folders open to everyone, and 19.6% of companies have over 1,000 folders with inconsistent permissions.

The two most dangerous types of incorrectly set permissions

Depending on the OS and device, there can be dozens of individual granular permissions, along with inheritance issues and group membership considerations that can add up to permission mistakes. It’s easy for a single security principal (e.g., a user) to get permission to something they shouldn’t have access to. That’s a problem, but I’m not even talking about those sorts of small, individual mistakes.
