You don’t need to carry the keys to the enterprise network to have a malicious hacker tail you. Here’s who’s at risk and what to do about it.

Some users’ accounts are more attractive to malicious hackers than others.

Computer security experts have long focused on local administrators/root — and recently even more on all-powerful network administrators such as members of the domain admin and enterprise admin groups. Those same experts warn about protecting even slightly elevated accounts, like those of network configuration operators or printer operators. The idea is that any account with permissions and privileges beyond a regular user account is a target ripe for hacker abuse.

But it’s a mistake to think that hackers seek only the obvious prizes — ordinary users often have more power than you think. Sometimes it seems that security experts are so obsessed with network and OS security that they forget about the data and applications that such infrastructure is intended to protect.

Hackers want you!

Anyone can be an application administrator. When users have elevated rights and permissions for critical applications, they become juicy targets. I have single, mission-critical applications with literally hundreds of admins, most of whom are not elevated network or OS admins. I’ve seen single, ordinary users become application admins for dozens of applications. None of those users needs to be a local OS administrator or domain administrator, but they still have fantastic value as an exploitable target.

In some cases, privilege isn’t the point — position is. Most advanced persistent threats (APTs) collect data and email credentials for top C-level accounts. In other cases the most interesting account to outside attackers belongs to someone in charge of a large, competitive project or technology. Lots of APT attackers seek intellectual property and other competitive information.
Many companies consider themselves “hacked” when the official Twitter or Facebook account of the company has been compromised by a phishing attack on the employee managing the social account. Worse, many times the social account’s password is the same as the user’s company account password.

Clearly, you don’t need to be a member of a network or local administrator’s group for your user account to glisten in the eyes of attackers.

Track your personal threat value

Some companies track each employee’s personal threat value. The idea is that each elevated permission or privilege, whether to the local computer, network, application, or service, contributes to a ranking number for personal threat value. User accounts with high personal threat values should be protected and secured.

A member of the enterprise admin or domain admins group would get the highest ranking, but so too would someone in charge of many mission-critical applications and services. An administrator of even one top-value application or service would be ranked fairly high, especially if successful exploitation could lead to a corporate reputational issue or embarrassment.

C-level employees would be ranked fairly high as well. Every admin of any important application should also be ranked, along with infrastructure admins for DNS, DHCP, Active Directory, and so on. Best case, every user account should be given a personal threat value, with all employees ranked from top to bottom. Some companies go even further and include computers in their rankings. Threat values exceeding a certain threshold should be given additional protection.

Protection strategies

Accounts with elevated personal threat value assessments should be protected in much the same way traditional elevated network and local administrator accounts are protected. At the very least, these users should work on highly protected computers, with strong security configurations, up-to-date antimalware software, and aggressive auditing.
More important, these users should be given serious training about their value to hackers.

Personally, I think all highly elevated user accounts should be made to use secure administrative workstations (SAWs) when performing administrative duties. SAWs are securely configured workstations with additional settings that most other users would find unacceptable, such as no (or limited) Internet connectivity and application whitelisting.

Although it’s critical to use a SAW for administrative tasks, I would argue that anyone with an elevated personal threat value should be forced to use one all the time. Remember: Admins are most likely to be compromised when performing nonadmin duties.

Accounts with elevated personal threat values are the most important accounts in your enterprise. Treat them that way.
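The personal threat value ranking described under “Track your personal threat value” (one number per account, built from every elevated permission or sensitive position, with extra protection above a threshold) together with the tiered controls from “Protection strategies”, as an added Python example that is not from the article. The group weights, thresholds, control names and sample accounts are all assumptions constructed for illustration; an organisation would substitute its own directory data and weights.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical weights for elevated groups; an organisation would set its own values.
PRIVILEGE_WEIGHTS = {
    "enterprise_admin": 100,
    "domain_admin": 90,
    "infra_admin": 60,       # DNS, DHCP, Active Directory and similar infrastructure admins
    "local_admin": 20,
    "operator_group": 15,    # e.g. network configuration or printer operators
}

C_LEVEL_WEIGHT = 50          # position, not privilege, makes the account interesting
SOCIAL_ACCOUNT_WEIGHT = 30   # runs the company's official social media account
APP_ADMIN_WEIGHT = 10        # multiplied by each application's criticality (1..5)


@dataclass
class Account:
    name: str
    groups: list[str] = field(default_factory=list)
    app_admin_of: dict[str, int] = field(default_factory=dict)  # app -> criticality 1..5
    is_c_level: bool = False
    manages_social: bool = False


def threat_value(acct: Account) -> int:
    """Sum every source of elevated permission or attacker interest into one number."""
    score = sum(PRIVILEGE_WEIGHTS.get(g, 0) for g in acct.groups)
    # Every application admin role counts; one top-value application already ranks high.
    score += sum(APP_ADMIN_WEIGHT * crit for crit in acct.app_admin_of.values())
    if acct.is_c_level:
        score += C_LEVEL_WEIGHT
    if acct.manages_social:
        score += SOCIAL_ACCOUNT_WEIGHT
    return score


def protection_tier(score: int, elevated: int = 50, high: int = 100) -> str:
    """Map a score to a tier; the thresholds are assumptions, not the article's numbers."""
    if score >= high:
        return "high"
    if score >= elevated:
        return "elevated"
    return "standard"


def required_controls(score: int) -> tuple[str, ...]:
    """Controls the article prescribes for accounts above the threshold."""
    tier = protection_tier(score)
    if tier == "standard":
        return ()
    controls = ("hardened workstation", "up-to-date antimalware",
                "aggressive auditing", "targeted training")
    if tier == "high":
        # Highest-value accounts use a SAW all the time, not only for admin tasks.
        controls += ("SAW for all activity",)
    return controls


def rank_accounts(accounts: list[Account]) -> list[tuple[str, int, str]]:
    """Rank every account from top to bottom by personal threat value."""
    ranked = [(a.name, threat_value(a), protection_tier(threat_value(a))) for a in accounts]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def sample_accounts() -> list[Account]:
    """Constructed sample directory; names and roles are made up for this example."""
    return [
        Account("alice", groups=["domain_admin", "local_admin"]),
        Account("bob", app_admin_of={"payroll": 5, "erp": 5, "crm": 3}),  # ordinary OS user
        Account("carol", is_c_level=True),
        Account("dave", manages_social=True),
        Account("erin", groups=["operator_group"], app_admin_of={"wiki": 1}),
    ]


if __name__ == "__main__":
    for name, score, tier in rank_accounts(sample_accounts()):
        print(f"{name:6} {score:4} {tier:9} {', '.join(required_controls(score))}")
```

Note that “bob”, who holds no OS or network privilege at all, outranks the domain admin purely on application admin roles, which is the article’s point: the ranking has to count application and position-based exposure, not just group membership.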