What if your devices, networks, and cloud services have misconfigured settings?
When entrepreneurs invest in their business/startup, but their administrators fail to maintain the security aspects of the data being present in the system, this is where the problem typically is.
Incorrect access controls is now a major concern for businesses, and a backdoor for hackers to enter. A survey conducted by Varonis found that:
- 18.9% of companies with 1 million folders have some 100,000 folders accessible to every employee.
- 19.3% have more than 1,000 sensitive folders open to everyone.
- 19.6% of companies with 1,000 folders have inconsistent Permission
The data is reflecting the nature of businesses – those with the most data and a large number of folders often neglect the accessibility controls. In such cases, even sensitive folders sometime left accessible to everyone. The lack of strategies also plays a role that leads to inconsistent permissions.
There are different incorrectly-set permissions that we often don’t prioritize, but some of them are more dangerous than any other.
The Most Dangerous Incorrectly Set Permissions
Permission mistakes depend on the operating system and device, coupled with some inheritance issues and group participation considerations, keeping individual granular permissions aside.
For a user, it’s easier to follow a single self-created security principle to deal with accessibility permissions, but controlling thresholds in an organization is more difficult than it sounds. There are two main permission types:
- Everyone has the right to read/write/modify the files and folders that are not supposed to be under the ambient of permissions; an exact or even more permissive set of permissions like Everyone-Full Control (in Windows), is a must.
- Setting database permissions incorrectly, that could also equate the same issues.
Many people incorrectly set overly permissive permissions; mostly due to a lack of configuration skills. We saw this with Uber disclosing a year-old AWS data breach which compromised the information of 57 million users, including 600,000 U.S. drivers. Also an Open AWS S3 bucket exposed information including 119,000 scanned documents of thousands of FedEx customers.
Who has access to network folders?
Network folder permissions contain folders, which contain find all the shared executables or scripts that can be executed for every user (and device) that logs on.
We often permit our employees to modify executables or scripts, this also helps them creating and/or impacting other logins and allows them to edit such controls.
Also when looking for folders, don’t forget to check the “Everyone Read Folders.” Why? Because it is a common permission to find even “Everyone Write” as well, especially on folders and shares that are used by every user like; \Windows\Temp or \Temp, /bin. You should also look for all the non-default folders and shares, like /Human Resources, \Payroll.
Admins often keep the backup sets of data before troubleshooting an issue, or as a regular backup scheme; such folders or shares with backups always have overly permissive permissions.
Adjust your Access Control Permissions, do it before it’s too late!
The solution is simple - check the set permissions and rectify the incorrect ones. There are so many security and encryption tools that make the task easier, define the parameters of permissions and put them in a range, and provide the right security credentials to meet the desired criteria.
Do your organization have suitable tools to manage the permission controls? If not, search "tools check file permissions”; you’ll get dozens of candidates, (free and paid).
What else can you do? Do periodic audits on all computers and devices with sensitive data; have a good data inventory, and make all the data stakeholders understand the database permission auditing.
Realizing issues is costlier than fixing it
Concluding, when anyone puts a new server, sensitive data repository, or application be sure to do the following:
- Verifying permissions is a must once it is installed.
- Don’t forget that deploy and decay - reasons for overly permissive permissions - are not your friends.
Overly permissive permissions may or may not be the next cybersecurity threat, but permissions mistakes are making numbers in headlines; means we have to add “checking file permissions” as a part of our security culture since the world is going more into cloud-based servers and services.
Devin Smith is a tech-mech by profession, and also passionate into finding variant indulgence of the Tech World. He has studied marketing and now turning his exposure into the experience; when you find him playing soccer, it must be his spare hours.