Some users’ accounts are more attractive to malicious hackers than others.
Computer security experts have long focused on local administrators/root — and recently even more on all-powerful network administrators such as members of the domain admin and enterprise admin groups.
Those same experts warn about protecting even slightly elevated accounts, like those of network configuration operators or printer operators.
The idea is that any account with permissions and privileges beyond a regular user account is a target ripe for hacker abuse.
But it’s a mistake to think that hackers seek only the obvious prizes — ordinary users often have more power than you think. Sometimes it seems that security experts are so obsessed with network and OS security, they forget about the data and applications that such infrastructure is intended to protect.
Hackers want you!
Anyone can be an application administrator. When users have elevated rights and permissions for critical applications, they become juicy targets.
I have single, mission-critical applications with literally hundreds of admins, most of whom are not elevated network or OS admins.
I’ve seen single, ordinary users become application admins for dozens of applications. None of those users needs to be a local OS administrator or domain administrator, but they still have fantastic value as an exploitable target.
In some cases, privilege isn’t the point — position is. Most advanced persistent threats (APTs) collect data and email credentials for top C-level accounts.
In other cases the most interesting account to outside attackers belongs to someone in charge of a large, competitive project or technology. Lots of APT attackers seek intellectual property and other competitive information.
Many companies consider themselves “hacked” when the official Twitter or Facebook account of the company has been compromised by a phishing attack on the employee managing the social account. Worse, many times the social account’s password is the same as the user’s company account password.
Clearly, you don’t need to be a member of a network or local administrator’s group for your user account to glisten in the eyes of attackers.
Track your personal threat value
Some companies track each employee’s personal threat value.
The idea is that each elevated permission or privilege, whether to the local computer, network, application, or service, contributes to a ranking number for personal threat value. User accounts with high personal-threat values should be protected and secured.
A member of the enterprise admin or domain admins group would get the highest ranking, but so too would someone in charge of many mission-critical applications and services.
An administrator of even one top-value application or service would be ranked fairly high, especially if successful exploitation could lead to a corporate reputational issue or embarrassment.
C-level employees would be ranked fairly high as well.
Every admin of any important application should also be ranked, along with infrastructure admins for DNS, DHCP, Active Directory, and so on.
Best case, every user account should be given a personal threat value, with all employees ranked from top to bottom.
Some companies go even further and include computers in their rankings.
Threat values exceeding a certain threshold should be given additional protection.
Accounts with elevated personal threat value assessments should be protected in much the same way traditional elevated network and local administrator accounts are protected.
At the very least, these users should work on highly protected computers, with strong security configurations, up-to-date antimalware software, and aggressive auditing. More important, these users should be given serious training about their value to hackers.
Personally, I think all highly elevated user accounts should be made to use secure administrative workstations (SAWs) when performing administrative duties.
SAWs are securely configured workstations, but with other settings that most other users would find unacceptable, such as no (or limited) Internet connectivity and application whitelisting.
Although it’s critical to use a SAW for administrative tasks, I would argue that anyone with an elevated personal threat value should be forced to use one all the time. Remember: Admins are most likely to be compromised when performing nonadmin duties.
Accounts with elevated personal threat values are the most important accounts in your enterprise.
Treat them that way.