Privilege Abuse

Privilege Abuse

Alternative Forms

  • Abuse of Authorizations ENISA Threat Taxonomy

  • Abuse of System Privilege Open Threat Taxonomy

  • Privilege Misuse

Definitions

Definition 1

Privilege Abuse is a class of information security threat consisting in an intentional abusive usage of effectively granted access permissions. It is a subclass of the insider threat.

It may be divided into two subclasses:

  • Excessive Privilege Abuse: when the granted access permissions did not comply with the least privilege principle considering the organization’s policies or expectations. This threat family is enabled by the absence or misconfiguration of access controls.

  • Legitimate Privilege Abuse: when the granted access permissions complied with the least privilege principle but their usage was contrary to the organization’s policies or intentions.

The main motivations of threat actors for Privilege Abuse are fun and curiosity, and financial gain.

Privilege abuse is distinct from privilege escalation in that no subversion of the system is required, i.e. the system functions as expected.

It is also distinct from data mishandling, the former being intentional and the later accidental.

Privilege abuse may occur with workforce, federated (third-parties), customer and privileged identities. The potential harm of privilege abuse on privileged identities is critically more important because of the significantly larger blast radium of privileged identities.

Countermeasures for privilege abuse comprise: vetting, least privilege, audit logs, session recording, awareness training, honeypots, deterrent discipline, user behavior analytics (UBA), etc.

Examples

  • Eve was working as a back office clerk for Acme bank. She was jealous of Alice who just bought a beautiful house nearby. Driven by curiosity, she abused her privileges and checked Alice’s accounts in the Acme banking system to see how much money she had.

Note - OTT Mapping

The Privilege Abuse concept may be mapped with the Open Threat Taxonomy version 1.1:

TEC-014 > Abuse of System Privileges - Threat Rating of 4.0

(https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1105002608)

Note - ETT Mapping

The Privilege Abuse concept may be mapped with the ENISA Threat Taxonomy version 1.0:

Nefarious Activity > Abuse > Abuse of Authorizations - Threat of using authorised access to perform illegitimate actions.

Conceptual Diagram

Definition 2

An incident that realizes the privilege abuse threat.

Related Terms

Quotes

Description

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.

Privilege abuse happens when a user is authorized by the access control policy to exercise a permission, in contradiction to the organizational security policy. For example, if Bob attempts to exercise the green permission in Figure 1.1, he would commit privilege abuse, as the access control policy in Figure 1.1 authorizes this, but the security policy forbids it. Perhaps Bob had no malicious intention and just was not aware that he should not exercise the green permission. Even in this case, we classify his action as privilege abuse.

Privilege Abuse (Misuse)

(…)

Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.

Insider threats are usually the most difficult to detect and can take months, or longer, to discover. Identifying insider privilege abuse can be difficult because it is often committed by employees perceived to be trustworthy, and because they are using the privileges granted to them by the organization. Organizations should proactively take steps to minimize the privileges users are provided with. They should also keep detailed audit logs of users with administrative privileges.

When the nature of their actions is known, the general privilege abuse is always at the top of the list. This is merely using access to gain information for alternative and unsanctioned uses.

Privilege Abuse comes in two flavors: Abuse of excessive privileges and abuse of legitimate privileges.

Not unexpectedly, privilege abuse — taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts — tops the list. We realize that encompasses a very broad range of activities, but the overall theme and lesson differ little: most insider misuse occurs within the boundaries of trust necessary to perform normal duties. That’s what makes it so difficult to prevent.

There are many data security risks in the use of IT, such as hacker attacks, network breaks, natural disasters, separation failure, public management interface, poor encryption key management, and privilege abuse. Specific risks to cloud computing are separation failure, public management interface, poor encryption key management, and privilege abuse.

 

The threat of insiders using their assigned privileges in an unintended way like e.g. corrupt data administrators cannot be excluded, no matter how noble the intentions of the application providers are or how deterrent the consequences of privilege abuse are communicated to be.

Bibliography

See Also


Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.


This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.