Overview
Administrator with Licences attached
The "administrator with licences attached" alert is triggered when the system detects a user account that has administrative privileges and also has a licensed product attached.
Administrators with Licenses
Privilege separation
Protect user accounts
Monitor for changes
Risk minimisation
Improved compliance
Impact
Real world impact
Problems Faced
Jane Smith uses her jane.smith@ account for usual activities: checking email, creating and saving files, and sharing communications with other users. Jane is also a Global Administrator. If Jane’s account is compromised (for example, by a targeted phishing attack), the attacker gains access not just to Jane’s account but to the whole company environment (tenancy). This could be a devastating attack with no further controls on the impact. Administrator accounts should be dedicated and separated from daily accounts. By identifying accounts at risk (those with elevated permissions that are also used for general day-to-day activity), steps can be undertaken earlier to mitigate the potential for escalation.
Solution
It is important to identify administrative accounts that are being used for day-to-day activities. These types of accounts are often held by high-value team members, and can be specifically targeted from outside because of the potential for further escalation of permissions. Left unattended, this may lead to a future account compromise being far more serious than it needs to be.
Checking all your users for their permissions and segregation of access on a regular basis is tedious, time-consuming, and at high risk of error. You cannot be expected to review all the accounts and administrative access levels on a daily basis. CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps and reduce the potential for a larger impact.
Prevention
What are the main questions you should consider when working out how to manage this risk?
- Do you have any system or solution in place to detect when administrator users also have licences attached?
- If a normal user (with licence attached) was escalated to administrator today, would you find out?
- Have you ever checked for administrators with licences attached?
- What would the impact be on your organisation if an administrator account was compromised (hijacked) by a malicious actor?
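The check described above, and the second question in the list (would you notice an escalation made today?), can be sketched as a comparison of two directory snapshots. This is an added example, not CatchBefore's code; the record fields, the licence name, the example.com addresses and the choice to skip disabled accounts are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Role named on the page; extend with the other privileged roles in your tenancy.
ADMIN_ROLES = frozenset({"Global Administrator"})

@dataclass(frozen=True)
class Account:
    upn: str
    roles: frozenset
    licences: frozenset
    enabled: bool = True

def acct(upn, roles=(), licences=(), enabled=True):
    return Account(upn, frozenset(roles), frozenset(licences), enabled)

def licensed_admins(accounts, admin_roles=ADMIN_ROLES):
    """Map UPN -> (admin roles held, licences attached) for accounts with both."""
    findings = {}
    for a in accounts:
        held = a.roles & admin_roles
        # Assumption: disabled accounts cannot sign in, so they are not flagged.
        if a.enabled and held and a.licences:
            findings[a.upn] = (sorted(held), sorted(a.licences))
    return findings

def new_findings(previous, current, admin_roles=ADMIN_ROLES):
    """UPNs flagged in the current snapshot that were not flagged in the previous one."""
    before = licensed_admins(previous, admin_roles)
    after = licensed_admins(current, admin_roles)
    return sorted(set(after) - set(before))

# Constructed snapshots of the same directory, one day apart.
YESTERDAY = [
    acct("jane.smith@example.com", ["Global Administrator"], ["office-suite"]),
    acct("adm-jane@example.com", ["Global Administrator"]),   # dedicated admin account
    acct("bob@example.com", [], ["office-suite"]),            # ordinary licensed user
    acct("old-admin@example.com", ["Global Administrator"], ["office-suite"], enabled=False),
]
TODAY = [
    YESTERDAY[0],
    YESTERDAY[1],
    acct("bob@example.com", ["Global Administrator"], ["office-suite"]),  # escalated today
    YESTERDAY[3],
]

if __name__ == "__main__":
    for upn, (roles, licences) in licensed_admins(TODAY).items():
        print(f"ALERT {upn}: roles={roles} licences={licences}")
    print("New since last run:", new_findings(YESTERDAY, TODAY))
```
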