Overview

Administrator with Licences attached

The "administrator with licences attached" alert is triggered when the system detects a user with administrative privileges and a licensed product attached to the same account.


Administrators with Licenses

  Privilege separation

  Protect user accounts

  Monitor for changes

  Risk minimisation

  Improved compliance

Controls Security Threats

Situations

Situations faced by the client

How is this check useful in the real world? As an example, let’s take a user account (say, Jane).

Problems Faced

Jane Smith uses her jane.smith@ account for usual activities: checking email, creating and saving files, sharing communications with other users. Jane is also a Global Administrator. If Jane’s account is compromised (for example, by a targeted phishing attack), then the attacker will gain access not just to Jane’s account, but also to the whole company environment (tenancy). This could be a devastating attack with no further controls on the impact.

Administrator accounts should be dedicated and separated from daily accounts. By identifying accounts at risk (those with elevated permissions that are also used for general day-to-day activity), steps can be undertaken earlier to mitigate the potential for escalation.

Solution

It is important to identify administrative accounts that are being used for day-to-day activities. These types of accounts are often held by high-value team members, and can be specifically targeted from outside because of the potential for further escalation of permissions. Left unattended, this may lead to a future account compromise being far more serious than it needs to be.

Checking all your users for their permissions and segregation of access on a regular basis is tedious, time-consuming, and at high risk of error. You cannot be expected to review all the accounts and administrative access levels on a daily basis. CatchBefore can undertake this check multiple times per day. The sooner the situation is discovered, the sooner you can take mitigation steps and reduce the potential for a larger impact.

 

Prevention

What are the main questions you should consider when working out how to manage this risk?

  • Do you have any system or solution in place to detect when administrator users also have licences attached?
  • If a normal user (with licence attached) was escalated to administrator today, would you find out?
  • Have you ever checked for administrators with licences attached?
  • What would the impact be on your organisation if an administrator account was compromised (hijacked) by a malicious actor?
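
One way to run the check described above, and to tell whether a licensed user escalated today would be noticed, is to compare two inventory snapshots. This is an added example, not CatchBefore's code; the record fields (`upn`, `roles`, `licences`) and the sample accounts are constructed assumptions about how a user export might look.

```python
# Constructed snapshots of a tenancy's user inventory (sample data, not real accounts).
YESTERDAY = [
    {"upn": "jane.smith@example.test", "roles": [], "licences": ["office-suite"]},
    {"upn": "adm-bob@example.test", "roles": ["Global Administrator"], "licences": []},
    {"upn": "raj.patel@example.test", "roles": ["User Administrator"], "licences": ["office-suite"]},
    {"upn": "li.wei@example.test", "roles": ["Global Administrator"], "licences": ["office-suite"]},
]
TODAY = [
    # Jane was escalated while keeping her day-to-day licence.
    {"upn": "Jane.Smith@example.test", "roles": ["Global Administrator"], "licences": ["office-suite"]},
    {"upn": "adm-bob@example.test", "roles": ["Global Administrator"], "licences": []},
    {"upn": "raj.patel@example.test", "roles": ["User Administrator"], "licences": ["office-suite"]},
    # Li's licence was removed, so the admin account is now dedicated.
    {"upn": "li.wei@example.test", "roles": ["Global Administrator"], "licences": []},
]


def at_risk(snapshot):
    """Map each account holding BOTH an admin role and a licence to what it holds."""
    return {
        user["upn"].lower(): (sorted(user["roles"]), sorted(user["licences"]))
        for user in snapshot
        if user.get("roles") and user.get("licences")
    }


def compare(previous, current):
    """Classify at-risk accounts as new, ongoing or resolved between two runs."""
    before, now = at_risk(previous), at_risk(current)
    return {
        "new": sorted(set(now) - set(before)),        # escalated or licensed since last run
        "ongoing": sorted(set(now) & set(before)),    # still unremediated
        "resolved": sorted(set(before) - set(now)),   # role or licence removed
    }


if __name__ == "__main__":
    report = compare(YESTERDAY, TODAY)
    for status, accounts in report.items():
        for upn in accounts:
            print(f"{status:9} {upn}")
```

Running the comparison on every scheduled check turns the first two questions above into a report: "new" entries are escalations that would otherwise go unnoticed, and "ongoing" entries are accounts still waiting to be split into a dedicated admin account and a daily account.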