Companies Have Little Control Over User Accounts and Sensitive Files: Study

Lack of Control Over Sensitive Files Leaves Companies Open to GDPR Failure

Security teams are urged to assume intruders are already on their networks. The quantity and frequency of data loss breaches lend credence to that assumption. The implication is that perimeter defenses are insufficient, and that sensitive data needs to be locked down as far as possible within the networks. A new study shows, however, that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network.

Each year, New York, NY-based data protection and governance firm Varonis analyzes the results of its risk assessments on new and potential customers. Its 2018 Global Data Risk Report (PDF) contains the findings of 130 corporate risk analyses conducted during 2017. The assessments look for free-form data at risk from existing intruders and potential malicious insiders; the process examined more than 6 billion individual files from 30 different industries across more than 50 countries.

The results clearly show that companies are struggling to control sensitive data contained in free-form text documents. A common problem is leaving files open to global access groups. For example, 58% of companies have more than 100,000 folders open to everyone -- and the bigger the company, the worse the problem. Eighty-eight percent of companies with more than 1 million folders have more than 100,000 open folders.

The problem becomes more pressing when those files contain sensitive data -- defined here as information subject to regulations such as GDPR, PCI, and HIPAA. The Varonis platform works by looking at both the structure of the network, and the content of the files. In this study it found that 41% of companies have more than 1,000 sensitive files open to everyone.

For these companies, any malicious insider or low-privileged intruder can simply access and potentially steal sensitive data, bringing the company into immediate compliance failure. Most regulations either require the principle of least privilege or imply its requirement.

Protecting sensitive files rests on two things in particular: the principle of least privilege, which restricts access to sensitive documents to authorized persons only; and privileged account management, which prevents attackers from gaining access to privileged accounts and using them to reach restricted documents. However, the Varonis study shows that companies have as little control over their user accounts as they do over their sensitive files.

A common issue with account management is the failure to remove old accounts. This usually happens when the account is no longer necessary, or its owner leaves the organization's employment. These are variously known as 'stale' or 'ghost user' accounts. Varonis found that 65% of companies have more than 1,000 stale user accounts. The study does not indicate how many of these stale accounts are also privileged accounts, but with so many sensitive documents open to everyone, an attacker's access to a privileged account isn't necessary.

"User and service accounts that are inactive and enabled (aka 'ghost users') are targets for penetration and lateral movement," warns the Varonis report. "If these accounts are left unmonitored, attackers can steal data or cause disruption without being detected."

The combination of open sensitive files and ghost accounts increases the likelihood of a data breach and compliance failure. The regulation top-of-mind with most security teams right now is the EU's General Data Protection Regulation (GDPR), with the potential for heavy fines, and due to come into force next month. 

A common perception is that if a firm can demonstrate strong attempts to protect personal data, it will not be prosecuted to the full by European data regulators. Certainly, regulators will take account of any breached firm's attempts to conform -- but overexposed documents and ghost accounts are a de facto failure.

Last month, the Irish data protection commissioner discussed how she intends to handle her GDPR remit. Ireland is particularly important because it is the European home of many large U.S. firms (such as Facebook, Google, Twitter, Pfizer, Boston Scientific and Johnson & Johnson) that have extensive offices and/or their European headquarters in what is sometimes known as Dublin's Silicon Docks.

Discussing whether 'state of the art security' would be a mitigating factor over any GDPR-relevant data breach, Ireland's Data Protection Commissioner Helen Dixon told, "it's a theoretical possibility that if they have applied objectively demonstrable state-of-the-art security and there really appears to have been nothing further they could have done, that would certainly be a mitigation criteria [sic]. But, we haven't come across it."

Regardless of all other security controls, if any firm investigated under GDPR has failed to operate least privilege for all documents containing personal data, it will likely be subject to the full sanction of the General Data Protection Regulation -- that is, 4% of global turnover.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.