You don’t need to carry the keys to the enterprise network to have a malicious hacker tail you. Here’s who’s at risk and what to do about it.

Some users’ accounts are more attractive to malicious hackers than others. Computer security experts have long focused on local administrators/root, and more recently on all-powerful network administrators such as members of the domain admins and enterprise admins groups. Those same experts warn about protecting even slightly elevated accounts, such as those of network configuration operators or printer operators. The idea is that any account with permissions and privileges beyond a regular user account is a target ripe for hacker abuse.

But it’s a mistake to think that hackers seek only the obvious prizes. Ordinary users often have more power than you think. Sometimes it seems that security experts are so obsessed with network and OS security that they forget about the data and applications the infrastructure is intended to protect.

Hackers want you!

Anyone can be an application administrator. When users have elevated rights and permissions for critical applications, they become juicy targets. I have single, mission-critical applications with literally hundreds of admins, most of whom are not elevated network or OS admins. I’ve seen single, ordinary users become application admins for dozens of applications. None of those users needs to be a local OS administrator or domain administrator, but they still have fantastic value as an exploitable target.

In some cases, privilege isn’t the point; position is. Most advanced persistent threats (APTs) collect data and email credentials for top C-level accounts. In other cases the most interesting account to outside attackers belongs to someone in charge of a large, competitive project or technology. Many APT attackers seek intellectual property and other competitive information.

Many companies consider themselves “hacked” when the company’s official Twitter or Facebook account has been compromised through a phishing attack on the employee managing the social account. Worse, the social account’s password is often the same as that user’s company account password.

Clearly, you don’t need to be a member of a network or local administrators group for your user account to glisten in the eyes of attackers.

Track your personal threat value

Some companies track each employee’s personal threat value. The idea is that each elevated permission or privilege, whether to the local computer, the network, an application, or a service, contributes to a ranking number: the personal threat value. User accounts with high personal threat values should be protected and secured accordingly. A member of the enterprise admins or domain admins group would get the highest ranking, but so would someone in charge of many mission-critical applications and services. An administrator of even one top-value application or service would be ranked fairly high, especially if successful exploitation could lead to a corporate reputational issue or embarrassment.

C-level employees would be ranked fairly high as well. Every admin of any important application should also be ranked, along with infrastructure admins for DNS, DHCP, Active Directory, and so on. In the best case, every user account is given a personal threat value and all employees are ranked from top to bottom. Some companies go even further and include computers in their rankings. Accounts whose threat value exceeds a certain threshold should be given additional protection.

Protection strategies

Accounts with elevated personal threat values should be protected in much the same way traditional elevated network and local administrator accounts are protected. At the very least, these users should work on highly protected computers with strong security configurations, up-to-date antimalware software, and aggressive auditing.

More important, these users should be given serious training about their value to hackers.

Personally, I think all highly elevated user accounts should be made to use secure administrative workstations (SAWs) when performing administrative duties. SAWs are securely configured workstations, but with additional settings that most other users would find unacceptable, such as no (or limited) Internet connectivity and application whitelisting. Although it’s critical to use a SAW for administrative tasks, I would argue that anyone with an elevated personal threat value should be forced to use one all the time. Remember: admins are most likely to be compromised when performing nonadmin duties.

Accounts with elevated personal threat values are the most important accounts in your enterprise. Treat them that way.
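The ranking idea described above can be made concrete with a small scoring script. The following is an added illustration written for this page, not the author’s tool or any vendor’s product: every weight, threshold, group name, application name and sample account in it is a constructed assumption, chosen only to show how application admin roles, position and infrastructure roles add up alongside the traditional directory admin groups, and how a score maps to a protection tier (standard, hardened workstation, SAW).

```python
"""Personal threat value (PTV) scoring and ranking for user accounts.

Added example for this article; not the author's code. All weights,
thresholds, group names, application names and sample accounts below are
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed weights for elevated directory/OS group memberships.
# Groups not listed here (e.g. Domain Users) contribute nothing.
GROUP_WEIGHTS = {
    "Enterprise Admins": 100,
    "Domain Admins": 100,
    "Administrators": 40,  # local admin on a workstation or server
    "Network Configuration Operators": 15,
    "Print Operators": 10,
}
INFRA_ROLE_WEIGHT = 60     # per infrastructure role (DNS, DHCP, AD, ...)
APP_ADMIN_WEIGHT = 20      # per application the user administers
CRITICAL_APP_BONUS = 30    # extra per mission-critical application
C_LEVEL_WEIGHT = 60        # position, not privilege
SOCIAL_ACCOUNT_WEIGHT = 25 # manages the company's public social account

# Constructed list of mission-critical applications.
CRITICAL_APPS = {"payroll", "erp", "customer-portal"}

# Assumed thresholds, checked from highest to lowest.
TIERS = [
    (100, "SAW required"),
    (40, "hardened workstation"),
    (0, "standard"),
]


@dataclass
class Account:
    name: str
    groups: list[str] = field(default_factory=list)
    app_admin_of: list[str] = field(default_factory=list)
    infra_roles: list[str] = field(default_factory=list)
    c_level: bool = False
    manages_social_account: bool = False


def threat_value(acct: Account) -> int:
    """Sum every elevated permission, privilege and position into one score."""
    score = sum(GROUP_WEIGHTS.get(g, 0) for g in acct.groups)
    score += INFRA_ROLE_WEIGHT * len(acct.infra_roles)
    for app in acct.app_admin_of:
        score += APP_ADMIN_WEIGHT
        if app in CRITICAL_APPS:
            score += CRITICAL_APP_BONUS
    if acct.c_level:
        score += C_LEVEL_WEIGHT
    if acct.manages_social_account:
        score += SOCIAL_ACCOUNT_WEIGHT
    return score


def protection_tier(score: int) -> str:
    """Map a score to the protection tier it should receive."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return "standard"


def rank_accounts(accounts: list[Account]) -> list[tuple[str, int, str]]:
    """Return (name, score, tier) rows, highest threat value first."""
    rows = []
    for acct in accounts:
        score = threat_value(acct)
        rows.append((acct.name, score, protection_tier(score)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample directory. 'bob' holds no OS or domain privilege at all,
# yet outranks the domain admin because of the applications he administers.
SAMPLE_DIRECTORY = [
    Account("alice", groups=["Domain Admins"]),
    Account("bob", app_admin_of=["payroll", "erp", "timesheets", "wiki"]),
    Account("carol", c_level=True),
    Account("dave", groups=["Print Operators"]),
    Account("erin", app_admin_of=["wiki"], manages_social_account=True),
    Account("frank", groups=["Administrators"], infra_roles=["DNS"]),
]

if __name__ == "__main__":
    for name, score, tier in rank_accounts(SAMPLE_DIRECTORY):
        print(f"{name:8} {score:4}  {tier}")
```

Feeding the script a real export of group memberships and application role assignments is the only part that changes per organization; the weights are where the arguments in the article get encoded, so keep them in one place and review them with the application owners.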