Solution

Privilege Tampering

• Access controls in operation systems, DBMSs, web servers, routers, etc. include users and their permissions or rights to access different system resources. With middle to large enterprises, this data in access controls can be very large.

• Administrators may not have the right time and tools to frequently visit access controls to make sure that all users are valid and also those users have the right level of permissions.

• An attack that starts from a privilege creation or escalation can hence go undetected for a significant time if no proper automatic auditing mechanisms exist to screen for such issues. Privilege tampering can take one of three forms:

• Creating a new account for a user. This means that an attacker may not need an insider account in this case and they will just try to create and use this new account.

• Using an existing account. An employee with proper account and permissions can be a victim of an identity theft where an attacker will try to use their account and permissions. Those are compromised accounts (i.e., internal accounts that have been compromised by external attacks). In this case, the account and permissions are valid but used by a malicious user. It can be very hard in such case to distinguish the attacker from the victim employee.

• Privilege escalation: In those cases, valid users (e.g., insiders) are trying to maliciously escalate their privileges to access resources that they are not supposed to and knowingly misuse data and exploit the system.