Assigning unnecessary permissions to users puts both the organization and the user at risk. These cases can be so complex that I will demonstrate them in a series of articles later; for now, I present only the most common dangers.
For the organization, the danger is that various kinds of misuse can take place on behalf of a user:
- either by the user themselves,
- or by another internal or external attacker who can log in using the user's account.
With excessive permissions, system-critical functions can be exploited, or business process steps can be performed that cause direct damage.
However, the abuse does not need to take place within the system. Accessing sensitive data through unnecessary privileges is a serious problem in itself, since that data can be leaked or used outside the system.
Apart from deliberate abuse, it can cause problems for the organization if the user accidentally runs unnecessary functions (having never been taught how to use them) or simply struggles to find their way around because of the many privileges shown in the system menu.
Excessive rights are also dangerous to the users themselves, because their credentials become much more valuable to an attacker.
Many types of attacks boil down to obtaining a highly privileged account in some way, logging in with it, and abusing it on the user's behalf. Moreover, the user will be the first suspect, and it is doubtful whether it would ever turn out that they were not the real attacker. As a result, users are far more vulnerable to attack, and they are exposed to much more risk when additional privileges are granted to them.
Live example: I've seen an employee from the HR department shaken by the fact that we found a wage transfer right that he thought had been revoked for years!
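The forgotten wage transfer right above is exactly what a periodic entitlement-versus-usage review is meant to catch. The following is an added example, not code from the article: a small Python script that reconciles granted rights (with their grant dates) against audit-log lines recording actual use, and flags every right that has been idle longer than a threshold, listing high-risk rights first. All users, rights, dates and log lines are constructed sample data, and the set of rights treated as high-risk (`HIGH_RISK`) is an assumption for the illustration; in a real review both would come from the IAM system and the business process owners.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: who holds which right, and since when (grant date).
GRANTS = {
    "hr.smith": {"view_employee": date(2019, 3, 1), "wage_transfer": date(2016, 5, 10)},
    "fin.jones": {"wage_transfer": date(2022, 1, 15), "approve_payroll": date(2022, 1, 15)},
    "it.lee": {"reset_password": date(2021, 7, 1), "view_employee": date(2021, 7, 1)},
}

# Assumed classification: rights whose misuse causes direct financial damage.
HIGH_RISK = {"wage_transfer", "approve_payroll"}

# Constructed audit-log lines in the form "timestamp user permission".
LOG_LINES = """\
2024-02-01T09:12:00 hr.smith view_employee
2024-02-03T10:30:00 fin.jones wage_transfer
2024-02-03T10:31:00 fin.jones approve_payroll
2024-02-05T08:00:00 it.lee reset_password
2023-01-20T14:00:00 it.lee view_employee
"""


@dataclass
class Finding:
    user: str
    permission: str
    high_risk: bool
    days_unused: int
    reason: str


def parse_log(lines):
    """Return the most recent date each (user, permission) pair was actually used."""
    last_use = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, perm = line.split()
        when = datetime.fromisoformat(ts).date()
        key = (user, perm)
        if key not in last_use or when > last_use[key]:
            last_use[key] = when
    return last_use


def find_excessive_rights(grants, last_use, today, max_idle_days=90):
    """Flag rights idle for more than max_idle_days (never used counts from the grant date)."""
    findings = []
    for user, perms in grants.items():
        for perm, granted in perms.items():
            used = last_use.get((user, perm))
            if used is None:
                idle = (today - granted).days
                reason = "never used since granted on %s" % granted.isoformat()
            else:
                idle = (today - used).days
                reason = "last used on %s" % used.isoformat()
            if idle > max_idle_days:
                findings.append(Finding(user, perm, perm in HIGH_RISK, idle, reason))
    # High-risk rights first, then the longest-idle ones.
    findings.sort(key=lambda f: (not f.high_risk, -f.days_unused))
    return findings


def run_audit(today=date(2024, 3, 1)):
    """Run the review against the constructed data; 'today' is a fixed reference date."""
    return find_excessive_rights(GRANTS, parse_log(LOG_LINES), today)


if __name__ == "__main__":
    for f in run_audit():
        tag = "HIGH RISK" if f.high_risk else "low risk"
        print(f"[{tag}] {f.user}: {f.permission} idle {f.days_unused} days ({f.reason})")
```

With the sample data, `hr.smith`'s `wage_transfer` right is reported first: it has never appeared in the logs since it was granted in 2016, so it is both high-risk and the longest idle. Rights that are in regular use (the finance user's payroll rights) are not reported, which keeps the review focused on what should be revoked rather than on everything a user holds.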