If you think about the most publicized data breaches in the last few years, specifically Manning and Snowden, you’ll realize that these weren’t perpetrated by nefarious hacker collectives such as Anonymous, but were instead perpetrated by insiders with political agendas.
The vast majority of organizations don’t do anything that would raise an ideologue’s ire. However, every organization on the planet has people who think evil thoughts about the people above them in the organization. The fictional demon Crowley in Terry Pratchett and Neil Gaiman’s book “Good Omens” opines that more pain in the world is the result of low-level constant nastiness than single acts of actual evil. Even though the book is comic fantasy, there’s something about that statement which resonates when you think about organizational security: the sum of all the low-level security breaches that occur due to vaguely dissatisfied insiders is greater than the single spectacular breaches you read about on websites such as this.
It’s a bit like sharks and car accidents. When I think about going to the beach, I vaguely worry about sharks (and being Australian perhaps box jellyfish, blue ringed octopus, crocodiles, stonefish, mutant aquatic surfer Wombats with giant razor fangs which we don’t talk about because it would scare away international tourists …), even though, if I were assessing risks properly, I’d see that I’m more likely to die in a car accident driving down to the beach than to have something happen once I got in the water. With security, we worry about and protect against the big unlikely stuff without doing as much about the constant low-level breaches that we don’t get excited about because “hey, does it really matter that Frank from Accounts has access to the list of sales contacts because someone didn’t configure the file permissions correctly on a network share?”.
Actually, yes it does – because incorrectly configured permissions are the number one way that people get access to data to which they should not have access. Manning leveraged incorrectly configured permissions. Snowden leveraged incorrectly configured permissions.
When permissions are configured incorrectly, a user that has access to a document will generally assume that there is no *problem* with them having access to that document. Deep down they might think “well I probably shouldn’t be able to see that” but they’ll rationalize it as “well if I really wasn’t meant to see it, I wouldn’t be able to open it”.
Permissions are difficult to get right because they involve the ongoing maintenance of security groups. As security groups need to be managed manually, the contents of many security groups don’t precisely align with the users that should be members of the security group.
In the long run, the solution to this problem is to move away from the permissions model we’ve used for the last few decades towards something like Dynamic Access Control – which controls access to files based on a user’s account properties and attributes. Rather than checking to see if a user is a member of the group “BlueEyes”, the user’s attributes are checked to see if their eyes are blue (that isn’t a real Active Directory attribute, but if you muck around with the schema it could be).
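The difference between the two models, as an added example that is not part of the original post: a simplified Python model (not how Windows implements Dynamic Access Control) that compares a manually maintained group with an attribute rule and reports the drift between them. The users, the group name `Sales-Contacts-Readers` and the rule are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str  # assumed to be kept current by HR / the identity system
    active: bool


# Constructed sample directory: Frank moved from Sales to Accounts and Erin
# left the company, but nobody updated the manually maintained group.
USERS = {
    "alice": User("alice", "Sales", True),
    "bob": User("bob", "Sales", True),
    "frank": User("frank", "Accounts", True),
    "erin": User("erin", "Sales", False),
}
GROUPS = {"Sales-Contacts-Readers": {"alice", "frank", "erin"}}  # bob never added


def sales_rule(user: User) -> bool:
    """Hypothetical attribute rule for the sales contacts share."""
    return user.active and user.department == "Sales"


def allowed_by_group(username: str, group: str) -> bool:
    """Classic model: access follows whatever the group currently contains."""
    return username in GROUPS.get(group, set())


def allowed_by_attributes(username: str, rule) -> bool:
    """Attribute model: access is decided from the user's current properties."""
    user = USERS.get(username)
    return user is not None and rule(user)


def membership_drift(group: str, rule) -> dict:
    """Compare a group's members with the users the rule says are entitled."""
    members = GROUPS.get(group, set())
    entitled = {name for name, user in USERS.items() if rule(user)}
    return {"excess": sorted(members - entitled),
            "missing": sorted(entitled - members)}


if __name__ == "__main__":
    print(membership_drift("Sales-Contacts-Readers", sales_rule))
    for name in sorted(USERS):
        print(name, allowed_by_group(name, "Sales-Contacts-Readers"),
              allowed_by_attributes(name, sales_rule))
```

The `excess` list is the audit finding that matters for the breaches described here: accounts that can open the share only because the group was never cleaned up.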
Long story short – you’re probably spending time and effort protecting infrastructure from big external threats, whereas you are more likely to suffer breaches due to small internal ones. One of the easiest breaches to perpetrate is to gain access to something that you can access because the permissions aren’t configured correctly. Fixing permissions won’t stop breaches from occurring, but it will reduce a class of common breaches where people are accessing material to which they shouldn’t have access.