July 14th, 2021

Overly Permissive Access - WST

Recently, the United States Supreme Court issued a decision where all nine justices found in favor of former Georgia police sergeant Nathan Van Buren and levied an opinion affecting the Computer Fraud and Abuse Act of 1986.

Van Buren was caught in an FBI sting operation accessing license plate information and associated nonpublic personal information (NPI) in exchange for payment from unauthorized individuals. Van Buren’s then-presumed felonious activities led to the United States Attorneys' successful prosecution under the Act, and Van Buren was sentenced to 18 months in prison.

Van Buren appealed, and in Van Buren v. United States, the Supreme Court heard Van Buren’s attorneys argue that although Van Buren had misused the computer system to which he had been granted access and had violated department policy, his actions did not meet the standard of “exceeds authorized access,” because Van Buren had used his duly authorized access rights to reach the data.

The government prosecutors argued that, in the statutory phrase “is not entitled so to obtain,” the word “so” extended to data that Van Buren was not allowed to access; Van Buren’s initial conviction therefore hung on the word “so.” Van Buren’s attorneys argued, and SCOTUS determined, that the phrase does not cover cases where a user has been granted the right to access the systems or data, in the “manner and circumstances in which one has the right to obtain information,” and that the word “so” does not specifically and explicitly denote which data Van Buren should and should not access. His access rights were implied by his granted ability to access the data.

This author is not a practitioner of the law and does not play one on television. However, common sense tells us that no matter what policy says (and policies are important), the practice of protecting customer data comes down to how security is actually applied, not to the words that dictate that security “must” or “shall” be applied. Van Buren’s access was granted, and that is how he reached the data; the policy limitations had no impact on his decision to act. By the time management is referring to policy during an incident, things have gone badly wrong: someone is going to be polishing their resume, law enforcement has been engaged, and it is likely too late to recover the data.

Good security practices limit access to only and exactly what a user needs to perform their job duties, and nothing more. Tellers should not have access to audit data. Mortgage loan officers should not be able to access data dumps from the core processor meant for ingestion into a data warehouse. The president of the institution does not need access to the firewall login page. And the policy should back and enforce those access restrictions and allowances to notify users and guide administrators in applying those rights.

As part of the 10-D Security Independent IT Audit scope, auditors are charged with reviewing the access granted to a least-privileged user, which in most cases is modeled after a teller or a test user account that has only been added to the Domain Users security group in Active Directory. The auditor uses this account to attempt to access any data considered NPI, and any systems and resources that a least-privilege user would not normally have access to, because that is exactly what a threat actor will do once able to reach your network. They will watch traffic, attempt to obtain additional credentials, move laterally, and then escalate privilege while attempting to avoid alerting administrators. Any files or access obtained, even administrative login prompts for network security devices or other resources, are fair game for the threat actor, and as it applies to the audit, will likely show up as findings in your report.
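A defender can run the same kind of check before the auditor does. The following script is an added example, not 10-D Security's audit tooling: run on a Windows file server, it lists every non-administrative SMB share whose share-level or NTFS permissions grant access to broad groups such as Domain Users, Authenticated Users, or Everyone, which is exactly the access a "Domain Users only" test account would inherit. The group list and the assumption that each share's root ACL is representative are the author's choices.

```powershell
# Added example: report shares reachable by a least-privileged domain account.
# Broad principals whose grants a "Domain Users"-only account would inherit
# (assumption: adjust to your environment, e.g. add custom all-staff groups).
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# Skip built-in administrative shares (C$, ADMIN$, IPC$), which have no NTFS path to review.
$Shares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

$Findings = foreach ($share in $Shares) {
    # Layer 1: share-level permissions
    foreach ($grant in Get-SmbShareAccess -Name $share.Name) {
        $name = $grant.AccountName -replace '^.*\\', ''   # strip DOMAIN\ or BUILTIN\
        if ($grant.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $name) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $grant.AccountName
                Rights    = $grant.AccessRight
            }
        }
    }
    # Layer 2: NTFS permissions on the share root (assumption: root ACL is representative;
    # extend with Get-ChildItem -Recurse if subfolders carry their own ACLs)
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $name) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'NTFS'
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Anything listed here is readable (or worse) by every domain account; each line
# should map to a documented business need or be tightened to a specific group.
$Findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share granting Domain Users "Full" or "Modify" where the data is NPI is the audit finding the article describes; fixing it means replacing the broad group with a role-specific group on both layers, since the effective permission is the more restrictive of the two.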

The next time your IT steering committee meets, consider adding an agenda item to discuss user access. Do you want your institution’s reputation and customer data to hang on the word “so” or do you want to tighten up your controls and limit access to data to the least amount of access necessary for your employees to service your customers? Let’s not have SCOTUS decide for us.

If your institution is interested in obtaining more information about our audit and technical assessment programs, including those that test privileged access, please reach out to our sales team at (913) 529-1031.

The Supreme Court opinion referred to in this article can be obtained in PDF format by going to https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf.

Authored by: Mike Smith, AWS-CCP
