Cyber security “permissions” threat preys on businesses at risk

Dr Simon Parkinson has developed a free downloadable software Creeper to help companies fight the ‘permissions creep’ cyber threat

A STEALTHY threat to cyber security can now be tackled with free software created by a University of Huddersfield researcher.

The tool – developed by Dr Simon Parkinson – is named Creeper.  It combats the problem that has been dubbed “permissions creep”.  This happens when employees – as their career develops or their role changes – accrue and retain increasing numbers of permissions to gain access to a firm or organisation’s file systems and directories, where they can then open, read and modify documents and data.

Permissions that are no longer relevant to a person’s job might never be revoked and this increases the vulnerability of computer networks, said Dr Parkinson, who is Senior Lecturer in Computer Science, with a speciality in cyber security.

“It is not necessarily a security threat,” he added.  “If a person has got an elevated permission level and they are very careful, then it is not really a problem, but it does mean that if they have unwittingly installed some malware or ransomware then there is potential for it to gain access to more information.”

The standard way to spot permissions creep is through manual auditing of file systems, but this is highly complex and time consuming.  Now, Dr Parkinson has developed Creeper, which is open source software that is available as a free download.

It uses machine learning to autonomously detect whether a user’s permissions are consistent with those of other users, or if they are irregular and warrant further investigation.

“Creeper is able to calculate a benchmark level of what it thinks is normal and then it is able to look for outliers that don’t match that model,” said Dr Parkinson.  He developed the software after being awarded a £25,000 Researcher in Residence programme at the Bradford-based Digital Catapult Centre Yorkshire, which is backed by Government funding body Innovate UK.

The importance of managing permissions and privileges is one of the 10 Steps to Cyber Security that have been issued by the Government to coincide with the General Data Protection Regulation (GDPR) that replaces the Data Protection Act in May.  Fines for data breach could be stiffer under the GDPR, said Dr Parkinson, and this makes the development of the Creeper tool especially timely.