Over the years, there has been many attacks and compromises of various networks, some of these are from internal attacks, others are from external agents. Many of these attacks are in the form of attempting to gain access to an account with high enough access to give them privileges to gain access to services they require for their purposes. In the case of Sony they were after their internal data. In these cases the enemy agents, their main goal is to gain an account with Administrative priviledges, because these accounts give unfettered access to not just a single system but multiple system, and all the data on those systems. These may include, but not limited to the workstations, servers, file servers. And in the case of Windows based systems, this could give access to even Workstations and Servers that are encrypted with Microsoft's Encrypted File System. This single all powerful account permission, gives a single attack target, and with this ability being remotely accessible it makes this an ideal target. This account alone can not only gain access to the important information, but in some cases even hide the existance of the attack.
So how could this be fixed? People may believe that this cannot be fixed, but this risk can be greatly reduced, since many attacks that are not from "inside threats", occur through phishing attacks, the simplest method is to simply seperate the users account from their administration accounts, with this change it makes it more difficult from providing unfettered access. An added level of security would to provide seperate machines for administration and day to day usage, this limits the attack plane. But either method, requires that these administrative accounts should have the least level permissions to do their job.
A better solution though it would require a great deal more configuration, and possibly functional changes with the various operating systems, is to build a system based on Privilege seperation, each administrative account will have limited access, and cannot view or access functions outside of it's mandate. So a user administration account, could manipulate the users account information, and provide privilege access to below this accounts privilege levels of this account, but would not have access to the file system. The filesystem administration account would be totally unaware of detailed user information, and could not modify or user information, and would not have access to the account passwords. Services administrator account, would give access to required file, network, and other services required to start and run the service. The main Administrator account can only modify, create, delete the privilege administrator accounts.
Priviledge seperation would provide, a greater level of security by limiting what an administrator account can do, especially if the true administrator account is only accessible from a trusted interface, this would completely limit what can be done by any of the administrator accounts, and almost completely limit unauthorized accounts or accounts receiving unauthorized permissions.
