Least Privilege: What is it, and why care?

    Nov 13, 2020 3:56:58 PM Keeran Networks

    In IT, the principle of least privilege (PoLP) refers to the concept that any process, program or user must be provided with only the bare minimum privileges (access or permissions) needed to perform a function. For instance, if a user account has been created for accessing database records, it need not have admin rights. Also, a programmer responsible for updating lines of legacy code can do so without access to the company’s financial records.

    PoLP is a cybersecurity best practice and often considered a critical step for protecting privileged access to a businesses’ high-value assets and data (including customer/employee records). Since this principle extends beyond the scope of human access, it is also applicable to systems, applications and connected devices that require certain permissions or privileges to perform a task.

    What Least Privilege is Used For

    Did you know that two of the most infamous data breaches on record, namely the ones at Home Depot[i] and Target[ii], occurred due to a compromise of their network credentials? In both the cases, hackers used privileged accounts to access critical business data and private records of customers. Taking a cue from these breaches in the past, you need to understand that whoever is looking after your IT must deploy security strategies for users and applications that perform critical functions within the network. It’s not enough to just put up protections to stop cybercriminals from getting in, you must prepare for the eventuality that they might, and limit the harm that each user profile might be capable of doing. 

    To make sure you can actually enforce this principle of least privilege, you need to have a central location from which to control permissions, while still remaining flexible enough to deal with change inside your business. Security can’t come at the cost of constantly putting up barriers to your staff carrying out their work, so you need to strike a balance between your operational and end-user needs and your compliance and cybersecurity requirements. 

    Securing Your Business

    The Vectra 2020 Attacker Behavior Industry Report[iii] highlights that privileged access is a key aspect that hackers leverage for lateral movement in cyberattacks. A hacker will rarely go for the gold straight away after getting access to a network, but instead slowly strengthen their footing. By incrementally increasing their privileges they ensure they can go for the most critical assets that a business relies upon before launching the final stage of their attack. 

    PoLP is an efficient cybersecurity strategy that can be used to restrict unauthorized access of data from the different levels within your IT environment including applications, end users, systems, networks, databases, processes and so on. You can grant permissions to your users to execute, read or write only those resources or files that they need to perform their job. Additionally, you can restrict access rights for devices, processes, systems and applications to privileges required to carry out authorized activities. 

    Managing Access Levels

    In some cases, the assignment of privileges is done on role-based attributes such as the business unit, time of day, seniority and other special circumstances. Some examples of role-based privileges include:

     Least privileged user accounts — These are standard user accounts that operate with a limited set of privileges. Under normal circumstances, most of your users should be operating under these accounts, 90 to 100 percent of the time.

     Superuser accounts — These are essentially admin accounts that are used by specialized IT users and often come with unlimited privileges. In addition to the read/write/execute privileges, these accounts have the permission to execute systemic changes in your IT network. These folks essentially have the keys to the castle, so keep their number limited.

     Guest user accounts — These accounts are created on a situational basis and often have the least number of privileges — lower than those of the standard user accounts.

     Managing Third-Party Vendor Risk

    An interesting thing to note about the Target data breach is that it started with the hackers gaining access to nearly 70 million customer accounts through an HVAC contractor who had access to Target’s network and the permission to upload executables.[iv] Apart from your internal users, you must also implement the principle of least privilege for your third-party vendors, as they can be a major security risk for your business. They can have just as much power, and therefore present an equally large risk, without even the control of having the person inside your own four walls. Limiting third-party vendor access to your critical data can be an efficient strategy towards minimizing the associated risk, and simplifying the steps that would come following any breach.

     Benefits of the Principle of Least Privilege

    We have rounded up a list of benefits of leveraging the principle of least privilege for your business. Read on:

     Diminishes the Attack Surface

    As mentioned earlier, the role of an HVAC contractor was critical to the Target data breach. Given the fact that the third-party vendor had elevated privileges, one can safely say that Target failed to implement PoLP, which consequently created a broad attack surface for the hacker to leverage.

    Under PoLP, restricting privileges for your applications, processes and users significantly diminishes the attack surface and limits the ingresses and pathways that can be exploited.

    Reduces the Impact of Breaches

    By implementing PoLP, you can significantly reduce the impact of a breach that might occur as a result of unauthorized or unwanted use of network privileges. For instance, if a user account that has only limited privileges is compromised, the scope of the damage is restrained, and catastrophic harm can be avoided.

    Reduces Malware Propagation and Infection

    Hackers usually target applications and systems with unrestricted privileges. As one of the most common web applications cyberattacks out there, a SQL injection attacks by inserting malicious instructions within SQL statements. The hacker can then enhance his privileges and acquire unauthorized control over your critical systems. However, by implementing PoLP, you can effectively contain such malware attacks to where they first entered your system. Fail to do so and a breach of a relatively minor system can have devastating repercussions for the entire organization.

    Ensures Superior Data Security Capabilities

    In addition to eliminating any security flaws on the periphery of your business, you also need to focus on minimizing the risk of proprietary data thefts and insider leaks. That means turning security’s eyes inwards; it is imperative to monitor and control the activity of your authorized users to reinforce your cybersecurity stance.

    Since PoLP restricts privilege elevations as well as the number of users that are given access to confidential information, it inherently enhances the security of your critical data.

     PoLP Best Practices

    There are certain best practices that you must follow to efficiently implement PoLP in your security policies.

    Here is a list:

    • For starters, you must conduct a privilege audit for all your existing programs, processes and user accounts to make sure that they have only the bare minimum permissions required to do their jobs. This can be a large task, so make sure to segment the process and deal with the highest priority areas first.
    • Make sure that going forward you start all your user accounts with privileges set to the lowest possible level. Once least privilege is the default for all your new user accounts, applications and systems it’s time to do the same for your existing users.
    • You must elevate account privileges as needed and only for a specific time period that is required to do the job. An efficient strategy to provide the required access while also maintaining control is using one-time-use credentials and expiring privileges.
    • Keep track of all the activity on your network including access requests, systems changes and individual logins. Having a comprehensive understanding of who is operating on your network and what they are doing is critical to maintaining control over who can access what.
    • Maintain a management platform that allows flexibility to securely elevate and downgrade privileged credentials.
    • Conduct regular audits to check if there are any old accounts, users or processes that have accumulated privileges over time and analyze whether or not the elevated privileges are still relevant. Improper off-boarding of former employees can result in an accumulation of inactive accounts that nonetheless still can be used as back doors into your environment. With credentials purchased from the dark web these can present an easy angle of attack.

    According to PoLP, organizations should operate under the zero-trust framework by not blindly trusting anything within or outside their network and verifying everything before granting permissions for access.

    Implement PoLP across your IT environment today to strengthen your cybersecurity posture. Don’t know how? Contact us now to help you understand how you can implement and leverage the powerful capabilities of PoLP.

     

     

     

    Article curated, modified, and used by permission.

     [i] https://www.webtitan.com/blog/cost-retail-data-breach-179-million-home-depot/#:~:text=The%20Home%20Depot%20data%20breach,one%20of%20the%20retailer's%20vendors

     [ii] https://arxiv.org/pdf/1701.04940.pdf#:~:text=1%20INTRODUCTION,of%20personal%20information%20were%20stolen

     [iii] https://www.securitymagazine.com/articles/91830-surge-in-attacker-access-to-privileged-accounts-and-services-puts-businesses-at-risk

     [iv] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

     

     

    Keeran Networks

    Written by Keeran Networks