Cyber security and the principle of least privilege
By Brandon Blankenship - SecMidwest
Nov. 4, 2021 6:30 am
One of the pillars of information security that many businesses struggle with is the principle of least privilege.
The principle of least privilege is the idea that accounts are created with the minimum access required to accomplish the necessary business functions.
There is a substantial risk to any organization that fails to manage access rights properly, as many cyberattacks rely on the exploitation of privileged access.
Organizations often have time, resource and knowledge constraints that lead to access rights being overlooked when new systems and solutions are implemented.
As a result, far too many people are given elevated privileges on systems that have little or nothing to do with their day-to-day jobs.
In addition, many key individuals wear many hats within an organization or serve as a backup when someone goes on vacation. Over time, employees accumulate privileges across the organization that they may no longer need but that are never taken away.
This "privilege creep," as it is often named, opens up the attack surface and compounds issues during cyberattacks.
All user accounts should be unique to the individual and unique to the resource being accessed. This means that you don't share or reuse usernames and passwords.
While there are many good reasons for not sharing passwords, one is that it provides "non-repudiation."
Non-repudiation is just a fancy word for "who did it." If malicious actions were taken with a specific account, it becomes much easier to track down the source when passwords are not shared. There is no mystery about who accessed a system when the offending account is not shared.
As an added bonus, remediation and recovery efforts during an attack can be isolated more quickly and without looming questions about whose account might be compromised.
When you are in the middle of a cybersecurity incident, you don't want to be wasting time isolating what user accounts are in scope.
This concept also holds true for service accounts that often are used by the IT team for administration. A service account should be created for each service used and not generically used across the organization for various functions.
A generic account used for multiple functions is difficult to control, especially when an IT resource leaves the company, because nobody knows everywhere the account is used or what will break when its password is changed.
Worse yet, that uncertainty, and the perceived risk of changing the password when someone leaves, become so great that the passwords remain unchanged for years as employees come and go.
That's not a good situation for anyone to be in.
An alternative to granting ever-increasing privileges to individual users is to implement role-based access control, in which privileges are assigned to a role.
Users are placed in that role during onboarding and are removed when they change roles or leave the company. Their level of access corresponds to the expected duties of that role instead of being cloned from a similar user, which may grant more access than anticipated.
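As an added example (not part of the column), here is a small Python model of the role-based approach just described, with constructed roles, users and permission names: access is computed from roles, a role change drops the old role, and an audit flags any direct grants that the current role does not justify.

```python
"""Toy role-based access model (added example, constructed data).

Privileges live on roles, not people. A role change replaces the old role,
and an audit reports "privilege creep": direct grants a user still holds
that none of their current roles justify.
"""
from dataclasses import dataclass, field

# Hypothetical role catalogue: each role lists only what its duties need.
ROLES = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "helpdesk": {"ad:password:reset", "tickets:write"},
    "server_admin": {"ad:password:reset", "servers:local_admin", "backup:restore"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # ad-hoc grants outside any role

    def effective_permissions(self) -> set:
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLES[role]
        return perms


def change_role(user: User, new_role: str) -> None:
    """Role change: drop every old role so access follows the new duties."""
    user.roles = {new_role}


def privilege_creep(user: User) -> set:
    """Direct grants the user's current roles do not justify."""
    justified = set().union(*(ROLES[r] for r in user.roles))
    return user.direct_grants - justified


def revoke_creep(user: User) -> None:
    """Remediation: strip the unjustified grants, keeping role-based access."""
    user.direct_grants -= privilege_creep(user)


def clone_access(template: User, newcomer: str) -> User:
    """The anti-pattern the column warns against: copy a colleague's access."""
    return User(newcomer, set(template.roles), set(template.direct_grants))


# Constructed scenario: Alice covered for a server admin on vacation and kept the grants.
alice = User("alice", {"helpdesk"}, {"servers:local_admin", "backup:restore"})
bob = clone_access(alice, "bob")  # Bob inherits Alice's leftover admin access
change_role(alice, "accounts_payable")  # helpdesk access gone, direct grants linger
```

Running `privilege_creep` on either user surfaces the two admin grants, and `revoke_creep` leaves each with exactly their role's permissions.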
The principle of least privilege starts with leadership. It is a cultural shift.
Taking away local admin rights for regular end-users is simple from a technical standpoint, but it becomes complicated when the people in the organization have grown accustomed to installing whatever they feel like.
Support your security team in initiatives to limit security risk, especially around access to systems.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending its free monthly meetings.