Brandon Blankenship, SecMidwest
One of the pillars of information security that many businesses tend to struggle with is the principle of least privilege.
The principle of least privilege is the idea that accounts are created with the minimum access required to perform the necessary business functions.
There is a substantial risk for any organization that does not respect the correct access rights, as many cybersecurity attacks rely on the exploitation of privileged access.
Often organizations have time, resource and knowledge constraints that can lead to overlooked access when implementing new systems and solutions.
As a result, far too many people are granted high privileges on systems that have little or nothing to do with their day-to-day work.
Additionally, many key people may wear multiple hats within an organization or act as a backup when someone goes on vacation. Over time, this situation can cause employees to accumulate privileges throughout the organization that are never taken away from them and that they may no longer need.
This “privilege creep,” as it is often called, widens the attack surface and makes the damage from a cyber attack worse.
All user accounts must be unique to the individual and unique to the resource being accessed. This means that you do not share or reuse usernames and passwords.
While there are many good reasons not to share passwords, one reason is that it offers “non-repudiation”.
Non-repudiation is just a fancy word for “who did it.” If malicious actions have been taken with a specific account, it becomes much easier to trace the source when passwords are not shared. There is no mystery as to who accessed a system when the offending account is not shared.
As an added bonus, remediation and recovery efforts during an attack can be isolated more quickly and without questioning which account might be targeted.
When you’re in the middle of a cybersecurity incident, you don’t want to waste time isolating affected user accounts.
This concept also applies to service accounts, which are often used by the IT team for administration. A service account should be created for each service used, not used generically across the organization for various functions.
A generic account used for multiple functions is difficult to control, especially when the IT staff member who set it up leaves the company and nobody knows where the account is used or what will break when its password is changed.
Worse, the lack of understanding, and the perceived risk of changing passwords when someone leaves, grows so large that passwords remain unchanged for years as employees come and go.
This is not a good situation for anyone.
An alternative to granting ever-increasing privileged access to individual users is to implement role-based access control, in which privileges are assigned to a role.
Users are placed in this role during onboarding and are removed from it when they change roles or leave the company. Their level of access matches the tasks expected of that role, instead of cloning the access of a similar user, which may grant more access than intended.
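As an added illustration of the two ideas above (privilege creep from direct grants, and role-based access as the fix), here is a small Python model that is not part of the original column. The roles, entitlement names and the user “alice” are constructed for the example; it derives a user's access from role membership, flags direct grants that no current role justifies, and shows that a role change removes the old role rather than stacking it.

```python
from dataclasses import dataclass, field

# Constructed sample roles and entitlements; the names are illustrative only.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"reset_user_password", "read_tickets"},
    "dba": {"db_read", "db_write", "db_backup"},
    "finance": {"gl_read", "gl_post"},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # Privileges handed directly to the person (e.g. as a vacation backup)
    # rather than through a role: this is where privilege creep comes from.
    direct_grants: set = field(default_factory=set)


def role_privileges(user):
    """Privileges the user holds purely through current role membership."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in user.roles))


def effective_privileges(user):
    """Everything the user can currently do: role privileges plus direct grants."""
    return role_privileges(user) | user.direct_grants


def privilege_creep(user):
    """Direct grants that none of the user's current roles justify."""
    return user.direct_grants - role_privileges(user)


def change_role(user, old_role, new_role):
    """Move a user between roles: the old role is removed, not kept alongside.

    Returns the direct grants that should be re-reviewed after the change."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    return privilege_creep(user)


def offboard(user):
    """Leaving the company removes every role and every direct grant."""
    user.roles.clear()
    user.direct_grants.clear()
    return effective_privileges(user)


def audit(users):
    """Report users whose access has crept beyond what their roles define."""
    return {u.name: privilege_creep(u) for u in users if privilege_creep(u)}
```

Running `audit()` over the user directory on a schedule gives the review list that the column's “cloning a similar user” problem would otherwise hide.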
The principle of least privilege begins with leadership. It’s a cultural change.
Removing local administrator rights for regular end users is technically straightforward, but it gets complicated when members of the organization have gotten used to installing whatever they want.
Support your security team in initiatives to limit security risks, especially around system access.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based nonprofit focused on cybersecurity education. Visit SecMidwest.org for more information on attending its free monthly meetings.