Do you know one of the most common cybersecurity mistakes small businesses make?
Not properly administering access throughout their networks.
Everyone gets access to everything, so a single compromised account can expose large amounts of data.
Let’s look at how you can implement the principle of least privilege and reduce your attack surface.
What is the principle of least privilege?
The principle of least privilege is a methodology for granting access in information systems. Every user or application is given only the minimal access they must have to do their job and no more. Furthermore, access is granted based on the function of a person or application rather than on who they are or what their title is.
Let me explain:
Security access should be strictly controlled and granted only where there is an actual need.
The CEO of the company doesn’t necessarily need access to everything and every piece of data on the network.
In fact, senior business leaders should have as little access as possible.
Limiting the access these executives have means that should an attacker compromise their account, the attacker gains far less than they would from an account that can reach everything.
This applies to everyone in the company.
John Kindervag has outlined a list of access control criteria in the Zero Trust security architecture that we can borrow for the principle of least privilege: where, what, who, when, how, why.
Before granting an individual access to a system or data, you should answer as many of these access control criteria as you can.
Access control questions:
- What: Precisely what data or systems does the individual need access to? What is the minimum amount of access they can have and still do their job?
- Where: Where is the data or system located? For example, if you have an HR office in Germany and the US, do the US employees need access to the data on the German server?
- Who: Which employee is it? Remember each employee should use an individual account, not a shared one.
- How: How will the data be accessed? Will the files on the server be accessed via FTP? SMB file share?
- When: When does the individual have access to the data at that location? Are they only allowed to use the VPN during business hours?
- Why: Why does the individual employee need access to that particular data or system? For example, the HR manager needs access to employee records so they can do their job.
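To make the questions concrete, here is an added example (not from the original article) of a deny-by-default access check: each grant records the answers to who, what, where, how, when and why for one person and one resource, and a request is allowed only if a grant answers every question the same way. The account names, server names, protocols and business-hours window are constructed for illustration.

```python
"""
Least-privilege access decision built from the who/what/where/when/how/why
questions. Added example with constructed data; anything not explicitly
granted is denied.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed office hours


@dataclass(frozen=True)
class Grant:
    who: str                    # an individual account, never a shared one
    what: str                   # the data set or system, e.g. "hr-records"
    where: str                  # the server/location that holds it
    actions: frozenset          # minimum needed: {"read"} or {"read", "write"}
    how: frozenset              # protocols allowed, e.g. {"smb"}
    why: str                    # business justification, kept for audits
    when: Optional[Tuple[time, time]] = BUSINESS_HOURS   # None = any time


@dataclass(frozen=True)
class Request:
    who: str
    what: str
    where: str
    action: str
    how: str
    at: datetime


def evaluate(req: Request, grants) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    reasons = []
    for g in grants:
        if (g.who, g.what) != (req.who, req.what):
            continue                      # grant is for someone or something else
        if req.where != g.where:
            reasons.append(f"where: grant covers {g.where}, not {req.where}")
        elif req.action not in g.actions:
            reasons.append(f"what: {req.action} not in {sorted(g.actions)}")
        elif req.how not in g.how:
            reasons.append(f"how: {req.how} not in {sorted(g.how)}")
        elif g.when and not (g.when[0] <= req.at.time() <= g.when[1]):
            reasons.append(f"when: {req.at.time()} outside {g.when[0]}-{g.when[1]}")
        else:
            return True, f"allowed: {g.why}"
    return False, "; ".join(reasons) or "no grant for this user and resource"


# Constructed grants: the German HR manager maintains records on the German
# server; a US payroll clerk only needs to read the US server over SMB.
GRANTS = [
    Grant("anna.schmidt", "hr-records", "de-hr-01",
          frozenset({"read", "write"}), frozenset({"smb"}),
          why="HR manager (DE): maintains employee records"),
    Grant("maria.lopez", "hr-records", "us-hr-01",
          frozenset({"read"}), frozenset({"smb"}),
          why="Payroll clerk (US): reconciles payroll against HR records"),
]


def decide(who, what, where, action, how, at, grants=GRANTS):
    """Convenience wrapper; `at` is an ISO timestamp such as 2024-03-12T10:30."""
    return evaluate(Request(who, what, where, action, how,
                            datetime.fromisoformat(at)), grants)


if __name__ == "__main__":
    for args in [
        ("maria.lopez", "hr-records", "us-hr-01", "read", "smb", "2024-03-12T10:30"),
        ("maria.lopez", "hr-records", "de-hr-01", "read", "smb", "2024-03-12T10:30"),  # wrong location
        ("maria.lopez", "hr-records", "us-hr-01", "write", "smb", "2024-03-12T10:30"), # no write need
        ("maria.lopez", "hr-records", "us-hr-01", "read", "ftp", "2024-03-12T10:30"),  # wrong protocol
        ("maria.lopez", "hr-records", "us-hr-01", "read", "smb", "2024-03-12T23:00"),  # after hours
        ("bob.jones", "hr-records", "us-hr-01", "read", "smb", "2024-03-12T10:30"),    # no grant at all
    ]:
        print(args[0], args[2], args[3], args[4], args[5], "->", decide(*args))
```

Note that the reason string names the question that failed, which is exactly what you want in an audit log: it tells the reviewer whether the grant is too narrow or the request was out of scope.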
Why is limiting access so important for information security?
Limiting users’ access to data and systems in your environment is important because it reduces the attack surface, helps stop the spread of malware, improves end-user productivity, and helps streamline compliance and audits. Overall, it means that an attacker will have to work much harder to pivot through your environment.
Let’s dig into each of these
Reducing cyber attack surface
Most cyber attacks today begin with the attacker gaining an initial foothold through an exploit or social engineering, usually on an ordinary user’s account or workstation. From there they look for ways to pivot to an account with administrative privileges, typically an IT administrator. The fewer rights the compromised account holds, and the fewer systems it can reach, the fewer paths the attacker has from that foothold to anything valuable.
Preventing the spread of malware
Malware doesn’t spread through your environment as easily when access is properly limited. For example, malware that runs under a standard user account cannot install services, modify system files or disable security software without an administrator’s credentials: on Windows those actions either fail or trigger a User Account Control prompt, which limits what the malware can do on that machine and how far it can spread.
Streamlining compliance and audits
Most cybersecurity frameworks and regulations require that least privilege principles are followed. HIPAA’s minimum necessary standard, for example, requires covered entities to limit each workforce member’s access to protected health information to what their role needs. If access is already limited, the work needed to demonstrate compliance with rules like this is much smaller.
Examples of privilege and access mistakes
We see a lot of access control and privilege management mistakes and misconfigurations during penetration tests.
In fact, we regularly use lapses in access control to get access to troves of sensitive information.
This is especially true of C-suite employees.
They are simply granted access to everything in the environment, even when they don’t actually need it.
Let’s look at a few examples of places you should enforce least privilege and mistakes we often see.
- Third-party access: Most companies have vendors or third parties who need access to their systems or data, such as a software vendor that remotely connects to computers to provide support, or a billing company you share payment data with. Limit each vendor’s access to what the engagement actually requires, and monitor that access closely.
- Users with administrative access to computers: Windows has two main account types, standard users and administrators. Administrators can change configuration and install software on the device. Everyone should do their daily work in a standard account, including IT personnel, who should keep a separate administrative account and use it only for administrative tasks. This reduces the risk of malware running with administrative privileges.
- Database users: It is tempting to let users access all data in a database for ease of management. This poses huge risks. Users and applications that access data in your database(s) should only have access to the tables they need, and if they only need to read data, they should not have write permissions.
- Removing access from former employees: We see this a lot during penetration tests: users who are no longer with the company still have active accounts. IT should work closely with HR so that hiring and terminations are communicated promptly and access can be removed on the day someone leaves. Periodic audits catch the stale accounts that slip through.
- Shared user accounts: Each user in your environment should have a unique account, and employees should not share accounts. Among other reasons, shared accounts provide no non-repudiation: if something happens under a shared account, you cannot prove who actually did it.
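The administrative-account, former-employee and shared-account mistakes above are all things you can find with a periodic audit of your directory against the HR roster. The following is an added example (not from the original article) of such an audit run over a constructed account export: it flags leavers whose accounts are still enabled, accounts nobody has used for a long time, accounts with no individual owner, non-IT staff in the Administrators group, and IT staff whose everyday account is itself an administrator. The CSV rows, the roster, the "adm-" naming convention for separate admin accounts and the 90-day threshold are all assumptions.

```python
"""
Account audit over a constructed directory export and HR roster.
Added example; the data, naming convention and threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: account, owner (per HR), enabled flag, last logon, groups.
ACCOUNTS_CSV = """\
account,owner,enabled,last_logon,groups
jsmith,John Smith,true,2024-03-10,Domain Users
rpatel,Rita Patel,true,2023-10-01,Domain Users
tlee,Tom Lee,false,2023-01-05,Domain Users
kwong,Kevin Wong,true,2024-03-11,Domain Users;Administrators
adm-kwong,Kevin Wong,true,2024-03-11,Administrators
reception,,true,2024-03-11,Domain Users
msanchez,Maria Sanchez,true,2024-03-12,Domain Users;Administrators
"""

# Constructed roster from HR: people currently employed and their department.
# Rita Patel and Tom Lee have left the company and are therefore absent.
HR_ROSTER = {
    "John Smith": "Sales",
    "Kevin Wong": "IT",
    "Maria Sanchez": "Finance",
}

ADMIN_PREFIX = "adm-"   # assumed convention for separate administrative accounts


def audit(accounts_csv, hr_roster, today, stale_after_days=90):
    """Return a list of (account, finding) pairs for IT to act on.

    `today` is an ISO date string such as 2024-03-12.
    """
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=stale_after_days)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        name, owner = row["account"], row["owner"]
        enabled = row["enabled"].lower() == "true"
        last_logon = datetime.strptime(row["last_logon"], "%Y-%m-%d")
        groups = set(row["groups"].split(";"))

        # Shared or generic accounts: nobody to attribute actions to.
        if not owner:
            findings.append((name, "no individual owner: shared account, "
                                   "actions cannot be attributed to a person"))
        if not enabled:
            continue   # already disabled; nothing left to remove
        # Leavers: owner is no longer on the HR roster.
        if owner and owner not in hr_roster:
            findings.append((name, f"owner {owner} not on HR roster: disable"))
        # Stale accounts: enabled but unused past the threshold.
        if last_logon < cutoff:
            findings.append((name, f"stale: last logon {last_logon:%Y-%m-%d}"))
        # Administrative rights: only IT, and only on a separate admin account.
        if "Administrators" in groups:
            if hr_roster.get(owner) != "IT":
                findings.append((name, "in Administrators but not IT: remove"))
            elif not name.startswith(ADMIN_PREFIX):
                findings.append((name, "IT everyday account is an administrator: "
                                       "use a separate admin account for admin tasks"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(ACCOUNTS_CSV, HR_ROSTER, "2024-03-12"):
        print(f"{account:12} {finding}")
```

On a real network the export would come from whatever directory you run and the roster from HR; the point of the example is that every check is a simple join between the two, so there is no reason the audit cannot run on a schedule rather than once a year before a pentest.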
The principle of least privilege is fundamental to network security.
When employees have more access than they need to do their jobs, attackers can pivot through your network very quickly and exfiltrate sensitive information.
Following a least privilege access model makes that much harder; we’ve seen this first hand on penetration tests.