What is the Principle of Least Privilege?
And why failing to adopt it can create a broad attack surface for your company
The principle of least privilege (POLP), also known as the “principle of least authority”, is a security concept based on limiting access to the minimum necessary for an action to be performed. Contrary to popular belief, the least privilege concept does not only apply to users. In fact, it covers multiple areas, such as hardware, systems, processes, applications, and more. However, the focus of this article is going to be the concept of least privilege applied to your employees, or in other words, how limiting your users’ rights to the lowest level possible will close security holes in your organization.
Principle of Least Privilege Definition
So, what is the principle of least privilege?
In simple terms, the concept refers to users not being able to access information or perform actions unless they absolutely must in order to do their jobs. The same applies to every single area that I’ve mentioned above and it also extends to real-life scenarios.
Think about it: why would someone from the IT department need access to your payroll reports? Or why would your entire pool of employees be able to view, download, and edit your customers’ database? Actually, does every single user really need full admin rights at all times?
Not applying the principle of least privilege is a fundamental security mistake that threatens your organization, encourages the propagation of insider threat, and puts your business’ data at high risk.
One thing you should keep in mind is that the least privilege model isn’t all about taking away admin rights from your employees. It also involves monitoring the access for the ones who do have admin rights and temporarily escalating and de-escalating users’ rights.
The principle of least privilege must be part of your cybersecurity strategy since it will lower the risks of malware infections and data breaches.
Real-life examples of organizations that failed to adopt POLP
According to research, 74% of data breaches happen due to privileged credential abuse. Yes, that many breaches could have been prevented if only the wrong users did not have the “right” privileged accounts to be abused by malicious actors.
Here are some examples of companies involved in cyberattacks because they did not follow the principle of least privilege.
After Marriott acquired the Starwood hotel chain, in 2018 they discovered that an unauthorized access incident had been occurring for four years (starting two years before the acquisition). The data for 500 million customers was leaked. And for around 327 million customers, “the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” For some of these hotel guests, the data also featured encrypted payment card numbers and payment card expiration dates.
In this case, “unauthorized access” refers to the hotel chain failing to properly manage privileged access within the organization. And the worst part is that the incident occurred for four years due to poor admin rights management.
In 2016, an employee of the UK accounting and payroll software company Sage was arrested for an insider threat data breach. Allegedly, the employee used unauthorized access to steal the organization’s confidential information on between 200 and 300 of its customers, including addresses, insurance numbers, and bank account details.
The financial services giant based in Quebec, Canada was affected by a massive data breach caused by insider threat. The incident took place in the summer of 2019 and the personal information of more than 2.9 million members was shared with people outside of the organization. The compromised data included names, dates of birth, social insurance numbers, addresses, phone numbers, email addresses, and banking details. According to the source, passwords, security questions, and PINs were not disclosed.
An attacker with insider knowledge stole the personal data of 2 million of Vodafone’s customers from a server located in Germany. The malicious actor worked for a company contractor and was not a direct Vodafone employee, which only emphasizes that vendor privileges should also be carefully monitored.
Korea Credit Bureau
An employee from the Korea Credit Bureau (KCB) was arrested and accused of stealing the data from customers of three credit card firms. The sources say that he was working for them as a temporary consultant. The number of affected users was at least 20 million, which makes up almost 40% of South Korea’s total population. The data included names, social security numbers, phone numbers, credit card numbers, and expiration dates. The data was sold to marketing companies, whose managers were also arrested.
This list could go on and on, but I believe you’ve learned the lesson and got an idea of what can happen if the wrong people have high levels of privileges inside your organization.
How can you apply the principle of least privilege?
First of all, let’s take a look at two important concepts related to POLP:
- Privilege bracketing
- Privilege creep
What is privilege bracketing?
Unlike standard user accounts, admin accounts have increased privileges and therefore pose higher risks. From a cybersecurity standpoint, it’s best to grant admin rights to your users only when they actually need them and for the shortest time possible that still enables them to complete their tasks.
This approach is called privilege bracketing. Basically, it refers to the practice of raising a user’s permission level only for the shortest timeframe needed to complete a task and afterward de-escalating their rights. Privilege bracketing can be automated and controlled by privileged access management software.
How about privilege creep?
Another important aspect related to POLP is privilege creep, also known as access creep. This concept applies to users who gradually gather unnecessary permissions. The behavior commonly occurs in companies where employees change job functions or departments and their user privileges are not modified to reflect their new roles. This way, the users end up having privileges for multiple positions.
POLP, a crucial layer of defense for your organization
You should keep in mind that POLP is just a single layer within your overall security strategy. The principle of least privilege itself or the privileged access management solutions will not be able to stop malicious code or prevent unwanted network connections.
This means that other tools and technologies should be deployed as well to cover all potential security gaps in your company. To accomplish this effectively, you should also be running a complete EDR solution that addresses common concerns like security issues related to unpatched software, advanced malware, network vulnerabilities, social engineering attacks, data breaches, email fraud, etc.
What are the benefits of least-privileged user accounts?
As you can probably already tell, the principle of least privilege is of utmost importance inside any organization. Its purpose is to protect a company’s assets from both potential insider and outsider threats. Every business that includes the principle of least privilege in their IT security strategy makes sure that they deny access to their employees to certain information, data, and systems that they do not need to access to be successful in their role.
Here are some major benefits of applying the principle of least privilege for your organization:
#1. Avoiding malware propagation
For instance, let’s suppose a system has been infected by malware. If this system is part of an organization that follows the principle of least privilege, the malware will not be able to spread to other computers. This means that you will reduce the chances of viruses, worms, or rootkits being installed, since most of your employees will not have the admin rights that enable their installation. Furthermore, since a potentially affected user has limited rights, the malware will not be able to produce any catastrophic damage, such as permanently deleting or downloading proprietary data.
#2. Limiting entrances for malicious actors
Assigning the proper privileges to each user’s job function will prevent malicious employees from stealing data and getting access to confidential information, using it for their own gain, and selling it on the dark web.
Shockingly, according to a study conducted among UK employees, 25% of respondents suggested that they would be open to selling data for the right price (£1,000 or $1,280, that is). Moreover, 1 in 10 respondents admitted that for £250 or less, they would also sell intellectual property, such as product specifications, product code, and patents. Likewise, if a user’s credentials get compromised, the cyber attacker will only have limited access to your organization’s resources.
A least privilege policy creates fewer targets for malicious actors while promoting a healthy IT environment.
What’s more, the danger of unintentional insider threats can always exist inside your organization. This means that some employees may unknowingly do harm by clicking on phishing links or following instructions received from imposters.
#3. Improving data classification
The principle of least privilege can also help your company better classify its data. This way, you will always know who has access to what data and where exactly it’s stored in case someone gains unauthorized access.
#4. Complying with regulatory requirements
By applying POLP in your organization, you can improve audit readiness and at the same time achieve regulatory compliance. Currently, many standards require companies to grant employees only the rights they need to complete their daily operations. However, even if it’s not mandatory for your business to comply with these regulations, keep in mind that as a best practice, the principle of least privilege should always be implemented.
How to implement the principle of least privilege
Now that you know how applying the principle of least privilege will benefit your organization, here are some best practices on how you should implement it.
- Set up a privilege audit
This is the first step that will allow you to verify all your accounts and see exactly what permissions have been granted to your users.
- Define what level of privilege each account needs
By default, all accounts should have the lowest level of privileges possible. You should only increase privilege rights as required for certain people to be able to perform their jobs.
- Apply the concept of privilege bracketing
This means that privileges should be raised for users that absolutely require them to perform their jobs for a limited time only. It’s advisable to use a tool that enables you to escalate and de-escalate your users’ rights and set up expiry times for their privileges.
- Use automatic auditing
The privileged access management tool of your choice should also allow you to see full audit trails so you are always aware of what has been run by your users during the time their rights were elevated.
- Prevent privilege creep
Make sure you audit privileges regularly to catch situations where long-standing users have accumulated privileges over time, and check whether they still need them. Also, monitor when and how your developers use their accounts so you immediately identify any unusual activity.
- Bear in mind the danger of physical devices
In some cases, implementing POLP might be as easy as simply disabling the USB ports on your devices so your employees are not able to insert USB drives to download your confidential information or infect your systems with malware.
- Choose a privileged access management solution
For instance, Thor AdminPrivilege™ offers you endpoint protection through admin rights management and a complete overview of your users’ activity. At the same time, it provides an automatic de-escalation of privileges if an endpoint has been flagged for suspicious behavior.
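The practices above (a per-role privilege baseline, privilege bracketing with an expiry time, an audit trail of elevations, and a periodic check for privilege creep) as a small toy model; this is an added example, not code from the article or from any PAM product, and the role names, permission strings, and scenario are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role baselines (assumed, not from the article): what each job needs.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance": {"payroll:read", "payroll:write"},
}

@dataclass
class Account:
    user: str
    role: str
    granted: set = field(default_factory=set)  # standing permissions
    bracket: "tuple | None" = None             # (permission, expires_at) while elevated

class PrivilegeManager:
    def __init__(self):
        self.audit = []  # (timestamp, user, event): the trail an auditor reviews

    def elevate(self, acct, permission, now, ttl=timedelta(minutes=30)):
        # Privilege bracketing: raise rights only for the window the task needs.
        acct.bracket = (permission, now + ttl)
        self.audit.append((now, acct.user, f"elevate {permission} for {ttl}"))

    def effective(self, acct, now):
        # Permissions in force right now; an expired bracket is de-escalated and logged.
        perms = set(acct.granted)
        if acct.bracket:
            perm, expires = acct.bracket
            if now < expires:
                perms.add(perm)
            else:
                acct.bracket = None
                self.audit.append((now, acct.user, f"de-escalate {perm} (expired)"))
        return perms

    def creep(self, acct):
        # Privilege creep: standing permissions that exceed the role's baseline.
        return acct.granted - ROLE_BASELINE[acct.role]

def demo():
    # Constructed scenario: a user who moved from finance to development kept payroll access.
    pm = PrivilegeManager()
    alice = Account("alice", "developer", {"repo:read", "repo:write", "ci:run", "payroll:read"})
    t0 = datetime(2024, 1, 1, 9, 0)
    pm.elevate(alice, "endpoint:manage", t0)
    during = pm.effective(alice, t0 + timedelta(minutes=10))
    after = pm.effective(alice, t0 + timedelta(minutes=45))
    return pm.creep(alice), "endpoint:manage" in during, "endpoint:manage" in after, len(pm.audit)
```

Running `demo()` reports the leftover `payroll:read` permission as creep, shows the elevated right present inside the bracket and gone after it expires, and leaves two audit entries (the elevation and the automatic de-escalation).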
In short, the principle of least privilege is a basic cybersecurity concept that bolsters your defenses and enables you to give your users only the permissions they really need to perform their tasks. No matter how much you trust your employees and how skilled they are, they should have limited access to your company’s resources for the aforementioned reasons.