Thycotic Telephone Number +1-202-802-9399 (US)

Thycotic’s Cyber Security Publication

What is Least Privilege? Why you need it and how to get started

Written by Joseph Carson

November 20th, 2018

Least privilege calls for granting only the minimum permissions required by an end-user, application, service, task or system to perform the jobs they have been assigned.

Least privilege is intended to prevent “over-privileged access” by users, applications, or services to help reduce the risk of exploitation without impacting productivity or involving the IT help desk.

It may help to think of least privilege by its other name—least authority—as it provides only enough authority for an entity to complete the job at hand. The least privilege model can also help curtail costs and increase efficiency.

In this video, Thycotic’s Chief Security Scientist and author of “Least Privilege for Dummies,” Joseph Carson, explains what least privilege is, and its importance in your organization’s cyber security strategy:

Implementing least privilege needn't be hard.

Privilege Manager makes least privilege adoption easy for users and reduces the workload for IT/desktop support.

Why has the least privilege model become central to cyber security best practices?

  1. Least privilege harnesses technology to reduce risks caused by cyber fatigue

Globally, organizations are being challenged by an ever-growing cyber threat landscape and are experiencing serious cyber fatigue. Their employees are dealing with constant information overload about cyber-attacks, ransomware, identity theft and phishing scams.  They reuse previous passwords (under pressure to constantly change passwords every time there’s news of a data breach), which increases both cyber risks and cyber fatigue.

Least privilege access control enforces safer practices

Cyber fatigue is occurring at all levels of the organization, from the CISO looking for metrics on the company’s exposure to cyber-attacks to the IT Security team trying to force employees to be more secure. The organization must meet compliance, and employees need to perform their daily tasks, but nobody knows if the next email is the one that contains malware or might attempt to steal their identity or their credentials.

Least privilege access control enforces safer practices and reduces the likelihood of your organization experiencing cyber fatigue-induced errors.

  1. Least privilege reduces the burden of responsibility on employees

For years, employees across all departments in most organizations have routinely practiced risky behavior, usually unintentionally and unknowingly. They do this by clicking on attachments or links within emails not knowing what might happen next; by logging into internet services using the same password they use for their Facebook account, corporate email and bank account; or by simply plugging in a USB stick they got for free at the last conference they attended.

Despite efforts to raise cyber security awareness and train users on secure behavior, 25% of your employees will open phishing emails, and more than one in ten will click on an attachment that contains malware. (The employee behavior stats on this infographic are cause for alarm.) These types of successful social engineering attacks are just one reason why employee workstations and personal devices are the most vulnerable part of your IT systems.

By implementing privileged access control you relieve employees of some of the responsibility for your organization’s security, and simultaneously reduce your risk level.

The balance between your security solutions and ease of use is critical to security outcomes

IT Security tries to balance the needs of the business while at the same time securing and protecting your organization’s most valuable assets.  To secure the organization, IT Security usually attempts to. However, this can create conflict between IT Security and the rest of the employees as they attempt to complete their tasks with reduced access.

Privileged accounts exist everywhere in your IT environment. In many cases, users may not even realize the type of access they possess. They only know that when access is denied, they can’t get their work done. Hackers and cyber-criminals target these privileged accounts because once compromised, they provide the ability to move across your systems and networks undetected.

All it takes is one compromised user with local administrative privileges to gain full control or steal your most sensitive information

Too many over-privileged users increase the business’s cyber risks

Organizations today typically face major challenges when implementing a least privilege policy because built-in limits on access can impact employee productivity. One thing is clear: when an employee has too many privileges you typically do not hear from them, but when privileges are limited or restricted and the employee is unable to access an account, launch an application or connect to a printer, the IT help desk will surely be the first to know.

Unhappy employees are quick to call the help desk when they are unable to perform their jobs. This usually results in the IT help desk making the user over-privileged, and while they can now perform their job it is at the increased risk of turning a simple incident into a major catastrophe. Should the over-privileged employee fall victim to a cyber-attack, the attack could easily escalate to the entire organization.

Introducing: Least Privilege Access Control

Least privilege access control helps build upon a Zero Trust strategy and includes a risk-based security strategy.  Zero Trust is a place where most organizations should begin, and this means that all access requested by any user or system to the network, services, applications, data or systems is verified, and trust is built but continuously challenged if the trust is changed. This requires organizations to classify users and systems into trust risks, for example, different security controls between employees, contractors, suppliers, temporary or department sensitivity.

Endpoints are the entry point for 85% of all data breaches

Get proactive protection for your endpoints with Privilege Manager.

Cyber security classifications of trust and accepted risk can be dynamic. That is, you create different policies or rules across the enterprise for identities, services, applications, data, and systems.

The more access you have or request the more security controls you must satisfy before you get access.  You have the choice of trust as always, verify, or always audit, depending on how much risk you must reduce.

When implementing Least Privilege you will first want to do the following:

DISCOVER ALL Admin and Local Admin Privileges

First, you should automatically discover all admin and local admin privileges across the environment, and this includes privileges inherited via group memberships.  It is important to know what employees, devices, software, services, applications and hardware have privileged accounts provisioned.  This will help identity where your organization is compliant with industry compliance requirements, and possible gaps that need to be secured further.

INVENTORY ALL your Devices and Software

It is critical that you know what software is deployed and how software gets deployed, so knowing where it was installed from in the first place is a good way to get to know the organization’s risks.  Was software installed from SharePoint, a USB device, downloaded from the internet, via an email or deployed using a software delivery solution?  This will help determine what applications you have, whether you are properly licensed, trusted vendors your organization depends on, suspicious applications, and the most common method chosen by users to install the software.  Depending on your organization’s IT Policy, you might want to determine at this stage your preferred method of deployment, and what should be restricted.

MONITOR PRIVILEGES and Learn Usage

Before enforcing restrictions or least privilege you will want to learn about the common usage: which employees are actively using their privileges and which users are potentially over-privileged.  Now you can determine which users’ administrative privileges need to be replaced with policies to ensure that they can continue doing their job without any disruption.

REPLACE PRIVILEGES with Automation Policies

Once you have audited the environment you can start to remove or reduce privileges from users who no longer require them. For those who actively require them you can replace privileges with policies that allow the task to be elevated on demand without the user becoming over-privileged.

By combining both Privileged Access Management and Application Control you can control access to devices, services, applications, data and hardware, and control which actions they can perform.

 

Combining privileged access management with application control

 

It is also best practice to combine Least Privilege with Privileged Access Management using the PAM Life-cycle:

Combine Least Privilege with Privileged Access Management using the PAM Life-cycle

The Benefits of the Least Privilege Model

The benefits of implementing a least privilege strategy are significant for all organizations.

Most organizations today need to satisfy various compliance requirements and regulations.  A strong least privilege strategy will help organizations meet most compliance and regulations requirements for restricting administrator access, so look at your least privilege strategy as a fast track to meeting most of your compliance security requirements.

Patch Management is one of the most repetitive, challenging tasks that all organizations must carry out, yet they continuously fail at staying current.  As most exploits on Windows require local administrative rights, least privilege security helps reduce the risk of more than 90% of Microsoft Windows Vulnerabilities. So, you can focus on only those vulnerabilities that are exploitable without local admin rights.  This saves an organization both time and money as it becomes more effective at patching critical vulnerabilities.

Malware and Ransomware risks will be reduced because the user will not be able to execute untrusted applications, so an accidental click on that malicious email attachment will be prevented from infecting the system or any other system on the same network.

In Summary, a Strong Least Privilege Strategy will:

  1. Reduce costs: Save time and money by managing users securely. 
  1. Produce empowered, happier employees: They can perform their duties without encountering roadblocks. 
  1. Fast track compliance: Automate reporting will satisfy auditors. 
  1. Improve security: Block cyber-criminals and malicious insiders from exploiting password compromise.

SHARE THIS


The following two tabs change content below.

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.