The Principle of Least Privilege Explained – Day 27 of Cybersecurity Awareness Month
Mike Miller 00:06
Welcome to our video series explaining cybersecurity terms and best practices in simple and understandable language. Today we’re here to talk about the concept known as least privilege. This sounds important, and I’m sure it is. And with us to explain what least privilege means is Craig Taylor, Co-Founder and CEO of CyberHoot. Craig, what is least privilege? And why is it important to small businesses and managed service providers?
Craig Taylor 00:31
Mike and Shelly’s least privilege, it refers to the access given to a device, a network, a computer or a data store. So a database or an application in a company. And the least privilege means giving them only the privileges to do what their job requires. So for example, on a computer, you may not need administrative rights to do your job, you could run as an unprivileged user, which would prevent you from installing software, things of that nature. It’s important because giving a user, especially a new user, too much access or control can spell disaster. For example, accidentally exposing critical or sensitive information could happen, or someone might click on a file they shouldn’t, and they have the rights to install the software. And that could lead to a compromise of the computer network at that company.
Mike Miller 01:30
Okay. So that’s, it sounds like a good idea, you know, but what are some of the ways in which least privilege could be implemented at a company that, you know, might be listening to this?
Craig Taylor 01:42
First off, when I’m called in to consult with a company through our vCISO offering or as a risk assessment, I always ask if they remove administrative rights to all their users. And I usually get quite a bit of pushback, because it’s what people are used to receiving. They don’t like having shackles on what they can do with their computers, especially power users. In those cases of power users, I’m often telling them, well, give them a second account for administrative rights if they absolutely need them.
For someone that knows what they’re doing, or is a developer or an engineer, because they will have enough occasion that they don’t want to wait for IT to wander up to their desk to install software, or do what it is they need. Another important step for least privilege is classifying the data in your company, knowing what data you have, and where it lives. So that you can set application controls, file permissions, maybe even segment the network to prevent access from everyone, perhaps to the human resources file share, or the Human Resources network, or perhaps the finance department is on their own network segment. And you control and limit access between different parts of the company. That’s also a concept of least privilege is this idea of network segmentation. Finally, not every company can put in place these mandatory controls like removing administrative rights or segmenting the network enough or any other manner of file permissioning.
So it’s important to place governance policies in place for your employees, have them review a WISP, a Written Information Security Plan, a Password Policy and Information Handling Policy, because when they make decisions about how to run their lives, or do their jobs, they may have discretionary control or access to certain data. And they need to understand that they need a job. You know, it has to be part of their job to access certain files. For example, in a hospital, if you’re not tending to a patient, you’re not permitted to review the record even though you have access to do so. That’s a discretionary control. You need policies to govern and guide employees and then mandatory controls where possible to set and require and limit access to least privilege.
Mike Miller 04:04
Okay. So I understand now the context of least privilege. Could you give me an example maybe of what could happen when a company or employee doesn’t follow the best practice? Are there no repercussions?
Craig Taylor 04:18
Yes, absolutely. It happens quite regularly in my engagements, usually, that’s why I’m called in because something’s gone wrong. But for example, if your employee operates their computer with admin privileges, we’ve been talking about that. And they go to download a utility they need and they think they’re on a safe and secure website, and they download and run that file. It may in fact, have a Trojan or ransomware embedded within it. If they have that administrative rights, they’re not going to be prompted or prevented from infecting their computer and quite likely their entire company with ransomware.
And it happens all the time. I’m not talking like dozens of times. I’m talking tens of thousands of times all over the world this has happened. Another example and I’m sorry familiar with this one, a nurse who knew a famous movie star sports figure was at their hospital went into that person’s record to see what they were in for so they could maybe sell it to The Hollywood Reporter. They were summarily fired because they did not have rights or they were not supposed to be in that. So even though they had the access, they weren’t following least privilege or need to know in their job responsibilities, and it led to a termination.