What is the Principle of Least Privilege?
Quote:
[Image: heimdal-logo.svg]

And why failing to adopt it can create a broad attack surface for your company

The principle of least privilege (POLP), also known as the “principle of least authority”, is a security concept based upon limiting access to the minimum necessary for an action to be performed. Contrary to popular belief, the least privilege concept does not only apply to users. In fact, it covers multiple areas, such as hardware, systems, processes, applications, and more. However, the focus of this article is going to be the concept of least privilege applied to your employees, or in other words, how limiting your users’ rights to the lowest level possible will close security holes in your organization.

Principle of Least Privilege Definition

So, what is the principle of least privilege?

In simple terms, the concept refers to users not being able to access information or perform actions unless they absolutely must in order to do their jobs. The same applies to every single area that I’ve mentioned above and it also extends to real-life scenarios.

Think about it: why would someone from the IT department need access to your payroll reports? Or why would your entire pool of employees be able to view, download, and edit your customers’ database? Actually, does every single user really need full admin rights at all times?

Not applying the principle of least privilege is a fundamental security mistake that threatens your organization, encourages the propagation of insider threat, and puts your business’ data at high risk.

One thing you should keep in mind is that the least privilege model isn’t all about taking away admin rights from your employees. It also involves monitoring the access for the ones who do have admin rights and temporarily escalating and de-escalating users’ rights.

The principle of least privilege must be part of your cybersecurity strategy since it will lower the risks of malware infections and data breaches.

Real-life examples of organizations that failed to adopt POLP

According to research, 74% of data breaches happen due to privileged credential abuse. Yes, that many breaches could have been prevented if only the wrong users did not have the “right” privileged accounts to be abused by malicious actors.

Here are some examples of companies involved in cyberattacks because they did not follow the principle of least privilege.

Marriott

After Marriott acquired the Starwood hotel chain, in 2018 they discovered that an unauthorized access incident had been occurring for four years (and had started two years prior to the acquisition). The data for 500 million customers was leaked. And for around 327 million customers, “the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” For some of these hotel guests, the data also featured encrypted payment card numbers and payment card expiration dates.

In this case, “unauthorized access” refers to the hotel chain failing to properly manage privileged access within the organization. And the worst part is that the incident occurred for four years due to poor admin rights management.

Sage

In 2016, an employee of the UK accounting and payroll software company Sage was arrested for an insider threat data breach. Allegedly, the employee used unauthorized access to steal the organization’s confidential information on between 200 and 300 of its customers, including addresses, insurance numbers, and bank account details.

Desjardins Group

The financial services giant based in Quebec, Canada was affected by a massive data breach caused by insider threat. The incident took place in the summer of 2019 and the personal information of more than 2.9 million members was shared with people outside of the organization. The compromised data included names, dates of birth, social insurance numbers, addresses, phone numbers, email addresses, and banking details. According to the source, passwords, security questions, and PINs were not disclosed.

Vodafone

An attacker with insider knowledge had stolen the personal data of 2 million of Vodafone’s customers from a server located in Germany. The malicious actor worked for a company contractor and was not a direct Vodafone employee, which only emphasizes that vendor privileges should also be carefully monitored.

Korea Credit Bureau

An employee from the Korea Credit Bureau (KCB) was arrested and accused of stealing the data from customers of three credit card firms. The sources say that he was working for them as a temporary consultant. The number of affected users was at least 20 million, which makes up almost 40% of South Korea’s total population. The data included names, social security numbers, phone numbers, credit card numbers, and expiration dates. The data was sold to marketing companies, whose managers were also arrested.

This list could go on and on, but I believe you’ve learned the lesson and got an idea of what can happen if the wrong people have high levels of privileges inside your organization.
...
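The quoted article makes two points that are easy to state and easy to get wrong in practice: access is denied unless the job requires it, and admin rights are not a standing grant but something that is monitored, escalated for a reason, and de-escalated again. The following Python model is an added illustration of those points; it is not code from the Heimdal article or from the forum post. The roles, permission names, user, timestamps and ticket reference are all constructed. It goes one step beyond the text by making de-escalation automatic: an elevation carries an expiry, and the authorization check itself drops it once the window has passed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed baseline: each role holds only the permissions its job needs.
# Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "it_support": {"ticket:read", "ticket:write", "workstation:reset_password"},
    "payroll": {"payroll:read", "payroll:write"},
    "sales": {"crm:read"},
}

# Powerful rights are never standing grants; they exist only as time-boxed elevations.
ELEVATED_ONLY = {"host:admin", "payroll:export", "crm:export"}


@dataclass
class Elevation:
    permission: str
    expires_at: datetime
    reason: str


@dataclass
class User:
    name: str
    role: str
    elevations: list = field(default_factory=list)


class AccessController:
    """Authorizes actions against the role baseline plus unexpired elevations,
    and records every decision so privileged use can be reviewed."""

    def __init__(self, max_elevation=timedelta(hours=1)):
        self.max_elevation = max_elevation  # policy cap on any single elevation
        self.audit_log = []

    def _log(self, event, **fields):
        self.audit_log.append({"event": event, **fields})

    def elevate(self, user, permission, reason, duration, now):
        """Grant a temporary right. Refuses baseline permissions (they are
        either in the role or not), over-long grants, and empty justifications."""
        if permission not in ELEVATED_ONLY:
            raise ValueError(f"{permission} is not an elevatable permission")
        if duration > self.max_elevation:
            raise ValueError("requested duration exceeds the policy maximum")
        if not reason.strip():
            raise ValueError("a justification is required to elevate")
        expires_at = now + duration
        user.elevations.append(Elevation(permission, expires_at, reason))
        self._log("elevate", user=user.name, permission=permission,
                  reason=reason, expires_at=expires_at.isoformat())
        return expires_at

    def check(self, user, permission, now):
        """Return True only if the role baseline or a live elevation grants it.
        Expired elevations are dropped here, so de-escalation is automatic."""
        live = [e for e in user.elevations if e.expires_at > now]
        for stale in user.elevations:
            if stale.expires_at <= now:
                self._log("elevation_expired", user=user.name,
                          permission=stale.permission)
        user.elevations = live
        allowed = (permission in ROLE_PERMISSIONS.get(user.role, set())
                   or any(e.permission == permission for e in live))
        self._log("access", user=user.name, permission=permission, allowed=allowed)
        return allowed

    def denied(self):
        """Denied access attempts: the audit entries a reviewer looks at first."""
        return [r for r in self.audit_log
                if r["event"] == "access" and not r["allowed"]]


def demo():
    """Walk one constructed IT-support user through a day; returns the decisions."""
    ctl = AccessController()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    alice = User("alice", "it_support")
    out = {}
    out["payroll_read"] = ctl.check(alice, "payroll:read", t0)   # IT has no payroll need
    out["ticket_write"] = ctl.check(alice, "ticket:write", t0)   # part of the job
    try:  # a baseline right cannot be obtained through elevation
        ctl.elevate(alice, "payroll:read", "curious", timedelta(minutes=5), t0)
        out["baseline_elevation_refused"] = False
    except ValueError:
        out["baseline_elevation_refused"] = True
    ctl.elevate(alice, "host:admin", "TICKET-0001 (constructed): stuck host",
                timedelta(minutes=30), t0)
    out["admin_during_window"] = ctl.check(alice, "host:admin", t0 + timedelta(minutes=10))
    out["admin_after_window"] = ctl.check(alice, "host:admin", t0 + timedelta(minutes=31))
    out["denied_count"] = len(ctl.denied())
    out["expired_logged"] = any(r["event"] == "elevation_expired" for r in ctl.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices carry the article's message. The role table is the only source of standing rights, and an unknown role resolves to an empty set, so a misconfigured account gets nothing rather than everything. Elevation requires a reason and a bounded duration, and the expiry is enforced by the same `check` that every action passes through, so nobody has to remember to take the admin right away again; the audit log keeps both the grant and its expiry for review.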