Principle of Least Privilege: Just Enough Access

“The principle of least privilege” is one of the cornerstones of IT security for organizations. Its implementation is recommended by authoritative bodies such as Microsoft, NIST, and the Canadian Centre for Cyber Security. It may not be a term that you have heard before, but it’s a concept that I’m sure you’re familiar with.

To illustrate this idea, imagine that you have a newly-hired co-op student; let’s call him Jed. Jed’s a good guy – eager, helpful, and friendly. Now a question: Would you give Jed permission to access your company financials?

Hopefully the answer is no, absolutely not. It represents a huge business risk. He should only have access to the data that he needs to do his job.

OK, follow-up question: Would you allow Jed to have the ability to install malware or ransomware on your corporate network?

The answer should also be no, absolutely not. That’s because a user should be given the minimum level of access to do his/her job. That is the principle of least privilege.

So when it comes to how much control a user should have over their computer, it should be limited, i.e. not administrator level.

What’s the harm in giving everyone admin rights?

Especially for small business owners, it might be tempting to just give employees admin rights. That way they can install their own software whenever they want and not need to ask you for help. You’ve got enough on your plate running a business. Do you really need constant pokes from staff to help them install software?

The problem, of course, is that not all software is to be trusted. With the same ease that a user can install legitimate software, such as Adobe Acrobat Reader, they can also install malicious content. The result could be disastrous, as was seen in the Equifax data breach in 2017 where their failure to follow the principle of least privilege contributed to the personal information of 147 million people being exposed. The settlement included up to $425 million to help people affected by the data breach.

Could something similar happen at your organization? Consider how one of your employees might respond to this Windows pop-up:

What’s your instinct here, would you click Yes? What might happen?

Would you trust everyone at your organization to always make the correct choice?

Would you trust Jed?

He might think to himself, “hmm, image resizer? That’s something I might need”, and he clicks Yes. If this is a piece of malicious software, it could install malware onto his system.

But it’s just Jed’s computer, right? No big deal, he doesn’t have access to any critical information.

Unfortunately, this attack is not likely to end on Jed’s computer.

The malware can move laterally through the network and gain credentials for a user with global admin permissions. From there, with these elevated permissions, the attacker can take control of your network.

Ultimately, it might only take one person making one bad decision to compromise your entire corporate network. For this reason, end users should have local administrator rights removed.

What Can You Do About It?

If you receive pop-ups like the image above, it means that you, and possibly other employees at your company, can freely install programs on your corporate workstations. This is a big problem. You should immediately inform your IT and advocate for the principle of least privilege to safeguard against attacks.

What’s Involved in Making this Happen?

The technical complexity of implementing the principle of least privilege is low, and any IT professional should be able to do this without issue.

Best of all, this is a Windows feature, meaning that there is no cost here.
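One way IT can check which accounts currently hold local administrator rights on a workstation, shown here as an added example rather than code from the original post. The allow list entries (the `CONTOSO\...` names) are placeholders to replace with your own, and the removal step runs with `-WhatIf`, so it only reports what it would change.

```powershell
# Added example: audit the local Administrators group on this workstation.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Assumption: accounts that are allowed to keep local admin rights.
# These names are placeholders; replace them with your organization's own.
$AllowedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder IT support group
)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup works even on systems where the group name is localized.
$AdminGroupSid = 'S-1-5-32-544'

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)

    # Return every member whose name is not on the allow list.
    # -notcontains compares strings case-insensitively.
    Get-LocalGroupMember -SID $AdminGroupSid |
        Where-Object { $Allowed -notcontains $_.Name }
}

$unexpected = @(Get-UnexpectedLocalAdmin -Allowed $AllowedAdmins)

if ($unexpected.Count -eq 0) {
    Write-Output 'No unexpected members in the local Administrators group.'
}
else {
    Write-Output 'Accounts with local admin rights that are not on the allow list:'
    $unexpected | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

    # Dry run: -WhatIf prints what would be removed without changing anything.
    # Drop -WhatIf only after reviewing the list above.
    foreach ($member in $unexpected) {
        Remove-LocalGroupMember -SID $AdminGroupSid -Member $member -WhatIf
    }
}
```

Run it from an elevated PowerShell session on the workstation being checked. Day-to-day user accounts that show up in the output are the ones to move to standard user rights.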

From a user perspective, though, this could lead to some annoyance. Realistically, users don’t need to install new software very often, but every time they do, they will need to contact IT. If it takes a long time for your IT to respond to your requests, you could be stuck without this software for a while, unfortunately. But when IT security is on the line, users may need to tolerate some inconvenience.

So overall, much like cybersecurity awareness training from the previous post, this is a low-effort, low-cost, high-impact security measure.

What’s Next?

As mentioned above, alert your IT if you or other employees are able to install software without restriction.

If your IT does not action this security gap, or is not responsive enough to handle requests from users to install software in a timely manner, you can contact EMKAL anytime to see if we might be a fit at your organization and provide a higher level of help desk support.
