Principle of Least Privilege: How to Stop Hackers in Their Tracks
Cybercriminals love user credentials. Compromising a user’s account can give them the freedom to roam a network undetected. Applying the principle of least privilege limits the damage these cyberattacks can cause. It makes defenses harder to penetrate and makes successful breaches less effective. Even though the concept of least privilege has been around for generations as a best practice, the severity of today’s cyberthreats is making it a necessity for modern security and access control. While simple in concept, implementation of this ideal in practice often proves to be challenging.
In this article, we want to introduce you to the principle of least privilege and explain how it blunts cyberattacks. We will explain the benefits least privilege offers and provide some best practices for deploying least privilege in your organization.
The principle of least privilege limits any entity in an information system to accessing the resources needed to perform authorized functions while that need exists. The entity could be a user, the user’s device, or another resource.
In the context of user access, least privilege gives people everything they need to get their jobs done only while they are authorized to do that job. Often paired with role-based access control, least privilege blocks any unauthorized entity (or an authorized entity accessing resources at unauthorized times). With least privilege, the impact of cyberattacks doesn’t translate across resources or entities.
The use of least privilege access dates to the development of the Multics operating system in the 1960s. In addition to introducing other foundational concepts in computer science, Multics was the first operating system to make the controlled sharing of information a design requirement. In an overview of Multics’ access control design, MIT professor Jerome Saltzer explained that by minimizing the potential interactions in the system, Multics’ use of least privilege principles prevented unintentional or malicious activity.
The US Department of Defense and the National Institute of Standards and Technology advanced least privilege in the following decades. By the 2010s, Google was incorporating least privilege through its Zero Trust security system, BeyondCorp.
In response to today’s cybersecurity environment, the principle of least privilege is seen as essential to protecting information. All federal agencies must use least privilege to assign access permissions. Private companies are using least privilege to comply with regulations such as HIPAA and Sarbanes-Oxley.
The threat environment keeps getting worse. In the early months of the coronavirus pandemic, researchers saw spear-phishing attacks rise by nearly 700%. User credentials are the main target of these attacks because they get a cybercriminal’s foot in the door. Once in a system, even one with no value, criminals can work their way through a network, escalating their access to the point where they can do real damage.
Privileged credentials, in particular, are highly sought after by cybercriminals. These are the “keys to the kingdom.” Privileged access lets criminals do whatever they want on a company’s network. More than half of organizations in a recent survey reported the theft of privileged credentials — most of which resulted in critical system breaches. Although good security hygiene will stop many of these attacks, good security hygiene often seems more like the exception than the rule.
In 2020, network management company SolarWinds was the victim — and channel — of a cyberattack that impacted businesses and governments around the world. In the aftermath, reports revealed many security weaknesses including:
- SolarWinds access credentials were being sold on cybercriminal forums as early as 2017.
- SolarWinds had advised customers to exclude its Orion software from antivirus scans.
- Update server passwords (“solarwinds123”) were hardcoded in the Orion software.
But what made the hack devastating is that SolarWinds Orion required global administrator privileges to function. The attackers may have penetrated networks at the US Treasury Department, NATO, Boeing, and as many as 18,000 other organizations.
This year, a user of the United Nations’ Umoja project management system did not enable two-factor authentication. Cybercriminals reportedly penetrated the UN’s networks for at least five months using the stolen credentials. Other UN credentials reportedly compromised by this attack have appeared on cybercrime marketplaces.
Traditional security tools are failing to head off attacks like these. Applying the principle of least privilege to your access control policies strengthens your network defenses and mitigates damage.
Restricting the scope of users’ access permissions, especially administrators’ permissions, reduces the potential vectors cybercriminals can use to penetrate network defenses.
Understaffing in IT departments leads to over-credentialing, account sharing, and other bad security habits. Enforcing least privilege reduces the number of users with broad access credentials.
Least privilege helps to block attempts to move laterally across a network. A successful security breach may gain access to one resource, but its ability to spread is constrained.
When a network administrator falls victim to a spear-phishing email, damage is significantly limited if they are using a standard profile that has no privileges beyond email and productivity apps. Requiring separate credentials for the administrator’s access to network infrastructure makes the breach less likely to spread.
The smaller attack surface and constraints on lateral movement slow a cybercriminal’s penetration of the network. Suspicious activity becomes easier to identify, especially when using least privilege with Zero Trust systems. Security administrators have enough time to identify suspicious behavior and stop the attack before it can do more damage.
Across many industries, regulations require enterprises to demonstrate their control over access to protected data. Many companies have adopted the principle of least privilege to implement and document this control. What they found is that least privilege makes compliance with Sarbanes-Oxley and other regulations much easier.
Changing your access control strategy to implement the principle of least privilege is not a trivial task. But the security and compliance benefits make the process worthwhile. To ensure a smooth transition, you should consider these best practices.
This is something you can start doing now. Audit the state of your organization’s permissions and begin tightening user access. Nobody needs privileged device credentials if they’re only using email, PowerPoint, or Facebook. Remove administrator access to all Windows or macOS devices — even for your IT staff.
Change your IT staff’s bad habits. Shut down all shared accounts and issue separate credentials to each user. At the same time, limit the scope of each privileged credential to specific resources.
Review access lists periodically. Set up a standing meeting with the right group of people to regularly review access lists and prune back unnecessary access rights.
Segment your network so lateral moves require new authentications and authorizations based on least privilege. The smaller you make each segment, the less exposed your systems will be to breaches.
Of course, traditional network infrastructure makes micro-segmentation expensive. Look to modern Zero Trust solutions that deploy software-defined perimeters around each resource.
The old way of looking at security tries to protect resources inside the perimeter from threats outside the perimeter. But there is no fixed perimeter in today’s cloud-connected, remotely-accessed world.
Apply the principle of least privilege with all your resources whether on-premises or in the cloud. Be sure to apply these policies to freelancers, contractors, and anyone else who connects to any part of your network.
Besides limiting the scope of access permissions, the principle of least privilege also means limiting their duration. Replace just-in-case access policies with just-in-time policies that grant credentials when the user truly needs them.
Revoke that access as soon as possible. Set timeout criteria, cap session lengths, and terminate credentials when sessions end. You can go further by monitoring device posture and other variables. Any change in context should invalidate the authorization and cut off the user’s access.
Zero Trust-based network access technologies can help by time-limiting authorizations to individual sessions and requiring re-authentication and re-authorization for each new session.
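As an added illustration of the just-in-time, time-limited, context-bound access described above (example code, not Twingate’s own implementation), the following model issues a grant only to a role that covers the resource, bounds it by a window and a session cap, and revokes it the moment the device posture it was bound to changes. The time source and the posture string are assumptions passed in explicitly so the behaviour is deterministic.

```python
# Added example (not Twingate's code): a minimal just-in-time grant model.
# Access is granted only for a bounded window, each session is capped, and
# any change in the requesting context (device posture here) invalidates the
# grant. Time is passed in as seconds so checks can be reproduced exactly.
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    resource: str
    issued_at: float      # seconds since epoch (assumed clock)
    ttl: float            # just-in-time window length in seconds
    max_session: float    # cap on one session, even inside the window
    posture: str          # device posture snapshot the grant is bound to
    revoked: bool = False


def request_access(user, resource, role_resources, now, posture,
                   ttl=900.0, max_session=600.0):
    """Issue a time-boxed grant only if the user's role covers the resource."""
    if resource not in role_resources.get(user, set()):
        return None  # no just-in-case access: an uncovered role gets nothing
    return Grant(user, resource, now, ttl, max_session, posture)


def check_access(grant, now, posture, session_started):
    """Return (allowed, reason). Any failure also revokes the grant,
    so the user must re-authenticate and re-authorize for a new session."""
    if grant is None or grant.revoked:
        return False, "no grant"
    if now >= grant.issued_at + grant.ttl:
        reason = "grant expired"
    elif now - session_started > grant.max_session:
        reason = "session cap exceeded"
    elif posture != grant.posture:
        reason = "context changed"
    else:
        return True, "ok"
    grant.revoked = True
    return False, reason
```

A real deployment would replace the posture string with a signed device-posture assertion and the dictionary of role resources with the policy store, but the expiry, cap and revoke-on-change rules stay the same.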
Security and access control systems generate detailed logs of user and device activity. Monitor that activity and flag changes in behavior that could be signs of a security breach. You can also use the activity logs to refine least privilege policies while improving user productivity.
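One way to turn the activity logs into both a detection signal and a policy-refinement input, as an added example that is not from the original post or from Twingate: the log format, the sample lines and the grant table below are all constructed for illustration.

```python
# Added example, not code from the original post or Twingate: a small
# detection and review pass over constructed access-log lines. It flags
# allowed access to resources outside a user's observed baseline and lists
# granted resources the log never shows being used, which the periodic
# access review can prune.
from collections import defaultdict

# Constructed sample log: "<timestamp> <user> <resource> <result>"
SAMPLE_LOG = """\
2023-03-01T09:12:00 alice crm ALLOW
2023-03-02T10:05:00 alice crm ALLOW
2023-03-03T02:41:00 alice finance-db ALLOW
2023-03-01T11:00:00 bob build-server ALLOW
2023-03-02T11:20:00 bob build-server ALLOW
2023-03-02T11:25:00 bob prod-db DENY
"""

# Constructed grants: resources each account is currently permitted to reach.
GRANTS = {"alice": {"crm", "finance-db"}, "bob": {"build-server", "prod-db"}}

def parse_log(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def baseline(events, min_count=2):
    """Resources a user was allowed to reach at least min_count times."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, user, resource, result in events:
        if result == "ALLOW":
            counts[user][resource] += 1
    return {u: {r for r, c in rs.items() if c >= min_count} for u, rs in counts.items()}

def flag_anomalies(events, base):
    """Allowed accesses that fall outside the user's baseline."""
    return [(user, resource) for _, user, resource, result in events
            if result == "ALLOW" and resource not in base.get(user, set())]

def unused_grants(events, grants):
    """Granted resources never exercised (ALLOW) in the log: prune candidates."""
    used = defaultdict(set)
    for _, user, resource, result in events:
        if result == "ALLOW":
            used[user].add(resource)
    return {u: sorted(rs - used[u]) for u, rs in grants.items() if rs - used[u]}
```

On the sample data the baseline pass flags alice’s first-ever access to finance-db for review, while the review pass reports bob’s never-used prod-db grant as a candidate to remove.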
Implementing least privilege access does not need to be difficult or expensive. You can deploy Twingate’s Zero Trust solution in as little as a quarter of an hour. We use software-defined perimeters to protect your on-premises and cloud resources without additional network infrastructure.
Twingate solutions let you apply role-based, least privilege access policies quickly and seamlessly. Whether your users work on-site or from home, are employees or contractors, you can enforce access policies consistently across your organization.
The principle of least privilege may have been around for decades, but now its time has come. User credentials — especially privileged credentials — are the easiest vector for more pervasive and damaging cyberattacks. By constraining user access to the resources they truly need when they truly need it, least privilege reduces your exposure to malware and data breaches.
Contact us to find out how quickly you can make it easier to apply the principle of least privilege when configuring access rights for all your critical resources.