Privilege Abuse & Misuse was at the Center of Many Cyber Incidents

4,130 cyber incidents were the result of improper usage, the “violation of an organization’s acceptable usage policies by an authorized user”. Of the 16 major incidents, 11 involved employee improper usage and exfiltration of large amounts of highly sensitive data. We have two words for this problem... Least Privilege. Called out in the Access Control family of NIST SP 800-53, and as part of the Protect function of the NIST Cybersecurity Framework, the principle of least privilege mitigates insider-threat risk by limiting each user to the lowest level of rights that still allows them to do their job. This limits exposure of sensitive information and inappropriate access to privileges that would allow unauthorized changes within the information system.
Steps to Balancing Security and Productivity

Some are resistant to implementing least privilege for a variety of reasons, but often it is to avoid slowing down the business at hand, or to avoid overburdening an already stretched IT team. But, folks, if you were one of those agencies reporting the 16 major incidents, I’ll guarantee that’s far more inconvenient than an occasional call about user access. Here are a few steps to take to mitigate the majority of incidents described in the FISMA report:
- To support efficiencies, grant privileges to applications and tasks, not users. This means the user is never handed administrator credentials, but can still run the specific applications and tasks their job requires.
- To gain a full picture of privilege activity, analyze privileged password, user and account behavior. This is the key to uncovering emerging privilege escalation threats, pinpointing and reporting on at-risk systems, and then actively removing the threat. Least privilege doesn’t just mitigate insider threats; it also prevents lateral movement within a system should a breach occur.
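Both steps above can be made concrete with a small check. The following is an added example written for this page, not code from the original article or from any product it describes. It models “privileges to tasks, not users” as a per-user allow-list of specific elevated commands (no user ever holds a blanket administrator grant), then analyzes a handful of constructed sudo-style log lines to flag privileged activity that falls outside policy. The policy, user names, host name, and log lines are all constructed for illustration; the log format only resembles sudo’s default syslog line.

```python
"""Least-privilege policy check over privileged-activity log lines.

Added example (not from the original article). The POLICY table, the
SAMPLE_LOG lines, the host and user names are all constructed for
illustration; the log format merely resembles sudo's default syslog
output and is not guaranteed to match any real system's configuration.
"""
import re
from collections import defaultdict

# Policy: each user is granted the specific elevated tasks their job needs.
# There is deliberately no user with a blanket "ALL" (administrator) grant;
# that is exactly the model the article argues against.
POLICY = {
    "alice": {"/usr/sbin/service", "/usr/bin/systemctl"},  # ops: restart services
    "bob": {"/usr/bin/apt-get"},                            # patching only
}

# Constructed log lines (not real data) in a sudo-like syslog format.
SAMPLE_LOG = """\
Jan 10 09:01:12 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 09:02:40 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 09:05:03 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jan 10 09:06:17 host1 sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr
Jan 10 09:07:55 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service sshd reload
"""

# Fields we need from each line: timestamp, host, invoking user, target
# user, the command path, and any arguments after it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>\S+)(?P<args>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_policy(event, policy=POLICY):
    """Classify a privileged event against the task allow-list.

    Returns 'allowed' (command is one of the user's granted tasks),
    'outside-policy' (user exists in policy but ran something else), or
    'no-policy' (user has no elevation grant at all, yet elevated).
    """
    allowed = policy.get(event["user"])
    if allowed is None:
        return "no-policy"
    return "allowed" if event["cmd"] in allowed else "outside-policy"


def analyse(log_text, policy=POLICY):
    """Return (findings, summary).

    findings: list of (timestamp, user, full command, verdict) for every
              elevation that was not covered by the user's granted tasks.
    summary:  per-user counts of each verdict, the "full picture of
              privilege activity" the article asks for.
    """
    findings = []
    summary = defaultdict(lambda: {"allowed": 0, "outside-policy": 0, "no-policy": 0})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these too
        verdict = check_policy(ev, policy)
        summary[ev["user"]][verdict] += 1
        if verdict != "allowed":
            findings.append((ev["ts"], ev["user"], ev["cmd"] + ev["args"], verdict))
    return findings, dict(summary)


if __name__ == "__main__":
    found, per_user = analyse(SAMPLE_LOG)
    for ts, user, cmd, verdict in found:
        print(f"{ts}  {user:<6} {verdict:<15} {cmd}")
    for user, counts in per_user.items():
        print(user, counts)
```

Run stand-alone, the script reports two findings from the constructed log: bob elevating to an interactive shell that is not among his granted tasks, and carol elevating at all despite having no grant. Everything alice did matches her allow-list. In practice the allow-list would be derived from the real sudoers or endpoint privilege-management policy rather than hard-coded, and the per-user summary is the starting point for the trend reporting on at-risk systems the article describes.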