Imagine if every person who entered your house had a copy of your house key. All of your family, friends, the guys who delivered your refrigerator, the plumber, and so on and so forth. How about if they all had a copy of your car key, and the combination to your safe, and the password to your email account and online banking, too?
Doesn’t sound very good, does it? Well, that’s roughly what failing to follow the principle of least privilege (PoLP) amounts to.
The principle of least privilege is one of the most important concepts in cyber security. It’s also especially important for preventing ransomware attacks. So what is it, how does it work, and how can you benefit from it?
What is the Principle of Least Privilege?
The principle of least privilege states that no network user should have any more access rights than they absolutely need to do their job. Most networks handle a range of different tasks, and different users need different access levels to do those tasks.
In your own life, you might give copies of your house key to close family, but you would let a plumber in to do the job without handing over a key.
The same applies with network security. For example, a cyber security administrator needs to be able to change network settings, but someone who just reads documents on a network doesn’t. Also, some types of data may be more sensitive than others, so you don’t want everyone in the network to be able to access and copy it.
Properly applying the principle of least privilege means that if an attacker does breach the network, it becomes much more difficult to move through the network.
Why does the Principle of Least Privilege matter for ransomware?
When a ransomware gang breaches a network, the amount of damage they can do depends on how much of the network they can access. Most ransomware hackers will first shut down a network by encrypting it, and then demand a ransom in exchange for the decryption key.
An organization’s decision to pay a ransom or not is often economic. They calculate how much downtime will cost them, and if the ransom is much cheaper than that, they pay.
Encrypting part of the network may be enough to cause a partial shutdown for an organization, but it might not shut down everything. If a network is totally encrypted, it could be a much bigger problem.
Some types of data are also less valuable than others. If only part of a network is encrypted, it may be easier to accept losing some data. If a large amount of sensitive data is stolen, hackers will also have more leverage to try to blackmail their victims.
Both downtime and ransom amounts depend heavily on how much hackers are able to spread through a network, and how much they can spread depends on the access levels they have. Hackers often break into individual accounts and steal credentials, like usernames and passwords. These are then used to move through the network so that they can encrypt and steal more data.
If network users have access to parts of the network they don’t need, it greatly increases the chances that hackers will be able to use stolen credentials to gain more power over the network. In cybersecurity, this is called an increased attack surface: the hackers have more potential ransomware attack vectors to break in and spread through a network.
How to implement the principle of least privilege
Implementing the principle of least privilege is straightforward, but it requires both some reconfiguration of software and staff training. The first step is to conduct a PoLP audit.
Conduct a PoLP Audit
In a nutshell, a PoLP audit means going through your entire network and figuring out who needs to do what. To do this, you will need to map out passwords, SSH keys, access keys, and password hashes for all the different kinds of accounts held by employees and third-party contractors, both on site and virtual.
Set defaults to minimum
One problem at the root of many ransomware attacks is leaving default privileges too high. Accounts have privileges they don’t need, leaving the door open for hackers. All systems should be configured so that new accounts are created with a bare minimum of privileges. Exceptions may be added as needed.
Separate privileges
Make sure to separate administrator accounts from normal accounts. For exceptional situations where normal users need additional privilege, implement time-limited privileges. Read, write, and execute privileges should also be separated.
Set up privileged access monitoring
Once privileges are separated, you can set up monitoring on privileged accounts. It may be a good idea to use cybersecurity automation to detect unusual behavior.
Rotate administrator passwords
Using a different password for each administrative login can help to reduce the risk of hackers using credentials captured by keyloggers.
Conduct regular audits
Organizations are dynamic. Roles and responsibilities are constantly changing. It’s important to check from time to time to make sure accounts are not floating around with privileges they don’t need anymore.
It’s also important to note that all entities, both human and applications, need to be included in a PoLP audit. The audit should also include both internal servers and cloud services.
Especially in light of double extortion attacks, it may also be a good idea to divide up data into different types and restrict access to it via encryption.
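The steps above (audit the inventory, start new accounts at the minimum, keep elevated access time-limited, monitor privileged accounts, and re-audit as roles change) can be expressed as a small checker. The script below is an added example, not code from the original article; the role baseline, the account inventory, the privileged-action log lines and the business-hours window are all constructed assumptions for illustration. It flags permissions beyond what an account’s role needs, temporary grants that have expired but are still recorded, and privileged actions that either lack an entitlement at the time of use or fall outside expected hours.

```python
from datetime import datetime

# Constructed role model (an assumption for this example): the minimum
# permissions each job role needs. Anything not listed here is excess.
ROLE_BASELINE = {
    "reader": {"docs:read"},
    "analyst": {"docs:read", "reports:read", "reports:write"},
    "netadmin": {"docs:read", "network:configure", "admin:login"},
}

# Permissions treated as privileged and therefore monitored.
PRIVILEGED = {"admin:login", "network:configure"}
BUSINESS_HOURS = range(8, 18)  # UTC hours in which privileged use is expected

# Constructed inventory: humans and service accounts alike are audited.
# "temp" holds time-limited grants keyed by permission, valued by expiry.
ACCOUNTS = [
    {"name": "alice", "kind": "human", "role": "reader",
     "granted": {"docs:read"}, "temp": {}},
    {"name": "bob", "kind": "human", "role": "reader",
     "granted": {"docs:read", "hr:read", "admin:login"}, "temp": {}},
    {"name": "carol", "kind": "human", "role": "analyst",
     "granted": {"docs:read", "reports:read", "reports:write"},
     "temp": {"network:configure": "2024-03-01T18:00:00+00:00"}},
    {"name": "backup-svc", "kind": "service", "role": "reader",
     "granted": {"docs:read", "backup:run"}, "temp": {}},
]

def parse_ts(text):
    return datetime.fromisoformat(text)

def provision(name, kind, role):
    """New accounts start at the role baseline only ("set defaults to minimum")."""
    return {"name": name, "kind": kind, "role": role,
            "granted": set(ROLE_BASELINE[role]), "temp": {}}

def active_temp_grants(account, when):
    """Time-limited grants that have not yet expired at `when`."""
    return {p for p, exp in account["temp"].items() if parse_ts(exp) > when}

def expired_temp_grants(account, when):
    return {p for p, exp in account["temp"].items() if parse_ts(exp) <= when}

def effective_permissions(account, when):
    return account["granted"] | active_temp_grants(account, when)

def excess_privileges(account, when):
    """Permissions the account holds beyond what its role needs."""
    return effective_permissions(account, when) - ROLE_BASELINE[account["role"]]

def audit(accounts, when):
    """Return (account name, finding) pairs; an empty list means least privilege holds."""
    findings = []
    for acct in accounts:
        for perm in sorted(excess_privileges(acct, when)):
            findings.append((acct["name"], f"excess privilege {perm}"))
        for perm in sorted(expired_temp_grants(acct, when)):
            findings.append((acct["name"], f"expired temporary grant {perm} still recorded"))
    return findings

def flag_privileged_activity(log_lines, accounts):
    """Flag privileged actions with no entitlement at time of use, or outside business hours."""
    by_name = {a["name"]: a for a in accounts}
    flagged = []
    for line in log_lines:
        ts_text, user, action, _target = line.split()
        if action not in PRIVILEGED:
            continue
        when = parse_ts(ts_text)
        acct = by_name.get(user)
        if acct is None or action not in effective_permissions(acct, when):
            flagged.append((user, action, "no entitlement at time of use"))
        elif when.hour not in BUSINESS_HOURS:
            flagged.append((user, action, "privileged use outside business hours"))
    return flagged

# Constructed privileged-action log lines: "<timestamp> <user> <action> <target>"
SAMPLE_LOG = [
    "2024-03-01T10:05:00+00:00 carol network:configure switch-3",
    "2024-03-02T02:14:00+00:00 bob admin:login bastion",
    "2024-03-02T09:30:00+00:00 alice network:configure switch-3",
    "2024-03-02T09:45:00+00:00 alice docs:read handbook.pdf",
]

if __name__ == "__main__":
    now = parse_ts("2024-03-02T00:00:00+00:00")
    for name, finding in audit(ACCOUNTS, now):
        print(f"{name}: {finding}")
    for user, action, reason in flag_privileged_activity(SAMPLE_LOG, ACCOUNTS):
        print(f"{user} {action}: {reason}")
```

Run against a real inventory, the same shape of check is what a recurring audit automates: the role baseline is the statement of who needs to do what, `audit` is the periodic comparison, and `flag_privileged_activity` is the monitoring step applied to whatever privileged-action log the environment actually produces. Carol’s temporary grant is honoured in the log check because it was still active when she used it, but the audit still reports it once it has expired, which is exactly the stale-privilege case regular audits exist to catch.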
Balancing Security and Convenience
One of the biggest challenges of implementing the principle of least privilege is keeping the work experience user friendly. Too many restrictions can leave users frustrated. At the same time, restricting administrative privileges can actually improve productivity, because users are less likely to cause problems by changing configurations on their own.
Although it does take some getting used to, the principle of least privilege is an essential part of any cybersecurity strategy, especially in an age of growing ransomware threats.