Privilege management could cut breaches -- if it were used

It is well established that human error, ignorance and/or malice are more of a threat to online enterprise security than flaws in technology. An employee who falls victim to phishing or puts an infected USB drive into a workstation can let an attacker easily defeat the best security system.

But experts say technology can at least partially trump those human weaknesses. It just has to be deployed, and deployed properly.

And deployment is apparently part of the problem with "least privilege management" (LPM) -- sort of the cyber equivalent of security clearances in government. Not only do you have to be cleared at a certain level, you also have to have a "need to know" something before you are allowed access to it.

LPM basically grants privileges to applications instead of users, with the goal that only those who need access will get it. While it obviously would not entirely eliminate the risk of human error, it would reduce it.

The concept has been around for decades. J. Wolfgang Goerlich, information systems and information security manager for a Michigan-based financial services firm, said it was, "first explicitly called out as a design goal in the Multics operating system, in a paper by Jerome Saltzer in 1974."

But, it appears that so far, it has still not gone mainstream. Verizon's 2012 Data Breach Investigations Report found that, of the breaches it surveyed, 96% were not highly difficult for attackers and 97% could have been avoided through simple or intermediate controls.

LPM falls among those simple or intermediate controls Verizon noted that could save a lot of enterprises enormous grief, Goerlich said. Neither he nor other experts say it will make a system or network bulletproof, but Goerlich said, "It raises the bar by mitigating some attacks and raising the complexity of other attacks."

Bob Rudis, director of enterprise information security and risk management at Liberty Mutual, said it doesn't guarantee security -- but improves it. "It's nigh impossible to account for all types of user interaction with a system," he said. "[But] in applications that are fairly small or focused, properly implemented least privilege would be a solid and nigh unusurpable control."

[See related: Security threats explained: Internal excessive privilege]

Danny Lieberman, CTO of Software Associates, is a bit less confident in LPM, noting that an employee can work around LPM. "If an employee wants to access data, she can always social-engineer it out of a coworker," he said. "The main threat is not unwitting employees but malicious attackers."

The Verizon report does say that 98% of data breaches in 2011 came from external agents, but it also suggests that the success of those attacks were enabled in part by human error or ignorance. And it said: "We highly encourage organizations to run systems in a least-privilege mode."

Another problem with LPM, however, is that it is not always simple to decide who should have access to certain applications or areas.

"In an ideal world, the employee's job description, system privileges, and available applications all match," Goerlich said. "The person has the right tools and right permissions to complete a well-defined business process."

"The real world is messy. Employees often have flexible job descriptions. The applications require more privileges than the business process requires," he said. "[That means] trade-offs to ensure people can do their jobs, which invariably means elevating the privileges on the system to a point where the necessary applications function. But no further."

Mark Austin, cofounder and CTO of Avecto argued in a recent blog post that any worthwhile LPM system has to take into account both security and the user experience. "A poor user experience will inevitably lead to unhappy users and rejection of the solution, regardless of whether it makes the endpoint more secure," he wrote.

Beyond that, experts have varying views on whether putting more security trainingÃ'Â is worth the effort. Bob Rudis, who does security training seminars, describes himself as "a fairly outspoken advocate of awareness programs."

"Awareness is a strategic component of a full security program," he said. "It is not enough just to train employees and it's also not enough just to talk to them once about security awareness. It must be a continuous part of the ecosystem and culture in an organization."

Lieberman is less enthused about the effectiveness of training. "In some types of organizations, security awareness is like writing on water," he said. "The U.S. government is an example."

"If you have a dollar in your pocket I would tell you to spend it on data loss detection, not on fancy access management tools," he said.

That doesn't mean he thinks employees should be given a pass, however. "I would not waste time on security awareness training, but I would have the top management lead by example and make it clear that abuse of the company acceptable-use policy will lead to immediate termination without severance," Lieberman said.

"Like [ex Intel chairman and CEO] Andy Grove once said, 'a little fear in the workplace is not a bad thing.'"

Read more about access control in CSOonline's Access Control section.

Join the CSO newsletter!

Error: Please check your email address.

Tags LPMleast privilegeIdentity & Access | Access ControlNetworkingsecurityAccess control and authenticationleast privilege managementaccess controlIdentity & Accessmanagement

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts