Principle of least privilege
Security controls are essential to keeping sensitive data private and safe. One of the most common controls is the principle of least privilege, also referred to as PoLP or least privilege. The principle of least privilege is a security concept in which a user is only granted the minimum level of access and authorization required to complete a task or function.
Least privilege is a fundamental security control that supports the confidentiality, integrity, and availability (CIA) triad of information. In this reading, you’ll learn how the principle of least privilege reduces risk, how it’s commonly implemented, and why it should be routinely audited.
Limiting access reduces risk
Every business needs to plan for the risk of data theft, misuse, or abuse. Implementing the principle of least privilege can greatly reduce the risk of costly incidents like data breaches by:
- Limiting access to sensitive information
- Reducing the chances of accidental data modification, tampering, or loss
- Supporting system monitoring and administration
Least privilege greatly reduces the likelihood of a successful attack by connecting specific resources to specific users and placing limits on what they can do. It’s an important security control that should be applied to any asset. Clearly defining who or what your users are is usually the first step of implementing least privilege effectively.
Note: Least privilege is closely related to another fundamental security principle, the separation of duties—a security concept that divides tasks and responsibilities among different users to prevent giving a single user complete control over critical business functions. You’ll learn more about separation of duties in a different reading about identity and access management.
Determining access and authorization
To implement least privilege, access and authorization must be determined first. There are two questions to ask to do so:
- Who is the user?
- How much access do they need to a specific resource?
Determining who the user is usually straightforward. A user can refer to a person, like a customer, an employee, or a vendor. It can also refer to a device or software that’s connected to your business network. In general, every user should have their own account. Accounts are typically stored and managed within an organization’s directory service.
These are the most common types of user accounts:
- Guest accounts are provided to external users who need to access an internal network, like customers, clients, contractors, or business partners.
- User accounts are assigned to staff based on their job duties.
- Service accounts are granted to applications or software that needs to interact with other software on the network.
- Privileged accounts have elevated permissions or administrative access.
It’s best practice to determine a baseline access level for each account type before implementing least privilege. However, the appropriate access level can change from one moment to the next. For example, a customer support representative should only have access to your information while they are helping you. Your data should then become inaccessible when the support agent starts working with another customer and they are no longer actively assisting you. Least privilege can only reduce risk if user accounts are routinely and consistently monitored.
Pro tip: Passwords play an important role when implementing the principle of least privilege. Even if user accounts are assigned appropriately, an insecure password can compromise your systems.
Auditing account privileges
Setting up the right user accounts and assigning them the appropriate privileges is a helpful first step. Periodically auditing those accounts is a key part of keeping your company’s systems secure.
There are three common approaches to auditing user accounts:
- Usage audits
- Privilege audits
- Account change audits
As a security professional, you might be involved with any of these processes.
Usage audits
When conducting a usage audit, the security team will review which resources each account is accessing and what the user is doing with the resource. Usage audits can help determine whether users are acting in accordance with an organization’s security policies. They can also help identify whether a user has permissions that can be revoked because they are no longer being used.
Privilege audits
Users tend to accumulate more access privileges than they need over time, an issue known as privilege creep. This might occur if an employee receives a promotion or switches teams and their job duties change. Privilege audits assess whether a user’s role is in alignment with the resources they have access to.
Account change audits
Account directory services keep records and logs associated with each user. Changes to an account are usually saved and can be used to audit the directory for suspicious activity, like multiple attempts to change an account password. Performing account change audits helps to ensure that all account changes are made by authorized users.
Note: Most directory services can be configured to alert system administrators of suspicious activity.
Key takeaways
The principle of least privilege is a security control that can reduce the risk of unauthorized access to sensitive information and resources. Setting up and configuring user accounts with the right levels of access and authorization is an important step toward implementing least privilege. Auditing user accounts and revoking unnecessary access rights is an important practice that helps to maintain the confidentiality, integrity, and availability of information.
Determine the type of attack
Previously, you learned about the eight Certified Information Systems Security Professional (CISSP) security domains. The domains can help you better understand how a security analyst’s job duties can be organized into categories. Additionally, the domains can help establish an understanding of how to manage risk. In this reading, you will learn about additional methods of attack. You’ll also be able to recognize the types of risk these attacks present.
Attack types
Password attack
A password attack is an attempt to access password-secured devices, systems, networks, or data. Some forms of password attacks that you’ll learn about later in the certificate program are:
- Brute force
- Rainbow table
Password attacks fall under the communication and network security domain.
Social engineering attack
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Some forms of social engineering attacks that you will continue to learn about throughout the program are:
- Phishing
- Smishing
- Vishing
- Spear phishing
- Whaling
- Social media phishing
- Business Email Compromise (BEC)
- Watering hole attack
- USB (Universal Serial Bus) baiting
- Physical social engineering
Social engineering attacks are related to the security and risk management domain.
Physical attack
A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed. Some forms of physical attacks are:
- Malicious USB cable
- Malicious flash drive
- Card cloning and skimming
Physical attacks fall under the asset security domain.
Adversarial artificial intelligence
Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently. Adversarial artificial intelligence falls under both the communication and network security and the identity and access management domains.
Supply-chain attack
A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them. Supply-chain attacks can fall under several domains, including but not limited to the security and risk management, security architecture and engineering, and security operations domains.
Cryptographic attack
A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are:
- Birthday
- Collision
- Downgrade
Cryptographic attacks fall under the communication and network security domain.
Key takeaways
The eight CISSP security domains can help an organization and its security team fortify against and prepare for a data breach. Data breaches range from simple to complex and fall under one or more domains. Note that the methods of attack discussed are only a few of many. These and other types of attacks will be discussed throughout the certificate program.
Understand attackers
Previously, you were introduced to the concept of threat actors. As a reminder, a threat actor is any person or group who presents a security risk. In this reading, you’ll learn about different types of threat actors. You will also learn about their motivations, intentions, and how they’ve influenced the security industry.
Threat actor types
Advanced persistent threats
Advanced persistent threats (APTs) have significant expertise accessing an organization’s network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:
- Damaging critical infrastructure, such as the power grid and natural resources
- Gaining access to intellectual property, such as trade secrets or patents
Insider threats
Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include:
- Sabotage
- Corruption
- Espionage
- Unauthorized data access or leaks
Hacktivists
Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:
- Demonstrations
- Propaganda
- Social change campaigns
- Fame
Hacker types
A hacker is any person who uses computers to gain access to computer systems, networks, or data. They can be beginner or advanced technology professionals who use their skills for a variety of reasons. There are three main categories of hackers:
- Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere to the law to conduct organizational risk evaluations. They are motivated to safeguard people and organizations from malicious threat actors.
- Semi-authorized hackers are considered researchers. They search for vulnerabilities but don’t take advantage of the vulnerabilities they find.
- Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain.
Note: There are multiple hacker types that fall into one or more of these three categories.
New and unskilled threat actors have various goals, including:
- To learn and enhance their hacking skills
- To seek revenge
- To exploit security weaknesses by using existing malware, programming scripts, and other tactics
Other types of hackers are not motivated by any particular agenda other than completing the job they were contracted to do. These types of hackers can be considered unethical or ethical hackers. They have been known to work on both illegal and legal tasks for pay.
There are also hackers who consider themselves vigilantes. Their main goal is to protect the world from unethical hackers.
Key takeaways
Threat actors and hackers are technically skilled individuals. Understanding their motivations and intentions will help you be better prepared to protect your organization and the people it serves from malicious attacks carried out by some of these individuals and groups.