It may shock you to learn that over 75% of employees require privileged access rights to complete their current job requirements, but 49% of organizations do not have policies for assigning this access. In 2017!
It’s time that organizations got serious about privileged account security, as the number of data leak incidents that occur through insider threats increases every year. The sad reality is that, according to the 2017 Insider Threat Report, 74% of companies feel that they are vulnerable to insider threats. I personally think this number is a lot higher.
In this article, I’m going to explain why mastering the Principle of Least Privilege is a vital part of reducing the risk of insider threats and how exactly you can do this in 2017.
What are the threats posed by privileged accounts?
Accounts with privileged credentials give potential attackers the permissions they need to get inside critical systems and critical data. It’s not beyond the realm of possibility that a malicious insider can steal valuable data or hijack domain controllers to get a chokehold on the entire IT environment.
Privileged accounts are the quickest way to gain access to domain controllers. Let’s say an employee feels particularly disgruntled (passed over for a promotion yet again) and decides to enact his or her own form of revenge by making a bit of money from stealing data. If that employee gets to the domain controllers, they can create their own credentials and go literally anywhere in the domain. That’s worrying, isn’t it? And it happens more often than you might think.
Simply put – if you can prevent the unnecessary or unauthorised escalation of privilege, you can prevent this kind of attack.
What is the principle of least privilege?
The principle of least privilege (or PoLP) is the practice of limiting user profile privileges to only those required for the user’s specific job requirements. But it’s more than this: the principle can also be applied to computers, where each system component or process should have the minimal authority possible.
If done correctly, PoLP can successfully reduce the risk of privilege abuse and insider threats by limiting the potential attack surface.
Privileges can escalate unnecessarily due to a number of factors that can be difficult to monitor – including changing job requirements, employees leaving the business or new ones joining. PoLP should help you mitigate the risks of your data being stolen, which is vital in 2017.
The cost of privilege abuse
The average cost of data breaches varies drastically depending on the country, the industry and the number of stolen records involved. However, thanks to the 2016 Data Breach Report conducted by the Ponemon Institute, there are some general averages that we can look at.
Unfortunately for us, the US tops the list as one of the most expensive countries in the world to experience a data breach. The average per capita cost of a single stolen record is somewhere in the region of $221.
Of course, this number increases in organizations that deal with sensitive data on a day-to-day basis. For example, healthcare organizations had an average cost of $355 and education institutions an average cost of $246.
You can very quickly imagine the potential pain that you could experience if you became the victim of a data breach. If someone with privileged user credentials manages to steal around 5000 records, the cost to your organization could easily escalate into the millions.
How can you apply PoLP in practice in your organization?
Easier said than done obviously, but there are some core things you can do:
1. Make sure that all higher-ups are part of the decision-making process when you come to deciding what your privilege access levels are going to be. This should help you determine what privileges are needed in different departments and at various seniority levels.
2. Once you have defined this, you need to schedule regular reviews to keep up to date with any changes in business requirements that require changes to role/access permissions.
3. As we mentioned before, define your role/access permissions based on the specific job requirements of any particular user. You should be confident that only the right users have the right levels of access to the right data.
Is there a solution that can help?
Years ago, it was almost impossible to justify spending a portion of the (usually strict) IT budget on deploying third-party solutions that help with privilege abuse. Solutions in years gone by were unrealistically priced, which didn’t help. But mainly, it’s incredibly difficult to justify ROI on a solution that helps prevent something that may never happen to you.
At least, that’s the view that many of the high-level decision makers take when it comes to auditing and monitoring solutions. Unfortunately, even if it hasn’t happened to you yet (that you know of), it’s only a matter of time if you continue to grow with an unsecured environment.
Thankfully, things aren’t as dire as they used to be in the world of automated solutions. It’s easy now to find an auditing and monitoring solution that enables you to track permission changes, identify and monitor your privileged users and reverse unwanted changes. More than that, it’s easy to find such a solution that is affordable, easy to use and scales up to the size of your organization.
No more excuses!
Introducing LepideAuditor: Our solution to help prevent privilege abuse
You may be wondering how auditing can help you implement PoLP, and it’s a valid question to ask. Deploying an auditing solution, like LepideAuditor, will give you the visibility you need to act on the current permissions that your users have and stay up to date with any permission changes that occur.
Let’s take a look at how LepideAuditor can help you detect and prevent privilege abuse.
1. Helping you identify privileged users: The best way to create a list of privileged users is by going through Active Directory Users and Computers and the Group Policy Management Console. We covered how to do this in an earlier article: different ways to list Privileged Users. LepideAuditor also helps by displaying lists of members of Administrative groups and listing all users with administrative privileges.
2. Tracking permission changes: Getting meaningful information about what changes are taking place in Active Directory, Group Policy, File Server etc. is practically impossible without a change auditing solution in place. LepideAuditor helps you to do this by generating current permission reports so that you can spot when privileges are being changed unnecessarily.
3. Tracking Privileged Users’ Activities: LepideAuditor keeps track of all privileged user activities and sends real-time/threshold alerts on any critical change made. We’ve written an article on exactly how to track Privileged Users’ Activities in Active Directory using LepideAuditor.
4. Reversing unwanted changes: Knowing that an unauthorised or unwanted change to privileges has occurred is one thing, being able to reverse this change places the power back in your hands. LepideAuditor gives you this control, enabling you to restore Active Directory objects and Group Policy objects to their original states in a matter of clicks.
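As an added example of points 1 and 2 above (this is not LepideAuditor or Lepide code), the following PowerShell script builds a privileged-user inventory from the well-known Active Directory administrative groups, flags accounts that still carry adminCount=1 without being in any of those groups, and diffs the result against the previous run so that membership drift shows up between reviews. It assumes the ActiveDirectory RSAT module, a domain account that can read group membership, and the baseline path and group list shown, all of which are assumptions you would adjust.

```powershell
# Added example (not Lepide/LepideAuditor code): inventory privileged AD users
# and report drift against the previous baseline. Paths and groups are assumptions.
Import-Module ActiveDirectory

$BaselinePath = 'C:\PrivAudit\privileged-users.csv'   # assumed location
$AdminGroups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                  'Administrators', 'Account Operators', 'Backup Operators')

# 1. Direct and nested user members of each administrative group.
$current = foreach ($g in $AdminGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser $_.distinguishedName -Properties adminCount, Enabled, LastLogonDate
                [pscustomobject]@{
                    Group      = $g
                    User       = $u.SamAccountName
                    Enabled    = $u.Enabled
                    AdminCount = [int]$u.adminCount   # 1 = protected by AdminSDHolder
                    LastLogon  = $u.LastLogonDate
                }
            }
    } catch { Write-Warning "Could not enumerate '$g': $_" }
}

# 2. Accounts still flagged adminCount=1 but no longer in any admin group:
#    a typical leftover from a past privilege grant that a PoLP review should catch.
$stale = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $current.User }

# 3. Compare with the previous baseline and report membership drift.
if (Test-Path $BaselinePath) {
    $previous = Import-Csv $BaselinePath
    $drift = Compare-Object $previous $current -Property Group, User
    foreach ($d in $drift) {
        $kind = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
        Write-Output ("{0} {1,-20} {2}" -f $kind, $d.Group, $d.User)
    }
} else {
    Write-Output 'No previous baseline; this run becomes the baseline.'
}

# Persist this run as the new baseline and list the stale adminCount accounts.
$current | Export-Csv $BaselinePath -NoTypeInformation
$stale   | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Run it on a schedule from a management host and review the ADDED/REMOVED lines and the stale-account table at each PoLP review; Get-ADGroupMember -Recursive can fail on very large groups or foreign security principals, which the try/catch surfaces as a warning rather than a silent gap.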
This is just a very brief look at how LepideAuditor can help you implement PoLP. In practice, there are many actions you need to take based on the data LepideAuditor can show you before you can say you are prepared for privilege abuse. For a deeper look into how LepideAuditor helps with privilege abuse, you can check out another article on how LepideAuditor can help in implementing Policy of Least Privileges.