Concept of least privilege
8/15/2023

Applying the principle of least privilege limits the damage cyberattacks can cause. It makes defenses harder to penetrate and makes successful breaches less effective. Even though the concept of least privilege has been around for generations as a best practice, the severity of today’s cyberthreats is making it a necessity for modern security and access control. While simple in concept, implementing this ideal in practice often proves challenging.

In this article, we introduce the principle of least privilege and explain how it blunts cyberattacks. We will explain the benefits least privilege offers and provide some best practices for deploying least privilege in your organization.

What is the principle of least privilege?

The principle of least privilege limits any entity in an information system to accessing the resources needed to perform authorized functions, and only while that need exists. The entity could be a user, the user’s device, or another resource. In the context of user access, least privilege gives people everything they need to get their jobs done, but only while they are authorized to do that job. Often paired with role-based access control, least privilege blocks any unauthorized entity, as well as an authorized entity trying to access resources at unauthorized times. With least privilege, the impact of a cyberattack does not carry over from one resource or entity to others.

The use of least privilege access dates to the development of the Multics operating system in the 1960s. In addition to other foundational concepts in computer science, the Multics project was the first operating system to make the controlled sharing of information a design requirement. In an overview of Multics’ access control design, MIT professor Jerome Saltzer explained that by minimizing the potential interactions in the system, Multics’ use of least access principles prevented unintentional or malicious activity.

The US Department of Defense and the National Institute of Standards and Technology advanced least privilege in the following decades. By the 2010s, Google was incorporating least privilege through its Zero Trust security system, BeyondCorp. In response to today’s cybersecurity environment, the principle of least privilege is seen as essential to protecting information. All federal agencies must use least privilege to assign access permissions, and private companies use least privilege to comply with regulations such as HIPAA and Sarbanes-Oxley.

How do cybercriminals target companies where employees’ access rights are overprivileged?

The threat environment keeps getting worse. In the early months of the coronavirus pandemic, researchers saw spear-phishing attacks rise by nearly 700%. User credentials are the main target of these attacks because they get a cybercriminal’s foot in the door. Compromising a user’s account can give an attacker the freedom to roam a network undetected. Once in a system, even one with no value, criminals can work their way through a network, escalating their access to the point where they can do real damage.

Privileged credentials, in particular, are highly sought after by cybercriminals. Privileged access lets criminals do whatever they want on a company’s network. These are the “keys to the kingdom.” More than half of organizations in a recent survey reported the theft of privileged credentials - most of which resulted in critical system breaches. Although good security hygiene will stop many of these attacks, good security hygiene often seems more like the exception than the rule.

In 2020, network management company SolarWinds was the victim - and channel - of a cyberattack that impacted businesses and governments around the world. In the aftermath, reports revealed many security weaknesses, including:
- SolarWinds access credentials being sold on cybercriminal forums as early as 2017.
- SolarWinds advising customers to remove its Orion software from antivirus scans.
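The definition given above (an entity may reach only the resources its authorized function needs, only while that need exists, usually enforced through role-based access control) can be made concrete as a small policy check. The Python below is an added example, not code from the original post; the roles, resources, user name and the two-hour grant window are all constructed. It also shows how to measure the "blast radius" of a stolen credential, which is the property the text describes when it says an attack's impact does not carry over to other resources.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed example of the page's definition: a principal may touch only the
# resources its authorized function needs, and only while that need exists.
# Roles carry static (resource, action) permissions; time-boxed grants add a
# role for a bounded window. Role, resource and user names are made up.
ROLE_PERMISSIONS = {
    "helpdesk": {("ticket-system", "read"), ("ticket-system", "write")},
    "dba":      {("finance-db", "read"), ("finance-db", "write")},
}

@dataclass(frozen=True)
class Grant:
    role: str
    not_before: datetime
    not_after: datetime  # the authorized need is assumed to end here

@dataclass
class Principal:
    name: str
    standing_roles: frozenset = frozenset()
    grants: list = field(default_factory=list)

def active_roles(p: Principal, now: datetime) -> set:
    """Roles in force at `now`: standing roles plus unexpired grants."""
    jit = {g.role for g in p.grants if g.not_before <= now < g.not_after}
    return set(p.standing_roles) | jit

def is_allowed(p: Principal, resource: str, action: str, now: datetime) -> bool:
    """Default deny: allow only if a role active at `now` carries the permission."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set())
               for r in active_roles(p, now))

def blast_radius(p: Principal, now: datetime) -> set:
    """Resources reachable if this principal's credentials are stolen at `now`."""
    return {res for r in active_roles(p, now)
            for res, _ in ROLE_PERMISSIONS.get(r, set())}

def demo_scenario() -> dict:
    """Constructed scenario: a helpdesk user given a 2-hour just-in-time DBA grant."""
    t0 = datetime(2023, 8, 15, 9, 0, tzinfo=timezone.utc)
    alice = Principal("alice", frozenset({"helpdesk"}),
                      [Grant("dba", t0, t0 + timedelta(hours=2))])
    during, after = t0 + timedelta(minutes=30), t0 + timedelta(hours=3)
    return {"db_write_during_window": is_allowed(alice, "finance-db", "write", during),
            "db_write_after_window": is_allowed(alice, "finance-db", "write", after),
            "ticket_read_after_window": is_allowed(alice, "ticket-system", "read", after),
            "radius_during": blast_radius(alice, during),
            "radius_after": blast_radius(alice, after)}
```

Once the grant window closes, a credential stolen from alice reaches only the ticket system, whereas a standing DBA role would have kept finance-db exposed indefinitely.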