Sunday, March 23, 2014

Making 'Least Privilege' Cool




Somehow, as executives got promoted, CEOs got hired, and board members got selected, they all got confused. So confused that their security world is turned upside down, and it's their fault. And it's not just corporate executives confused about the security of their enterprise, it's everyone that owns a computer or smartphone that is confused about the security of their own personal enterprise. They somehow got the impression that the higher you are in your enterprise, the MORE computer and network access you should have. In fact, the polar opposite is true. Everyone has forgotten the tried-and-true security tenet of 'least privilege.'

Least Privilege is a fundamental security concept (who remembers the 'Rainbow Series'?), whereby you grant the user (human or program) just enough access to perform their tasks. This used to be done all the time in programming, and is often done at the rank-and-file levels of enterprises today. For instance, the guy in the cube next to you can't access the HR system and look up your salary, because he doesn't have the need for that access. While the HR exec can see your salary, they usually cannot read sensitive company financials. But the CEO can see it all.

In a work setting, it's unfortunately common for senior executives (and therefore their assistants) to be given total access to their digital enterprise, like a master key for every computer, network, and file in their domain. Makes for a juicy target if you're a thief, and the thieves know it and are thriving on this simple lapse of good corporate governance. And that target becomes even juicier when said executives insist on taking their laptops and smartphones with them when they travel abroad (where governments have been known to snoop and share with state-owned competitors), insist on downloading the latest privilege-grabbing apps, and insist on blithely connecting from any coffeehouse or other free Wi-Fi they happen along.



The key to fixing this rampant problem costs nothing but a little bruise to the ego. Executives should NOT be given keys to their kingdoms. Instead, they should be given just enough privilege to do the routine aspects of their job. While not the complete solution, this simple step will stop the vast number of adversaries that are looking for keys to subvert companies.

Before you condemn your company's execs, think about you and your own computers, tablets, smartphones, and home networks. Almost everyone gives themselves 'root' or 'Admin' access to their devices. When installing new programs, this high level of access is usually required, so that's what you take. This is exactly what today's thieves are counting on. At some point, they are going to trick you into clicking on a link that will take over your account. If your account has Admin privileges, then they have successfully taken over your enterprise. But what if your account only had just enough rights to run your apps, but not enough to make any substantive changes to your device? Then you will still have had your account compromised, but your systems will remain secure. If you don't have Admin rights to begin with, then you can't be the cause of them getting stolen.

What's the cost of implementing least privilege in your home and office? Zero dollars. A few more clicks for the few times you actually do need to load new software. And a hit to your ego because you're not given all the keys. So help me make 'least privilege' cool. Brag about how little access your company gives you. Get excited when the malware you stumbled upon fails to execute and gives you an error message instead. Tell your friends and co-workers: It's cool not to have the keys!

