October 4, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
The Principle of Least Privilege
So, about that recent Uber hack -- why did it bring to mind the AAA Protocols? Let's talk about that and another of my favorite topics, the principle of least privilege.
CISA has a good primer on the subject. The gist of it is this:
Only the minimum necessary rights should be assigned to a subject that requests access to a resource.
This is a pretty basic concept that people seem to innately understand and accept in certain environments, but not others. For example, most everyone understands that different users in an accounting software package have access only to certain modules. For example, the accounts payable clerk probably doesn't have access to payroll. Whoever runs payroll may not have access to the general ledger. I talked about this last week. You all get this, right?
For some reason, however, this concept is often not carried over to files shared over a network. It is not uncommon for us to find, in the course of doing a network security assessment, that everyone has access to nearly everything on the network. Typically there are a few small bodies of data with extra protection (e.g., financial, HR) but generally speaking, all employees can access the entirety of data for clients that they don't even work with. The whistleblower Peiter Zatko, former CISO for Twitter, complained of "the widespread, ubiquitous access that many employees have to internal systems" as one of their primary security issues.
Why is this a problem? Well, I could write several pages about this! but two important points are (1) potential leakage of confidential client information to employees who shouldn't know that stuff, and (2) in a ransomware incident, the risk is great that the entirety of your organization's data could be encrypted (and possibly stolen first). Limiting what any one person has access to will also limit what that person can put at risk.
In the recent Uber breach, for example, once the attacker was in Uber's internal network, “a single hard coded password has been used to access [Uber’s] privileged access management system, giving access to any area of the IT environment that links to it.” So the attacker found a powershell script with an admin user name & password saved in it. Ouch. The employee whose account was compromised probably should not have had access to the file share where data like this is stored.
So, what's the answer? I talk a lot about segmentation in the context of networks as a whole, but it's a concept that can be applied to user access to data as well. Think about your business processes, who works together, who needs access to specific files. How can you segment that out? By project? By client? By internal department? It may take some thought, but the added security to your data is worth the effort. If you need help, you know where you can find me!
Upcoming Virtual Workshop
Eight years after its release, many organizations still find themselves struggling with how to
implement the NIST CSF. In this virtual workshop, we will break it down into a simple, 7-step process that
anyone can follow.
Have a great week!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺