“Least-privileged access” is a concept most IT professionals are familiar with, and it has become even more relevant with the growth of remote work and the rising number of data breaches. The approach is self-explanatory and has a single requirement: every user gets as few access permissions as possible, nothing beyond the minimum that a specific employee needs to do their job correctly.
Unfortunately, despite how well-known the concept is, overprivileged users remain a common root cause of data breaches, and many of these users are IT administrators or hold a similar position that requires a large set of permissions from the start.
The problem of overprivileged users is still surprisingly widespread. The fact that some governments rank restricting administrative privileges among their first pieces of cybersecurity advice is proof enough of how serious the issue is. Australia is one such example: its Essential Eight Maturity Model lists restricting administrative privileges as one of the mitigation strategies for cybersecurity incidents.
As such, this threat has to be addressed without limiting an administrator's ability to manage applications and systems. Before getting to that, it helps to understand the context of Australia's Essential Eight.
Australia's “Essential Eight” is published by the Australian Cyber Security Centre (ACSC), which is part of the Australian Signals Directorate (ASD), and recommends eight mitigation strategies as a cybersecurity baseline for all Australian organisations. Correctly implementing all eight is intended to greatly reduce the chance of internal systems being compromised by cyber attacks. The Essential Eight list itself is a subset of the much larger Strategies to Mitigate Cyber Security Incidents that the ACSC published before the Essential Eight was introduced.
The aforementioned “Essential Eight” is comprised of the following strategies:
- Application control – Only applications on a pre-approved allowlist are permitted to execute, so unapproved executables, scripts, installers and other code are blocked from running in the first place rather than being removed after they have already run.
- Patch applications – Security patches for applications should be installed as soon as possible, and within 48 hours when the vulnerability being patched is assessed as an extreme risk (for example, when an exploit for it is already in use). Applications that no longer receive security fixes should be removed.
- Configure Microsoft Office macro settings – Macros are automated command sequences that can do real damage, so only macros that were vetted beforehand should be allowed to run: those stored in trusted locations with limited write access, or those digitally signed with a trusted certificate. Macros in documents received from the Internet should be blocked.
- User application hardening – Security settings should be applied to user-facing applications (web browsers, PDF readers, Office suites and the like) so that vulnerabilities in them are harder to exploit through, for example, a compromised website. This includes disabling features that are rarely needed but frequently abused, such as Flash, Java and web advertisements in browsers.
- Restrict administrative privileges – Administrative privileges to operating systems and applications should be granted only on the basis of a user's duties, and the need for them should be revalidated regularly. Privileged accounts should not be used for reading email or browsing the web. Reviewing every user's access rights on a regular basis to find discrepancies and overprivileged accounts is part of this strategy.
- Patch operating systems – The same principle as for applications, applied to operating system security patches: they should be installed as soon as possible, within 48 hours when an exploit exists (particularly for Internet-facing systems), and unsupported operating system versions should not be used.
- Multi-factor authentication – Requiring several different types of credentials to verify a user's identity is a large security gain for any system, even when the combination is as simple as a password and an SMS code. SMS is the weakest form of second factor, however, and the higher Essential Eight maturity levels call for phishing-resistant methods. MFA matters most for remote access (VPNs, RDP, SSH), for privileged actions and for access to important data repositories.
- Regular backups – Important new or changed data, software and configuration settings should be backed up daily, stored disconnected from the main system and retained for at least three months. Restoration should be tested when the backup process is first set up, annually thereafter and after significant changes to the IT infrastructure.
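The "Restrict administrative privileges" item above asks for regular revalidation of privileged accounts and for keeping them away from email and web browsing. The script below is an added example of what such a review can look like in code; it is not part of the Essential Eight material or archTIS's product. The account records, the group names and the mapping from duties to justified groups are constructed for illustration.

```python
from datetime import date

# Constructed export of privileged-group members (not real directory data).
# last_revalidated is the date an owner last confirmed the account still needs its groups.
PRIVILEGED_ACCOUNTS = [
    {"name": "jsmith",     "groups": {"Domain Admins"},
     "has_mailbox": True,  "last_revalidated": "2024-01-10", "duties": {"ad"}},
    {"name": "jsmith-adm", "groups": {"Domain Admins"},
     "has_mailbox": False, "last_revalidated": "2024-05-02", "duties": {"ad"}},
    {"name": "dbops",      "groups": {"Domain Admins", "SQL Admins"},
     "has_mailbox": False, "last_revalidated": "2024-05-02", "duties": {"sql"}},
    {"name": "svc-backup", "groups": {"Backup Operators"},
     "has_mailbox": False, "last_revalidated": "2023-09-01", "duties": {"backup"}},
]

# Hypothetical mapping: which privileged groups a given duty justifies.
DUTY_GROUPS = {
    "ad": {"Domain Admins"},
    "sql": {"SQL Admins"},
    "backup": {"Backup Operators"},
}

# Fixed review date so the example is deterministic.
REVIEW_DATE = date(2024, 6, 1)


def review(accounts, today, max_age_days=90):
    """Return a list of (account, finding) pairs for privileged accounts that break the rules."""
    findings = []
    for acct in accounts:
        # Rule 1: a privileged account must not double as an everyday mailbox/browsing account.
        if acct["has_mailbox"]:
            findings.append((acct["name"],
                             "privileged account has a mailbox; use a separate unprivileged "
                             "account for email and web browsing"))
        # Rule 2: the need for the privileges must have been revalidated recently.
        age = (today - date.fromisoformat(acct["last_revalidated"])).days
        if age > max_age_days:
            findings.append((acct["name"], f"privileges not revalidated for {age} days"))
        # Rule 3: every privileged group must be justified by a documented duty.
        justified = set().union(*(DUTY_GROUPS.get(d, set()) for d in acct["duties"]))
        excess = acct["groups"] - justified
        if excess:
            findings.append((acct["name"],
                             f"group membership not justified by duties: {sorted(excess)}"))
    return findings


def run_review():
    """Run the review against the constructed export on the fixed review date."""
    return review(PRIVILEGED_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for name, finding in run_review():
        print(f"{name:<12} {finding}")
```

In a real environment the account list would come from a directory export (for example the members of each privileged group plus the attributes held in the HR or ticketing system that record why the membership was granted), and the three checks map directly onto the strategy: separate admin accounts, periodic revalidation, and privileges tied to duties.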
Most of the Essential Eight strategies are commonly cited as general cybersecurity practice, and only one of them is widely considered the most difficult to implement properly: restricting administrative privileges. A fine balance has to be found between limiting what a system administrator can do and the fact that the administrator account is a prime target for impersonation and other disruptive attacks whose end goal is access to the system in question.
There are also plenty of cases of overprivileged system administrators extracting sensitive data from a system for one purpose or another. Edward Snowden may be the best-known example: a system administrator who gained access to sensitive information and exfiltrated it, which is, technically, an insider attack.
Fortunately, the problem is not unsolvable, and modern data-centric security approaches are key to addressing it. The basic idea is to use fine-grained access controls so that system administrators can still manage data (back it up, move it, delete it) without being able to view or modify its contents unless they are separately authorised for that specific action. Access decisions are made by evaluating attributes of the user (role, clearance, nationality), of the data (classification, project), of the requested action and of the environment against a policy, which is why the approach is called Attribute-Based Access Control (ABAC). It has gained popularity in recent years with the global rise of remote work.
Combining ABAC with Multi-Level Security, Zero Trust Architecture and Data-Centric Security is what allows companies such as archTIS to build a dynamic, attribute-based information security system that can meet a wide range of modern security requirements, including Australia's Essential Eight as well as local and international compliance regimes from DISP and PSPF to CMMC, ITAR, NIST and many others.
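To make the ABAC idea concrete, here is an added example of a small policy evaluator; it is illustrative code, not archTIS's implementation or any standard's reference design. The attribute names (roles, clearance, projects, classification), the action sets and the sample principals are all hypothetical. The point it demonstrates is the separation described above: an administrator's role lets them manage an object as an opaque blob, while reading or writing its content is decided purely by the subject's own clearance and need-to-know attributes, so an admin role alone never grants content access.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset      # e.g. {"storage_admin"}, {"author"} (hypothetical role names)
    clearance: int        # 0 = unclassified ... 3 = top secret (hypothetical scale)
    projects: frozenset   # need-to-know compartments the user has been read into
    mfa: bool             # whether the current session was authenticated with MFA


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int
    project: str


# Actions that operate on the object as a whole versus on what is inside it.
MANAGEMENT_ACTIONS = {"backup", "restore", "move", "delete"}
CONTENT_ACTIONS = {"read", "write"}


def authorize(subject, resource, action):
    """Evaluate the policy and return (allowed, reason). Anything not explicitly allowed is denied."""
    if action in MANAGEMENT_ACTIONS:
        # Administrators handle the object without any content attribute being checked,
        # so an admin with clearance 0 can still back it up or move it.
        if "storage_admin" not in subject.roles:
            return False, "management actions require the storage_admin role"
        if not subject.mfa:
            return False, "privileged actions require an MFA-authenticated session"
        return True, "storage_admin may manage the object without access to its content"

    if action in CONTENT_ACTIONS:
        # Seeing or changing content depends only on the subject's own attributes;
        # holding an administrative role contributes nothing here.
        if subject.clearance < resource.classification:
            return False, (f"clearance {subject.clearance} is below "
                           f"classification {resource.classification}")
        if resource.project not in subject.projects:
            return False, f"no need-to-know for project {resource.project!r}"
        if action == "write" and "author" not in subject.roles:
            return False, "write requires the author role"
        return True, "subject attributes satisfy the content policy"

    return False, f"unknown action {action!r}"


# Constructed sample principals and a sample document (not real data).
ADMIN = Subject("ops-admin", frozenset({"storage_admin"}),
                clearance=0, projects=frozenset(), mfa=True)
ADMIN_NO_MFA = Subject("ops-nomfa", frozenset({"storage_admin"}),
                       clearance=0, projects=frozenset(), mfa=False)
ANALYST = Subject("analyst", frozenset({"author"}),
                  clearance=2, projects=frozenset({"osprey"}), mfa=True)
DOC = Resource("osprey-plan.docx", classification=2, project="osprey")


def decision_matrix():
    """Allowed/denied for each (subject, action) pair, showing the separation of duties."""
    return {(s.name, a): authorize(s, DOC, a)[0]
            for s in (ADMIN, ANALYST)
            for a in ("backup", "read", "write")}


if __name__ == "__main__":
    for (who, action), ok in decision_matrix().items():
        print(f"{who:>9} {action:<6} -> {'ALLOW' if ok else 'DENY'}")
```

Running it shows the administrator allowed to back up the document but denied read and write, and the analyst allowed to read and write but denied backup. In a real deployment the policy would be expressed in a policy language and the content would additionally be encrypted so that a storage administrator who bypasses the policy decision point still only sees ciphertext; the evaluator above models only the decision logic.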