Least Privilege Approach

00:00

Welcome back, Toe Intermediate 10 point security course, Andi, In this lesson, I'm going to talk about least privilege approach.

00:08

And I'm going to explain what the least privilege of concept is. What are the benefits and how to plan? Implement less privilege in your company.

00:21

So first thing about these privilege concept is that is used mostly in government organizations, even some, like Military Day ed in the United States and in some other countries. This is this is a regulation says that this privilege,

00:38

ah, principal has to be implemented there.

00:42

So let's talk about what it actually is.

00:47

It is, ah, concept in which restricts ah, right access rights for users, accounts and computing processes to Onley. Those resource is absolutely required to perform routine, legitimate activities. So what is the? The essence of this privilege concept

01:04

is that users don't have admitting privileges on their PC's. This is the first and most important one.

01:11

The second thing is that users cannot install programs which automatically makes impossible for viruses toe for, for example, for trojans doing getting sold on on your PC because if under your account nothing can get installed,

01:27

then you some mulberry also cannot get installed on your PC

01:34

and also Brower browsers run with less privilege.

01:38

And even if you follow the recommendations of less privileged to the letter if you don't follow it to the letter, if you apply these greetings, you have achieved probably 95% of what, what the least privileges when it comes to endpoints or PC's.

01:57

And in that case, you have significantly increased the overall resilience and security off your endpoints.

02:07

So what are the benefits?

02:12

According to Horizon Um, research, 85% of vulnerabilities on Windows systems could have been avoided by removing and mean rights to user. So this is what I was talking about just before.

02:28

If the user doesn't have any rights, they cannot access some settings in the operating system. Then the process is they run like applications and, uh, installations after installations and stuff like that, they cannot be.

02:46

They cannot run

02:47

on. And in that way you have reduced

02:53

essentially the ability off any kind of malicious code to do damage to the B C.

03:02

It s essentially reduces the attack surface

03:07

it reduces. As I said, malware, infection and propagation,

03:10

um, in improves gives you improved operational performance.

03:17

And, um,

03:20

also, if you want to um,

03:23

yeah, if you have to meet some combat regulatory compliance.

03:29

If you have ah, least privileged implemented, it's easier to reach the compliance level and to prove it, Ah,

03:38

to whatever it authority has to approve that you have this you that you have reached the compliance level required.

03:51

So what are the problems with implementation of Lee's privilege? First of all, it's muting the ranks, so users and please might complain about it

04:02

because they will suddenly see that they cannot do some things that have been doing before. Most of the things, if least privileges carefully planned are actually not connected to the work they have to do for in company time. It's there

04:18

to make their

04:20

let's say, work nicer, easier.

04:24

But then communication with people is essential to explain to them. Yeah, OK, these things are very nice, but

04:33

it's, uh,

04:34

it's a security risk. So some some story like OK, guys, if you don't look your house, that's convenient because you don't have to worry if you're locking if you have to carry the keys for it. But then somebody can break in without any problem and take whatever they want.

04:53

So or if you have all the alarm system in our house and you don't don't arm it when you leave the house than what's the point of having it. So some kind of analogy explanation would give them at least the idea. Why are you using it?

05:09

Then you'll have the resistance resistance from management because

05:15

it's called fear off privileges lost or losing privileges. And basically they think that they won't. They might think that they won't be able to do their job effectively because now,

05:33

now that they had done don't have some privileges they had before.

05:36

And all of these things can be avoided if you have done that. Detailed planning. Because if you allow the applications to work, if you allow the applications that you have specially designed or installed on every user specie

05:54

in the company, they can work and they can allow people to do whatever they want

06:00

with their whatever they need to do to to do their job okay with their PC's. Then you have essentially removed the ALS issues that come from people not being happy with their privileges reduced.

06:16

But the planning has to be very detailed, careful and has to include unfortunately, no, just I t people. But Aled business verticals in the company, they all have to be included. They all have to explain to whoever is planning the least privilege are running the project, how

06:36

they do business. So you have to understand not only the

06:41

I d processes in the company, but also business processes. Now, if you have these things all on one place and if you have done the detail planning, you have done a great job, and then you can go and implement the least privilege

06:56

concept

06:58

eso how you do it. First thing you do is you do privilege old it. So you see who has the right to access. What, um, who? What are the people with the administrator passwords?

07:14

The second thing is a force toe. Find a way to remove, admin writes in and points. And of course, you have to have them. Procedures like that stop Management's after that will allow users toe, have the software installed without having and then privileges on a PC.

07:29

Oh, there are some things connected to a network like removing all rotor than an access rights. The servers enforced separation off little privileges and implement just in time privileges for some things. For example, if some applications of processes need

07:45

administrative privileges for short period of time, then you have to implement the system

07:50

to allow these things to happen when they when they're needed.

07:56

Um,

07:58

you have tow. Establish a system off expiration of privileged access. Implement one time use credentials again for some situations in which you need more privileged than you usually do. Um,

08:13

then again, on the network you have to limit member. She's for super user role to the minimum number of people

08:22

that actually need them.

08:24

Because you have people, for example, that are in technical support inside the company that they're allowed to have admitting rights because they need to think or something with BC's or servers

08:35

shouldn't be happening. At least then you should implement. They're one time use credentials. If they have to do something. Yeah, they logging, they finish what they do and they look out,

08:46

allow individual actions should be traceable. This is very important, especially if you need toe. Prove compliance to some regulatory authority,

08:58

and you need finally to have ah, regular reports on access to all privileged accounts and you have toe

09:11

verify upon these reports. So, for example, you have seen that some manager has logged into their accounts and 3 a.m.

09:20

And they were not overseas on the business trip. Oh, or they were, you know, just home. Then you have to check with that person and say, OK, did you actually along at 3 a.m. To your account?

09:33

And if they didn't, then you know that at least there was some. At least you have the notion that there was a bridge. Then you have can take actions like changing passwords is for that account or implementing multilevel authentication or checking just what's happening.

09:54

No, it was happening

09:56

so as the least privileges. Ah, completely separate topic. I'm not going to go into any more details about it. But, uh, I will just ask you one question to check if you have the learned anything. And the question is how many vulnerabilities can be removed

10:15

by implementing light least privilege? When you talk about PC's, of course,

10:18

is it 58%? Is it 76% or is it 85%?

10:26

The correct answer is, if you remember the first slide, it was 85%.

10:33

Okay, so in this video, you have learned about what? The least privilege concept. Our approach is,

10:39

uh, what are problems when you have or issues that you have when you want to implement that the concept

10:48

and then general guidelines on how to implement it. So you have seen that if you want to do it, you have to make sure that all these things are

10:56

there and, uh, plan that there have to be financial harder and people resource is in order to do these things