Protecting Your Business by Implementing Least Privilege

The more access users have to company data, the more vulnerable that data is in the event of a breach. To limit your company’s risks, users should have the least privilege they need to do their jobs. 

Episode Transcript

Brian: Hey, thanks for joining us on Fearless Paranoia, where we seek to demystify the world of cybersecurity. I’m Brian, the cybersecurity attorney. He is Ryan, the cybersecurity architect. And there’s a subject we have been talking about a little bit lately called least privilege. And it is a topic that Ryan finds very, very important. So Ryan, tell us a little bit about it.

Ryan: Yeah, least privilege is something that’s getting a lot of traction in the cybersecurity world nowadays. And it’s a topic that is kind of front and center in a lot of enterprise environments. But it starts to lose some of its steam the further down the train you go towards smaller businesses, and especially when you get towards personal-level assets. But it’s a very critical one to pay attention to anywhere that you have important data, or any number of people with access to important data, which primarily tends to be in organizations, businesses, etc. And there’s a whole variety of different reasons why least privilege is an important thing to follow. But let’s start with kind of defining what least privilege really is at its core. It might seem like common sense just by the title of it. But least privilege is reducing access to your important assets and your important items down to the people that actually just need that level of access. A really good, high-quality example of this, and a good kind of delineation of where you see the difference here, is between enterprise and small business, and even just stuff like basic file storage. So let’s start with standard files, shared folders, shared filesystems, etc. We’ve all kind of had these at different levels of business over the course of years. In major enterprises, you’ve got, obviously, huge datasets, and those are controlled by access-level permissions or access control lists. And that data really should be tied down to, again, just the people that need it. There’s no reason why anyone that wouldn’t need access to a dataset should even have access to something like that in the first place. They don’t need it for their job. And giving them access to that data actually means that you’ve opened up some potential security holes there as well, because now you’ve allowed one more account access to a piece of data that’s critical.
And if that account gets compromised, that dataset is also going to potentially be compromised as well. If you eliminate that access level there, and user A has access to dataset A but not dataset B, well, now if user A’s account gets compromised, you have to be concerned about dataset A, but you really don’t need to be concerned about dataset B, because that user’s account won’t have access to any of that data. Therefore, that data effectively remains secure in relation to that account being compromised.

Brian: So basically, what we’re talking about right from the start is this is an authorization and permission system. Right?

Ryan: Yeah, for the most part, and it can kind of extend beyond that. But really anywhere that you’re delegating access out is an area where you should be looking at doing least privilege. Again, in smaller businesses where people tend to wear more hats and have a lot more crossover in different duties, you tend to see a lot less restriction on the datasets, because you’ve got more people that need more broad access to them. But also, at the same point, they have fewer people guiding the classification and the access to that data as well. And so just by general practice, instead of a security-based posture for their data, they default to a usability-based posture, which is: the easiest way for all of our employees to have access to all of our data and not suffer any operational challenges or restrictions is to just open up access to the data to everybody here. If you belong to this company, we trust you, here’s access to everything.

Brian: The important thing there is, in a small business, you are likely to see a lot fewer barriers: people who don’t necessarily need access having access. And while I think it is often prefaced as a combination of usability, as you said, or ease of use and practicality, the funny thing is that it makes every single employee almost an admin-level user. When it comes to a breach, all you need to do is get to one of the employees in the company to likely have access to almost all of the information.

Ryan: That’s absolutely correct. Which also means, in the case of things like ransomware, like we’ve discussed in previous topics, if one user at your company has access to all of the datasets of a company, that means that one compromised account can potentially be a ransomware nightmare for an entire company, especially if they have administrative-level access over that data. If all of your employees have administrative-level access over that data, that means that every single employee, every single asset that those employees are using, are all attack surfaces that are wide open, ready to let that kind of nightmare, ransomware or otherwise, make its way into your business. And all it takes is one misstep, one mistake, even something that is as simple as drive-by malware or accidentally clicking on a bad link. Something like that could be enough to bury your entire company because you’ve provided them that level of access to your data. And in smaller businesses especially, you have a lot less money dedicated to things like DLP or data monitoring or file integrity or, you know, especially user training, and this is basic cybersecurity training. So there’s a lot of people in those smaller businesses that just don’t fully understand the detriment that is waiting if they were to click on that bad link. They don’t understand what happens: oh, I clicked on this one bad link, it can’t be that bad, right, I will just let our IT team handle that. Well, it can be that bad. A lot of these attacks nowadays are not human-based anymore. They’re all automated. And one click of a link can cause irreparable damage within seconds.
And there’s no way that a human security team, an IT team, anybody, can ever sit down and provide that user (and I apologize to your users) that guidance when they are not willing to understand what’s happening. There’s no way that you can take that person and put enough measures around them that will both allow them the tools they need to do their job and keep them safe without them being a part of that equation somewhere in there. And so in those smaller businesses, you just don’t get that. And so that’s why they are especially at risk, and why, even though they’re the businesses where you don’t see stuff like least privilege put into place, that’s really the spot where it’s needed the most, because there are fewer security controls, there’s going to be less spend on doing those other pieces that can help protect you on the back end of that, like the file integrity monitoring and DLP-type systems. And so if you don’t have those in place, least privilege is mandatory, because it’s going to be one of those few things that reduces your attack surface and reduces the blast radius for anything that could happen. And you probably also don’t have, at that level, disaster recovery planning and backups in place that are routinely tested enough to make sure that you can recover from one of those types of incidents like the larger enterprise businesses do, which means if you become subject to that, you’re dead in the water. And there’s probably almost no chance of really recovering gracefully from something like that, unless you’ve got some miracle or some ace up your sleeve. And very few small to medium-sized businesses really have that prepared and at the ready.

Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog at www dot resilience cybersecurity.com. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Brian: One of the things that you mentioned there is this notion of the potential risk. And we’ve talked about this before in previous episodes, where we’ve talked about how a hacker, when they penetrate your system, one of the things that they love to do almost immediately is to move vertically, and then to move horizontally, basically to take steps as high as the privileges they can get, and then as broad a spectrum within your system as they can get on that one access. And then they look to get access to other users in that way. And critically and importantly, by creating a system where the privileges that you were extended, that you have use of, are kept to a minimum, it’s the least necessary to accomplish the job, hence least privilege. And the biggest thing that it does is it effectively does silo those attacks. And one of the things you mentioned that was also kind of interesting to me was this idea that in a small business, you click on a bad link, you think, well, IT can handle it. There’s plenty of reports that have come out that are demonstrating how bigger enterprises are discovering, you know, hackers and improper access and ransomware that’s being planted much faster, which means that the criminals are having to act much faster, which means in the small business, by the time you even inform IT, the damage is likely to be done. And I think that’s a pretty dangerous thing now. So for small business, how does least privilege work? What does it look like in operation?

Ryan: Well, to start with, I’d say least privilege can be as broad or as simple as you want it to be. But I think that it starts with basic common sense of the posture behind least privilege, which is you need to classify your critical data. Large businesses should be classifying all their data to the best of their ability; small businesses need to identify what is your most critical data. What’s the data that you cannot operate the business without? Or what’s the data that’s going to land you in court, or what’s the one that’s going to give you the biggest PR black eye? Those are the things that you need to identify so that you understand what the biggest risks to your business are.

Brian: From my perspective, when I have to talk to companies, I also add the data that you have a legal obligation to protect, apart from the confidential information that’s important to you as a business. But then there’s also, and you mentioned those, the ones that will end up getting you in court if you fail to identify them as the ones you have a legal duty to protect. And that legal duty can come from a lot of sources, so make sure you know them when you set up your data classification.

Ryan: Absolutely. Yeah, because your data is important, but any data that you hold of anybody else’s personal information, anything that falls under HIPAA or PCI or anything like that, those are, yeah, those are extremely volatile datasets that are very valuable out on the open market and would turn into a major PR headache or a nightmare for you if that data were to get out, because of the obligation that you have as a maintainer of that data.

Brian: And a potential legal and financial headache too, so pay attention.

Ryan: Absolutely, and it potentially could erode trust. You can end up going down that rabbit hole like we talked about in a different episode.

Brian: Yeah.

Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan to break down in an episode, send us an email at info at Fearless Paranoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a post for this episode containing links to all the sources and research information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now back to the show.

Brian: What do small business owners need to know to make sure that they can both set up this system and, I mean, let’s face it, you know, one of the hardest things you can figure out in cybersecurity spend is what spending is justified. What do they need to do here?

Ryan: Well, let’s talk about some quick wins before you even get into the point of spending money against this problem. Again, once you’ve gone through and classified your core critical data, identify who has access to it. And if the answer is everybody, then the next question should be: does everybody need full-time access to this data all the time? If the answer is yes, then you really need to revisit a lot of your procedures; you’re probably going to find out that, hopefully, you’re around at some point in there. Otherwise, then you need to figure out, okay, if it really is critical data and everybody needs access, then you need to ask yourself, how are we going to protect this data from all these users? What if one of these users’ accounts gets compromised, or what if one of them goes rogue and becomes an insider threat problem? You need to be able to cover all these bases. But if you do find out that not everyone needs it, then the first big win is to restrict access to it: take away people’s access to data that they don’t need. There’s no reason why everybody in a business should need access to your company’s payroll data. That’s like a big one right there, because that’s employee information. That’s personal information about a lot of your employees. Your HR people, your payroll people shouldn’t need stuff like that; potentially your business owner, maybe a hiring manager. Outside of that, the use cases drop off pretty rapidly for who would need access to that type of data. Same with, you know, proprietary customer data: who really needs access to that to operationalize your business? And if they don’t, you need to restrict that access. Same thing goes with user workstations. That’s a really, really easy place, but this is like pulling teeth. This is a tough one, and saying that most users, especially if you have an IT team or a managed IT service, most users do not need local admin on their machines and should not have it, flat out.
The most common reason why people want to keep that is because they want to do things like listen to Spotify or install small pieces of software, stuff like VLC media player, so that they can watch certain things on their work machine. Most use cases for having those admin-level permissions on a workstation that don’t involve a technical user doing something like installing and uninstalling packages or software for developing, or something along those lines, something where it’s a little bit more complex: the average user doesn’t need that and shouldn’t have it, to be totally honest, because the average user doesn’t have the training to understand the nature of what could happen in some of those rare instances, like clicking on a link that you read on a website because you Googled something. And that link has a macro-loaded Excel file behind it, or you pick up some drive-by malware that otherwise wouldn’t be able to operate on your PC without admin rights. But because you’re logged in with an admin-level user, and you don’t know any better, that now hits your network and then is able to spread anywhere that you’ve got privileges, which goes again right into least privileged access. Because now, if you do that while you’re VPN connected, or connected directly into any of your environment, now that stuff can start worming out really quick. And it can start making, you know, systematic and automated access to all the datasets that you have access to. And that’s where stuff like ransomware becomes a major pervasive issue and can jump into your life really quickly and aggressively.

Brian: Well, one thing I want to add to that too is, I’ve heard, I can’t even count how many times, users say that, you know, there will be tools they need to do various components of the job. And I’m always incredibly suspicious of any of those claims. Because the bottom line is, if there’s a legitimate tool that you need to do your job, then why would that not be approved at an admin level one step above you? Why would your business manager or business officer or supervisor or whoever was in charge of making those decisions say, no, we’re not going to allow you to download Windows Media Player, or VLC, an alternative to Windows Media Player, or something like that to do your job? The reality is that while that’s true, they may want to download various applications that are essential to their job, they also want to be able to download things that are not, in my mind. You can’t make the argument convincingly that the only reason you want the local access is for job-related apps that are a necessity and you can’t wait for approval.

Ryan: Well, and that’s the big key right there: if you have any sort of IT team or anyone that’s really managing the environment, managing those workstations, they should be the ones with the rights to install that software, so they have the ability to vet that and approve that before it goes on in those environments. Because you get users that are in this, they put their IT teams in these weird catch-22 spots of: you’re responsible for maintaining the security of my workstation, yet you need to give me access to be able to blow up my workstation if I so choose to do it. And that puts your security team in a really awkward position then, because now you’ve empowered your end users to effectively damage your entire environment. Yet as soon as they do, all the fingers come pointed back at you, because you’re the security team that didn’t keep it from happening. And that end user just goes, “Well, how was I supposed to know,” and they try to wash their hands clean of it. Which is why you can’t give them the opportunity to do that. And so, I apologize, end users, you don’t need local admin rights, even developers and stuff. If you’ve got a really good software distribution network, good management, a good mobile device management system that’s in place to be able to offer up those kinds of tools and those kinds of interactions, or, in big enterprise environments, you can have tools like a privileged access manager or something that will actually take care of handling those administrative duties for you, so you can just take away everybody’s admin access. I’m a cybersecurity architect, I’m one of the lead authorities at my business, and I do not have local admin on my workstation. I don’t run with it every day; if I need to elevate something, I either go to the IT team or I do have an account I can use to elevate it. But I don’t operate with that on a regular basis; my machine does not run in a privileged nature.
And I do that because that is a best practice that we should be following. And if I’m gonna go through and preach that to the rest of my business, I’m going to need to set an example to go along with that. So when we start trying to take away things like admin rights, and we get users complaining about it, the first thing they say is, well, how do you do your job? And I say, well, the same way that I’m trying to guide you right now: without privilege, and you go get privilege just in time when you need it, or you go to the people that have the authority to provide that privilege in the instances where you need it. And then you go back to operating in the least privileged mode for the remainder of your daily operational activities. Because it is really the easiest way to secure a lot of those activities at the user level and at the workstation level.

Brian: It’s one of those things that is painfully clear in principle and incredibly difficult in practice, but you heard it right from the IT specialist himself: least privilege is how everyone should be operating. I want to thank you for joining us today on the Fearless Paranoia podcast. We are going to continue on our mission to demystify cybersecurity, and you can keep up to date with that mission by subscribing to new posts at our website Fearless Paranoia.com or subscribing to the podcast itself on any of your favorite podcasting apps or platforms. Again, I want to thank you for joining us for peerless fields from Fearless Paranoia. Yeah, I came up with that name and I can’t say it. Fearless Paranoia. I am Brian.

Ryan: And I am Ryan and we thank you guys for joining us today and we look forward to spreading more cybersecurity knowledge with you next time.

Ryan: Yeah, least privilege is something that’s getting a lot of traction in the cybersecurity world nowadays. And it’s a topic that is it’s kind of front and center in a lot of enterprise environments. But it starts to lose some of its steam, the further down the train, you go towards smaller businesses, and especially when you get towards like personal level assets. But it’s a very critical one to pay attention to anywhere that you have important data, or any number of people with access to important data, which primarily tends to be in organizations, businesses, etc. And there’s a whole variety of different reasons why least privilege is an important thing to follow. But let’s start with kind of defining what leaves least privilege really is at its core, it might seem like common sense just by the title of it. But least privilege is reducing access to your important assets and your important items down to the people that actually just need that level of access. A really good high quality example of this. And a good kind of delineation of where you see the difference here is between enterprise and small business, and even just stuff like basic file storage. So let’s start with standard files, shared folder, shared filesystem, etc, we’ve all kind of have these at different levels of business over the course of years. In major enterprises, you’ve got, obviously huge datasets, and those are controlled by access level permissions or access control lists. And that data really should be tied down to again, just the people that need it, there’s no reason why anyone that wouldn’t need access to a dataset should even have access to something like that in the first place, they don’t need it for their job. And giving them access to that data actually means that you’ve opened up some potential security holes there as well, because now you’ve allowed one more account access to a piece of data that’s critical. 
And if that account gets compromised, that data sets also going to potentially be compromised as well, if you eliminate that access level there, and they user A has access to data A but not data b Well now if users a ‘s account gets compromised, you have to be concerned about data set a but you really don’t need to be concerned about dataset B because that user’s account won’t have access to any of that data, therefore, that data effectively maintained as secure in relation to that account being compromised.

Brian: So basically, what we’re talking about right from the start is this is an authorization and permission system. Right?

Ryan: Yeah, for the most part, and it can kind of extend beyond that. But really anywhere that you’re delegating access out is an area where you should be looking at doing least privilege again, in smaller businesses where people tend to wear more hats and have a lot more crossover in different duties, you tend to see a lot less restriction of in the datasets, because you’ve got more people that need more broad access to them. But also at the same point, they have less people guiding the classification and the access to that data as well. And so just by general practice, they default to instead of a security-based posture for their data, they default to a usability based posture, which is the easiest way for all of our employees to have access to all of our data and not suffer any operational challenges or restrictions is to just open up access to the data to everybody here. If you belong to this company, we trust you, here’s access to everything.

Brian: The important thing there is in a small business, you are likely to see much a lot fewer in the way of barriers, people who don’t necessarily need access, having access and wallet, I think is often prefaced as a combination between usability as you said, or ease of use and practicality thing. The funny thing is, is that makes every single employee almost an admin level user. When it comes to a breach, all you need to do is get to one of the employees in the company to likely have access to almost all of the information.

Ryan: That’s absolutely correct. Which also means in the case of things like ransomware, like we’ve discussed in previous topics, if one user at your company has access to all of the datasets of a company, that means that one compromised account can potentially be a ransomware nightmare for an entire company, especially if they have an administrative level access over that data. If all of your employees have administrative level access over that data, that means that every single employee every single asset that those employees are using are all attack surfaces that are all wide open, ready to let that kind of nightmare ransomware otherwise make its way into your business. And all it takes is one misstep, one mistake even something that is as simple as drive by malware or accidentally clicking on a bad link. Something like that could be enough to bury your entire company because you’ve provided them that level of access to your data. And in smaller businesses especially you have a lot less money dedicated to things like DLP or data monitoring or file integrity or you know, especially user training, this is basic cybersecurity training. So there’s a lot of people in those smaller businesses that just don’t fully understand the detriment that is waiting. If they were to click on that bad link, they don’t understand what happens, oh, I clicked on this one bad link, it can’t be that bad, right, I will just let our IT team handle that, well, it can be that bad. A lot of these attacks nowadays are not human based anymore. They’re all automated. And one click of a link can cause irreparable damage within seconds. 
And there’s no way that a human security team and IT team anybody can ever sit down and provide that user that is apologize to your users that guidance and that, that not being willing to understand what what’s happening, there’s no way that you can take that person and put enough measures around them that will both allow them the tools they need to do their job and keep them safe without them being a part of that equation somewhere in there. And so in those smaller businesses, you just don’t get that. And so that’s why they are especially at risk and why even though they’re the businesses where you don’t see stuff like least privilege put into place, that’s really the spot where it’s needed the most, because there are fewer security controls, there’s going to be less spend on doing those other pieces that can help protect you on the back end of that like the File Integrity Monitoring and DLP type systems. And so if you don’t have those in place, at least privileges is mandatory, because it’s going to be one of those few things that reduces your attack surface reduces the blast radius for anything that could happen. And you probably also don’t have at that level disaster recovery, planning and backups in place that are routinely tested enough to make sure that you can recover from one of those types of incidents like the larger enterprise businesses do, which means if you become subject to that you’re dead in the water. And there’s probably almost no chance of really recovering gracefully from something like that, unless you’ve got some miracle or some ace up your sleeve. And very few small to medium sized businesses really have that prepared and at the ready.

Brian: You’re listening to the Fearless Paranoia podcast for more information on keeping yourself your family and your company protected against cyber threats. Check out the resilience, cybersecurity and data privacy blog at www dot resilience cybersecurity.com. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.

Brian: One of the things that you mentioned there’s this notion of the potential risk. And we’ve talked about this before in previous episodes where we’ve talked about how a hacker when they penetrate your system, one of the things that they love to do almost immediately is to move vertically, and then to move horizontally basically to take steps as high as the privileges they can get. And then as broad a spectrum within your system as they can get on that one access. And then they look to get access other users and in that way, and they critically and importantly, by creating a system where the privileges that you were extended that you have use of are kept to a minimum, it’s the least necessary to accomplish the job, hence, least privileged. And the biggest thing that it does is it effectively does silo those attacks and one of the things you mentioned or also it was kind of interesting to me was this idea that in a small business, you click on a bad link, you think well it can handle it, there’s plenty of reports that have come out that are demonstrating how bigger enterprises are discovering, you know, hackers, and improper access and ransomware. That’s being planted much faster, which means that the criminals are having to act much faster, which means in the small business, by the time you even inform it, the damage is likely to be done. And I think that’s a pretty dangerous thing now. So for small business, how does least privilege work? What does it what does it look like in operation?

Ryan: Well, to start with, I’d say the least privilege can be as broad or as simple as you want it to be. But I think that it starts with basic common sense of the posture behind least privilege, which is you need to classify your critical data, large businesses should be classifying all their data to the best of their ability, small businesses need to identify what is your most critical data? What’s the data that you cannot operate the business without? Or what’s the data that’s going to land you in court, or what’s the one that’s going to give you the biggest PR black eye, and those are the things that you need to identify so that you understand what the biggest risks to your business are.

Brian: From my perspective, when I have to talk to companies, I also add the data that you have a legal obligation to protect them from the confidential information that’s important to you as a business. But then there’s also and you mentioned those, the ones that will end up getting you in court, if you fail to identify as the ones you have a legal duty to protect. And that legal duty can come from a lot of sources, so make sure you know them when you set up your data classification.

Ryan: Absolutely. Yeah, because your data is important, but any data that you hold of anybody else’s personal information, anything that falls under HIPAA, or PCI, or anything like that, those are yeah, those are extremely volatile data sets that are very valuable out on the open market and would turn into a major PR headache or a nightmare for you if that data were to get out because of the obligation that you have as a maintainer of that data

And a potential legal and financial headache too, so pay attention. Absolutely, and it potentially could erode trust; you can end up going down that rabbit hole like we talked about in a different episode.

Brian: Yeah.

Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan to break down in an episode, send us an email at info at Fearless Paranoia.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com. You’ll find a post for this episode containing links to all the sources, research and information that we have cited to you. And also check out our older posts and podcasts, as well as additional helpful resources for learning about cybersecurity. Now back to the show.

Brian: What do small business owners need to know to make sure that they can both set up this system and, to make sure that, I mean, let’s face it, you know, one of the hardest things you can figure out in cybersecurity spend is what spending is justified. What do they need to do here?

Ryan: Well, let’s talk about some quick wins before you even get into the point of spending money against this problem. Again, once you’ve gone through and classified your core critical data, identify who has access to it. And if the answer is everybody, then the next question should be: does everybody need full-time access to this data all the time? If the answer is yes, then you really need to revisit a lot of your procedures; you’re probably going to find out that hopefully you’re around at some point in there. Otherwise, then you need to figure out, okay, if it really is critical data and everybody needs access, then you need to ask yourself, how are we going to protect this data from all these users? What if one of these users’ accounts gets compromised, or what if one of them goes rogue and becomes an insider threat problem? You need to be able to cover all these bases. But if you do find out that not everyone needs it, then the first big win is restrict access to it; take away people’s access to data that they don’t need. There’s no reason why everybody in a business should need access to your company’s payroll data. That’s like a big one right there, because that’s employee information. That’s personal information about a lot of your employees. Your HR people, your payroll people shouldn’t need stuff like that; potentially your business owner, maybe a hiring manager. Outside of that, the use cases drop off pretty rapidly for who would need access to that type of data. Same with, you know, proprietary customer data: who really needs access to that to operationalize your business? And if they don’t, you need to restrict that access. Same thing goes with like user workstations. That’s a really, really easy place at, but this is like pulling teeth. This is a tough one, and saying that most users, especially if you guys have an IT team or a managed IT service, most users do not need local admin on their machines and should not have it, flat out.
The main reason why people want to keep that is because they want to do things like listen to Spotify or install small pieces of software, stuff like VLC media player, so that they can watch certain things on their work machine. Most use cases for having those admin-level permissions on a workstation that don’t involve a technical user doing something like installing and uninstalling packages or software for developing, or something along those lines, something where it’s a little bit more complex, the average user doesn’t need that and shouldn’t have it, to be totally honest. Because the average user doesn’t have the training to understand the nature of what could happen in some of those rare instances, like clicking on a link that you read on a website because you Googled something, and that link has a macro-loaded Excel file behind it, or you pick up some drive-by malware that otherwise wouldn’t be able to operate on your PC without admin rights. But because you’re logged in with an admin-level user, and you don’t know any better, that now hits your network and then is able to spread anywhere that you’ve got privileges, which goes again right into least privilege access. Because now, if you do that while you’re VPN connected, or connected directly into any of your environment, now that stuff can start worming out really quick. And it can start making, you know, systematic and automated access to all the datasets that you have access to. And that’s where stuff like ransomware becomes a major pervasive issue and can jump into your life really quickly and aggressively.

Brian: Well, one thing I want to add to that, too, is I’ve heard, I can’t even count how many times, where users say that, you know, there will be tools they need to do various components of the job. And I’m always incredibly suspicious of any of those claims. Because the bottom line is, if there’s a legitimate tool that you need to do your job, then why would that not be approved at an admin level one step above you? Why would your business manager or business officer or supervisor or whoever was in charge of making those decisions say, no, we’re not going to allow you to download Windows Media Player, or VLC, an alternative to Windows Media Player, or something like that to do your job? The reality is that while that’s true, they may want to download various applications that are essential to their job, they also want to be able to download things that are not, in my mind. You can’t make the argument convincingly that the only reason you want the local access is for job-related apps that are a necessity and you can’t wait for approval.

Ryan: Well, and that’s the big key right there: if you have any sort of IT team or anyone that’s really managing the environment, managing those workstations, they should be the ones with the rights to install that software. So they have the ability to vet that and approve that before it goes onto those environments. Because you get users that are in this, they put their IT teams in these weird catch-22 spots of: you’re responsible for maintaining the security of my workstation, yet you need to give me access to be able to blow up my workstation if I so choose to do it. And that puts your security team in a really awkward position then, because now you’ve empowered your end users to effectively damage your entire environment. Yet, as soon as they do, all the fingers come pointed back at you, because you’re the security team that didn’t keep it from happening. And that end user just goes, “Well, how was I supposed to know,” and they try to wash their hands clean of it. Which is why you can’t give them the opportunity to do that. And so I apologize, end users, you don’t need local admin rights, even developers and stuff. If you’ve got a really good software distribution network, good management, a good mobile device management system that’s in place to be able to offer up those kinds of tools and those kinds of interactions, or, lovingly, in big enterprise environments, you can have tools like a privileged access manager or something that will actually take care of handling those administrative duties for you, so you can just take away everybody’s admin access. I’m a cybersecurity architect, I’m one of the lead authorities at my business, and I do not have local admin on my workstation. I don’t run with it every day; if I need to elevate something, I either go to the IT team or I do have an account I can use to elevate it. But I don’t operate with that on a regular basis; my machine does not run in a privileged nature.
And I do that because that is a best practice that we should be following. And if I’m gonna go through and preach that to the rest of my business, I’m going to need to set an example to go along with that. So when we start trying to take away things like admin rights, and we get users complaining about it, the first thing they say is, well, how do you do your job? And I say, well, the same way that I’m trying to guide you right now: without privilege, and you go get privilege just in time when you need it, or you go to the people that have the authority to provide that privilege in the instances where you need it. And then you go back to operating in the least privileged mode for the remainder of your daily operational activities. Because it is really the easiest way to secure a lot of those activities at the user level and at the workstation level.


Brian: It’s one of those things that’s painfully clear in principle and incredibly difficult in practice, but you heard it right from the IT specialist himself. Least privilege is how everyone should be operating. I want to thank you for joining us today on the Fearless Paranoia podcast. We are going to continue on our mission to demystify cybersecurity, and you can keep up to date with that mission by subscribing to new posts at our website, Fearless Paranoia.com, or subscribing to the podcast itself on any of your favorite podcasting apps or platforms. Again, I want to thank you for joining us for peerless fields from Fearless Paranoia. Yeah, I came up with that name and I can’t say it. Fearless Paranoia. I am Brian.


Ryan: And I am Ryan and we thank you guys for joining us today and we look forward to spreading more cybersecurity knowledge with you next time.

©2022 Fearless Paranoia