Cyber Defense eMagazine March Edition for 2022

To prevent lateral movement attacks resulting from stolen and misused privilege access,
information security teams are increasingly embracing the Principle of Least Privilege (PoLP),
which NIST defines as “the principle that users and programs should only have the necessary
privileges to complete their tasks.” It states that for any user or program that needs elevated
privileges to complete its task or function, IT teams must enable the least amount of privilege,
no more and no less, to get the job done. This directly emphasizes authorization -- meaning that
escalated user privileges must only be allowed to match the computing goals of the task at hand.
While the benefits of PoLP are obvious, there are several challenges that can often get in the
way of achieving them – whether due to the complexity of implementation or the inability to adapt
ingrained processes. For example, unlike Linux’s sudoers subsystem, Windows systems do not
provide granular controls for the tasks an administrative user can or cannot perform. Group
Policies also only go so far, especially since interactions between multiple policies may negate
affects to achieve granular control. It’s actually quite common for an enterprise’s Active Directory
to have Nested Groups, Domain Admins and Backup Admins, and all other privilege groups
containing broad, obfuscated and over-permissioned configurations that either contradict or
cancel out any least privileged controls in place.
One of the biggest issues with PoLP is that time is not explicitly called out as a privilege, and
thus is simply not considered at all when conferring least privileges. Let’s go back to the alwayson,
always-available administrative access, but now, the access is constrained to the least
computing privileges required for the task at hand. The fact that all systems have standing
privileges defeats the goal of granular control, because an administrator on one system labeled
trustworthy can, per convenience or with malintent, administer all other systems they have
standing privileges on, effectively making the principle of least privilege null and void.
The first step in addressing time is through what Gartner calls Zero Standing Privilege (ZSP), or
the removal of all standing privileges and the implementation of Just-In-Time administration
(JITA). First, ZSP removes the privilege sprawl. Then, JITA, bolstered by multi-factor
authentication (MFA), selectively elevates privileges to the specific system that requires
attention, exactly when the administration is needed, and for just the right amount of time
necessary to complete the task. If cyber thieves (or insiders) were to get a foothold on a system,
the window of opportunity to steal admin credentials would be significantly narrowed, and most
importantly, they wouldn’t find a plethora of administrative access available to exploit and use to
move laterally within the organization.
Cyber Defense eMagazine – March 2022 Edition 107
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.