Posted by Insider Threat
The 15th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 15: Enforce separation of duties and least privilege. In this post, I discuss how implementing separation of duties and least privilege can benefit any organization's defense-in-depth strategy.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The 15th of the 20 best practices follows.
Practice 15: Enforce separation of duties and least privilege.
Separation of duties is often synonymous with the "two-person" or "four eyes" rule wherein a task can be completed only with the participation of more than one employee. An example implementation of the two-person rule might include having two individuals enter a passcode and confirm successful, appropriate completion of the same task. While the two-person rule can serve to prevent single-actor insider threats, organizations should still be mindful that collusion between insiders can circumvent this procedure.
More broadly, separation of duties also means that activities are broken into discrete tasks so that no one employee is responsible for an entire critical function. An example would be to require separate employees to be responsible for the backup and restore tasks. Organizations should review each critical function and the extent to which it relies on any one employee to complete the function.
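The two controls just described can be expressed as a small authorization policy. The following Python is an added example, not code from the post or the guide: it enforces a static rule that no one person may hold both halves of a conflicting role pair (the backup/restore split from the text, plus a constructed payment pair), and a two-person rule in which a sensitive task proceeds only after two distinct, suitably privileged people approve it. The role names, user names and task are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: pairs of roles that no single person may hold at once
# (static separation of duties). The backup/restore split mirrors the post's
# example; the role names themselves are assumptions, not from the guide.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"backup_operator", "restore_operator"}),
    frozenset({"payment_requester", "payment_approver"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when an assignment would collapse two separated duties into one person."""


def assign_role(assignments: dict, user: str, role: str) -> None:
    """Grant `role` to `user` unless the user already holds a role that conflicts with it."""
    held = assignments.setdefault(user, set())
    for pair in CONFLICTING_ROLE_PAIRS:
        clash = (pair - {role}) & held if role in pair else set()
        if clash:
            raise SeparationOfDutiesError(
                f"{user} already holds {sorted(clash)}; cannot also hold {role}")
    held.add(role)


@dataclass
class TwoPersonTask:
    """A sensitive action that proceeds only once `quorum` distinct, authorised people approve."""
    name: str
    required_role: str
    quorum: int = 2
    approvals: set = field(default_factory=set)

    def approve(self, user: str, assignments: dict) -> int:
        """Record an approval; returns the number of distinct approvers so far."""
        if self.required_role not in assignments.get(user, set()):
            raise PermissionError(f"{user} lacks role {self.required_role} for {self.name}")
        # A set, so one person pressing "approve" twice still counts as one approver.
        self.approvals.add(user)
        return len(self.approvals)

    def is_authorized(self) -> bool:
        return len(self.approvals) >= self.quorum


def run_scenario() -> dict:
    """Exercise both controls on constructed users and return the observable outcomes."""
    assignments: dict = {}
    assign_role(assignments, "alice", "backup_operator")
    assign_role(assignments, "bob", "restore_operator")
    assign_role(assignments, "carol", "restore_operator")

    # Static separation: alice may not pick up the restore duty on top of backup.
    try:
        assign_role(assignments, "alice", "restore_operator")
        conflict_blocked = False
    except SeparationOfDutiesError:
        conflict_blocked = True

    # Two-person rule on a production restore.
    task = TwoPersonTask("restore production database", "restore_operator")
    task.approve("bob", assignments)
    task.approve("bob", assignments)              # a second click by bob adds nothing
    alone_is_enough = task.is_authorized()        # False: still one distinct approver
    task.approve("carol", assignments)
    two_persons_is_enough = task.is_authorized()  # True: two distinct approvers

    try:
        task.approve("alice", assignments)        # wrong role: rejected outright
        unprivileged_rejected = False
    except PermissionError:
        unprivileged_rejected = True

    return {
        "conflict_blocked": conflict_blocked,
        "alone_is_enough": alone_is_enough,
        "two_persons_is_enough": two_persons_is_enough,
        "unprivileged_rejected": unprivileged_rejected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The approver set counts distinct identities, which is what defeats a single insider approving twice; as the post notes, it does nothing against two insiders who collude, so the approval log itself is worth monitoring for pairs that repeatedly approve each other's work.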
While this concept seems simple, implementation can be a challenge, particularly for small to mid-sized organizations. Organizations can implement both technical and nontechnical controls to enforce the separation of duties in the business units as well as in the IT department:
A complementary concept, least privilege, requires that employees have the minimum privileges needed to perform actions on information or assets that are within the scope of their job function. Implementation of the principle of least privilege on an information system (i.e., read, write, or execute permissions) can include restrictions around the creation, deletion, or modification of information.
Implementation of least privilege may also include restricting the installation of software. For instance, your organization may manage privileges so that interns can read or write files only within specified directories, but not execute programs or reconfigure user settings. While enterprise software typically allows implementing least privilege at scale, some users may seek to escalate their privileges by exploiting bugs or configuration gaps.
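The intern example above can be written as a default-deny permission check. The following Python is an added example, not code from the post or the guide: each grant scopes a set of read/write/execute operations to one directory, a user is allowed an operation only if some grant for one of their roles covers both the operation and the path, and paths are canonicalised first so that `..` segments and look-alike directory names cannot widen the scope. The role names, user names and directories are assumptions made for the example.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    role: str
    directory: str        # absolute POSIX directory the grant is scoped to
    operations: frozenset  # subset of {"read", "write", "execute"}


# Constructed policy modelled on the post's intern example: read and write inside
# one share, nowhere else, and no execute anywhere. All names are assumptions.
POLICY = (
    Grant("intern", "/srv/intern-share", frozenset({"read", "write"})),
    Grant("developer", "/srv/projects", frozenset({"read", "write", "execute"})),
    Grant("developer", "/usr/local/bin", frozenset({"read", "execute"})),
)

# Constructed role assignments; anyone not listed holds no roles and gets nothing.
ROLES = {"ivy": {"intern"}, "dan": {"developer"}}


def _canonical(path: str) -> str:
    """Collapse '.', '..' and repeated slashes, so '/srv/intern-share/../etc' becomes '/srv/etc'."""
    return posixpath.normpath(path)


def _inside(path: str, directory: str) -> bool:
    """Component-wise containment: '/srv/intern-share-secret' is NOT inside '/srv/intern-share'."""
    path, directory = _canonical(path), _canonical(directory)
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def is_allowed(user: str, operation: str, path: str) -> bool:
    """Default deny: True only if a grant for one of the user's roles covers the op and the path."""
    if not path.startswith("/"):
        return False  # a relative path is ambiguous about its scope; refuse rather than guess
    user_roles = ROLES.get(user, set())
    for grant in POLICY:
        if (grant.role in user_roles
                and operation in grant.operations
                and _inside(path, grant.directory)):
            return True
    return False


def evaluate(requests) -> list:
    """Decide a batch of (user, operation, path) requests; returns (request, decision) pairs."""
    return [(req, is_allowed(*req)) for req in requests]


if __name__ == "__main__":
    # Constructed requests, including the traversal and look-alike cases the check must refuse.
    sample = [
        ("ivy", "read", "/srv/intern-share/notes.txt"),
        ("ivy", "execute", "/srv/intern-share/tool.sh"),
        ("ivy", "read", "/srv/intern-share/../../etc/passwd"),
        ("ivy", "read", "/srv/intern-share-secret/plan.doc"),
        ("dan", "execute", "/usr/local/bin/make"),
        ("dan", "write", "/usr/local/bin/make"),
    ]
    for req, decision in evaluate(sample):
        print("ALLOW" if decision else "DENY ", *req)
```

The two cases worth keeping in any such check are the canonicalisation step, without which a grant on one directory silently becomes a grant on its parents, and the component-wise containment test, without which a plain string prefix match lets a sibling directory with a longer name ride on the grant.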
Organizations can implement the principle of least privilege in the following ways:
When these principles are implemented, organizations can limit the potential damage that can be caused by insiders. In addition to protecting against malicious attacks, separation of duties and least privilege also assists in mitigating unintentional insider threats. If no single employee has the privileges necessary to access and leak the "secret sauce," then there is no single point of failure if employees are targeted by a social engineering campaign.
Regardless of the strategies used to enforce separation of duties and least privilege, an organization should consider how each strategy fits into its overall defense-in-depth strategy, goals, organizational culture, and mission.
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.
Check back next week to read Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.