Two topics that we take to heart when it comes to information security are least privilege and separation of duties. These topics tend to go hand-in-hand and are considered complementary.
Least privilege, according to the Cybersecurity & Infrastructure Security Agency (CISA), states that a “subject should be given only those privileges needed for it to complete its task”, which aligns with the availability portion of the CIA triad. When a subject has more privileges than it needs to perform its core set of tasks, the risk of it being compromised increases.
For example, if a system has administrator access it does not need and it gets compromised, then the attackers have administrator access to that system. This could allow for several follow-on attacks, such as code execution or establishing persistence. Least privilege does not pertain solely to individuals. It also applies to a system, a service account, or an application. One should determine, either through information from the vendor or by one’s own analysis, what the minimal rights and permissions are for the account to fulfill its function. We can also apply this to firewalls, configuring them to control zones within your infrastructure in a host-based setup or to allow only necessary traffic in and out of your network at the boundary.
Separation of duties is when tasks within critical functions are split up among employees so that one individual does not have too much power to conduct a task. An example of this is having Payroll split up into approval and check writing, because having one person able to approve and write a paycheck could lead to that individual providing themselves some bountiful checks on the company’s dime.
Another example would be to have at least two people responsible for a critical function, similar to the incredible opening scene from the original WarGames where the two operators had to turn their keys at the same time to launch the missile. Another example is controlling access to audit data, where one role collects it and the other role analyzes it. This, again, keeps too much power away from one person. Separating duties this way forces collusion: two people need to work together to perform some type of fraud or crime. While that may sound like something you would like to avoid altogether, the more people who know about a crime being committed, the more likely it is that someone will admit to wrongdoing. Thus, forcing collusion creates a weakness in the crime. Utilizing job rotation, where individuals are moved from job to job within the organization every so often, can help thwart collusion. This also helps with redundancy of skill.
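The payroll and audit-data splits described above can be checked in two places: when duties are assigned and when a transaction is carried out. The following Python sketch is an added example, not code from the original article; the duty names, user names, and the `Paycheck` workflow are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed duty names: each pair is one critical function split in two.
CONFLICTS = [
    {"payroll_approve", "payroll_write_check"},
    {"audit_collect", "audit_analyze"},
]

# Constructed role assignments (sample data, not from any real system).
ASSIGNMENTS = {
    "alice": {"payroll_approve"},
    "bob": {"payroll_write_check"},
    "carol": {"payroll_approve", "payroll_write_check", "audit_collect"},
    "dave": {"audit_collect", "audit_analyze"},
}

def sod_violations(assignments):
    """Map each user holding both halves of a split duty to the conflicting pairs."""
    found = {}
    for user, duties in assignments.items():
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= duties)
        if hits:
            found[user] = hits
    return found

@dataclass
class Paycheck:
    payee: str
    amount: int
    approved_by: Optional[str] = None

def approve(check, actor, assignments):
    if "payroll_approve" not in assignments.get(actor, set()):
        raise PermissionError(f"{actor} may not approve paychecks")
    check.approved_by = actor

def write_check(check, actor, assignments):
    if "payroll_write_check" not in assignments.get(actor, set()):
        raise PermissionError(f"{actor} may not write checks")
    if check.approved_by is None:
        raise PermissionError("paycheck has not been approved")
    # Enforced per transaction, so a bad role assignment alone cannot bypass the split.
    if actor == check.approved_by:
        raise PermissionError("approver and check writer must be different people")
    return f"{check.payee}:{check.amount}:approved={check.approved_by}:written={actor}"

if __name__ == "__main__":
    print(sod_violations(ASSIGNMENTS))
```

The assignment review flags `carol` and `dave`, and the per-transaction check still refuses a paycheck that `carol` both approves and writes, even though her role assignment would allow each step on its own.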
Utilizing these will go a long way in protecting the confidentiality, integrity, and availability (CIA) of your information systems. Following guidance to protect those tenets of the CIA triad will take you a long way down your path towards information security.