Understanding "privilege separation"

[English version only]

by Tom Patterson, CSC Cybersecurity Consulting General Manager

Somehow, as executives got promoted, CEOs got hired and board members got selected, they all got confused. So confused that their security world is turned upside down, and it’s their fault. And it’s not just corporate executives confused about the security of their enterprise; it’s everyone who owns a computer or smartphone who is confused about the security of his or her own personal enterprise. They somehow got the impression that the higher you are in your enterprise, the MORE computer and network access you should have. In fact, the polar opposite is true. Everyone has forgotten the tried and true security tenet of ‘least privilege.’

Least Privilege is a fundamental security concept (who remembers the ‘Rainbow Series?’), whereby a user (human or program) is granted only the access needed to perform its tasks, and nothing more. This used to be done all the time in programming, and is often done at the rank and file levels of enterprises today. For instance, the guy in the cube next to you can’t access the HR system and look up your salary because he doesn’t need that access. While the HR exec can see your salary, he usually cannot read sensitive company financials. But the CEO can see it all.

In a work setting, it’s unfortunately common for senior executives (and therefore their assistants) to be given total access to their digital enterprise, like a master key for every computer, network and file in their domain. That makes for a juicy target if you’re a thief, and the thieves know it and are thriving on this simple lapse of good corporate governance. And that target becomes even juicier when said executives insist on taking their laptops and smartphones with them when they travel abroad (where governments have been known to snoop and share with state-owned competitors), insist on downloading the latest privilege-grabbing apps, and insist on blithely connecting from any coffeehouse or other free wifi they happen upon.


The key to fixing this rampant problem costs nothing but a little bruise to the ego. Executives should NOT be given keys to their kingdoms. Instead, they should be given just enough privilege to do the routine aspects of their job. While not the complete solution, this simple step will stop a large share of the adversaries who are looking for keys to subvert companies.

Before you condemn your company’s execs, think about you and your own computers, tablets, smartphones and home networks. Almost everyone gives themselves ‘root’ or ‘Admin’ access to their devices. When installing new programs, this high level of access is usually required, so that’s what you take. This is exactly what today’s thieves are counting on. At some point, they are going to trick you into clicking on a link that will take over your account. If your account has Admin privileges, then they have successfully taken over your enterprise. But what if your account only had just enough rights to run your apps, but not enough to make any substantive changes to your device? Then your account will still have been compromised, and whatever that account can read is exposed, but the system itself stays intact: the attacker cannot install drivers, disable your security software or plant something that survives a reboot. If you don’t have Admin rights to begin with, then you can’t be the cause of them getting stolen.
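The first step in taking the keys back, whether from executives on a corporate host or from yourself on a home machine, is finding out who actually holds them. The following script is an added example, not code from the author or from CSC; it audits an /etc/group and /etc/passwd pair in the standard Unix format for accounts that are root-equivalent, either through membership in an administrative group or through a UID or primary GID of 0. The sample group and passwd contents are constructed for the demonstration, and the set of groups treated as administrative (root, wheel, sudo, admin, docker) is an assumption; docker is included because membership grants control of the Docker daemon, which is effectively root on most hosts.

```shell
#!/bin/sh
# Audit which accounts hold admin-level privilege on a Unix host.
# Added example; not from the original article. Group and passwd data below are constructed.

# Groups whose membership is treated as root-equivalent (assumption; adjust per distribution).
PRIV_GROUPS='root wheel sudo admin docker'

# Constructed sample /etc/group: note the CEO and the assistant in sudo/wheel.
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,ceo
sudo:x:27:ceo,assistant
users:x:100:alice,bob,ceo,assistant
docker:x:998:bob'

# Constructed sample /etc/passwd: a second UID-0 account and a user whose primary group is 0.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root account:/root:/bin/sh
ceo:x:1001:0:Chief Executive:/home/ceo:/bin/sh
alice:x:1002:100:Alice:/home/alice:/bin/sh'

# privileged_members GROUPFILE: print "user group" for every member of a privileged group.
privileged_members() {
  awk -F: -v groups="$PRIV_GROUPS" '
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) priv[g[i]] = 1 }
    ($1 in priv) && $4 != "" {
      m = split($4, members, ",")
      for (i = 1; i <= m; i++) print members[i], $1
    }' "$1"
}

# root_equivalent_accounts PASSWDFILE: print "user uid0" for UID 0 accounts and
# "user gid0" for accounts whose primary group is 0 (easy to miss in group-file audits).
root_equivalent_accounts() {
  awk -F: '
    $3 == 0 { print $1, "uid0" }
    $3 != 0 && $4 == 0 { print $1, "gid0" }' "$1"
}

# privileged_users GROUPFILE PASSWDFILE: de-duplicated list of every account with admin reach.
privileged_users() {
  { privileged_members "$1"; root_equivalent_accounts "$2"; } | awk '{ print $1 }' | sort -u
}

# demo: run the audit over the constructed samples (use /etc/group /etc/passwd on a real host).
demo() {
  g=$(mktemp) && p=$(mktemp)
  printf '%s\n' "$SAMPLE_GROUP" > "$g"
  printf '%s\n' "$SAMPLE_PASSWD" > "$p"
  echo "== privileged group members =="; privileged_members "$g"
  echo "== root-equivalent passwd entries =="; root_equivalent_accounts "$p"
  echo "== accounts holding the keys =="; privileged_users "$g" "$p"
  rm -f "$g" "$p"
}

demo
```

On a real host, run `privileged_users /etc/group /etc/passwd` and compare the result with the list of people whose job actually requires administrative changes; every name on the first list that is not on the second is a key that should be taken back. The script does not cover sudoers rules or Windows local Administrators membership, which need a separate check.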

What’s the cost to implementing least privilege in your home and office? Zero dollars. A few more clicks for the few times you actually do need to load new software. And a hit to your ego because you’re not given all the keys. So help me make least privilege cool. Brag about how little access your company gives you. Get excited when the malware you stumbled upon fails to execute and gives you an error message instead. Tell your friends and co-workers — It’s cool not to have the keys!

This article was first published on: CSC Cybersecurity Blog

About the author: Currently CSC’s Global GM for Cybersecurity Consulting, Tom Patterson has led the introduction of a new security standard to wipe out counterfeit credit card fraud, run security services for Deloitte & Touche in Europe (EMEA), was IBM’s Chief eCommerce Strategist, and successfully founded a Carlyle Ventures-backed startup in the next generation Internet (IPv6) space. Tom founded the National Security Grid (now a Security Executive Council non-profit project) focused on securing the Defense Industrial Base (DIB) supply chain, has worked on security for the launch of a nuclear aircraft carrier (CVN-73) and a space shuttle launch (STS-37), and has advised the DoD, FBI, U.S. Secret Service, Federal Reserve, National Counter-Intelligence Executive, Congress, components of the intelligence community, and Government and business leaders around the world on the latest threat and countermeasure intelligence.

© 2015 Strategies Telecoms & Multimedia