I’m back home after a week at RSA 2009. I presented a session on the subject of Least Privilege. Turnout was OK, especially considering the overall down attendance and that there was a session entitled “Is Google Evil” directly across the hall at the same time. Who could pass that up? I wanted to go myself!
There was a DoD guy there who seemed to enjoy my reference to the Walker spy ring. I was born a year before they began spying, and joined the Navy a year after they were finally caught. Just like everyone else I had to deal with the resulting need-to-know doctrine that was implemented throughout the government. The damage they did to the United States and our allies from 1967 to 1985 is incalculable, but some say they actually shifted the balance of power to the Soviets.
What good is a crypto system when a trusted man on the inside is forking over the keys to highest bidder? You never know where such an attack is going to manifest, but what you do know for sure is that it will. Giving anyone with a Top Secret clearance access to all Top Secret information is a plan to fail. There was plenty of recrimination when it all came down; how could we be so blind? John Walker said in one interview that K-Mart had better security than the Navy.
So things are getting better – right? Maybe, but not good enough said the GAO in April 2007:
What GAO Found
Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources. Specifically, FBI did not consistently (1) configure network devices and services to prevent unauthorized insider access and ensure system integrity; (2) identify and authenticate users to prevent unauthorized access; (3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate; (4) apply strong encryption techniques to protect sensitive data on its networks; (5) log, audit, or monitor security-related events; (6) protect the physical security of its network; and (7) patch key servers and workstations in a timely manner. Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats.
Authorization is the process of granting or denying access rights and privileges to a protected resource, such as a network, system, application, function, or file. A key component of granting or denying access rights is the concept of “least privilege.” Least privilege is a basic principle for securing computer resources and data. It means that users are granted only those access rights and permissions that they need to perform their official duties. To restrict legitimate users’ access to only those programs and files that they need in order to do their work, organizations establish access rights and permissions. “User rights” are allowable actions that can be assigned to users or to groups of users. File and directory permissions are rules that are associated with a particular file or directory and regulate which users can access it—and the extent of that access. To avoid unintentionally giving users unnecessary access to sensitive files and directories, an organization must give careful consideration to its assignment of rights and permissions. DOJ policy requires that each individual be granted access to information only when such access is an operational necessity, sometimes referred to as “need to know.” Also, the policy requires that system security features have the technical ability to restrict the user’s access to only that information which is necessary for operations. Further, FBI policy defines least privilege as determining the minimum set of privileges required to perform job functions, and restricting the user to those privileges and nothing more.
Yet so much of the security focus I see today is about trying to close the barn doors after the cows have been uploaded.