The principle of least privilege: A strategy of limiting access to what is essential

In a recent conversation with our marketing analyst at ESET Mexico, Juan Carlos Fernández, we discussed a story about a scam carried out by a bogus company during his time as a university student. The company, which allegedly recruited students, collected information included on the résumés of those who applied.

No students were actually hired, of course, but their personal information had been provided voluntarily. The incident would be quite irrelevant if it wasn't for the fact that résumés usually include personal information and data, which can compromise people’s safety if it falls into the wrong hands. In the case of university students, data such as their photographs, addresses, contact information, social network accounts, and other information will no doubt be included.

And while this information may be necessary for some recruiters, it is highly likely that it is not essential when finalizing the hiring process. The idea of only providing the required information, and access to it, can be applied to different areas, and cybersecurity is no exception. This good practice is known as the principle of least privilege, and we discuss it in this publication.

Least privilege: A good security practice

In the area of cybersecurity, the assignment of permissions that a user may have to a system or to information is a security practice that is continuously applied. For example, operating systems are developed with different roles (and, of course, privileges), which are designed for different user profiles, based on their activities and responsibilities.

Operating under the principle of least privilege, as the name implies, is based on the premise of only granting necessary and sufficient permissions to users to carry out their activities, for a limited time, and with the minimum rights required for their tasks. This practice can be implemented with respect to technology usage, with the aim of ensuring the security of information, as well as our privacy.

Assigning permissions to users that go beyond the rights necessary to carry out a certain action may allow them to carry out actions that they are not authorized to carry out, such as accessing, obtaining, or modifying information. And privileges must also be considered for entities or services to meet their objectives without compromising privacy or security; however, for this task, an important responsibility of users is ascertaining and only granting necessary and sufficient permissions.

Can least privilege be applied to social networks?

The recent revelations involving Facebook and Cambridge Analytica demonstrate the value of personal data and the responsibility we have as users over how our personal information is handled.

And while the paradigms of privacy change over time, we should not ignore the fact that this is a constant concern, especially in the digital age, where even new legislation seeks to grant more rights to users over their information.

Based on this notion, a good practice would be to only provide the basic information necessary to use social networks and not share sensitive or confidential information with any other users, especially if we do not know those people who may be hiding behind what may be fake profiles.

So, in addition to being careful about the information we post on different social platforms, it is also a good idea to configure the privacy and security options, as well as the restrictions applicable to other users concerning the posts or data on display. We should not become so paranoid that we feel the need to stop using these new forms of communicating and interacting, especially if we advocate their conscious, responsible, and safe use, and this is where we could also apply the principle of least privilege.

The principle of least privilege on mobile devices

The applications we install on our devices must also be limited by privileges on the device. An application may be considered intrusive (or even malicious) due to the permissions it requests when it is installed, and of course, due to the activities it then carries out on the device.

There are countless cases in which applications request permissions that are often not necessary for their intended function on a phone. A classic example of this is flashlight applications. These apps only turn the LED of the device on and off, so do not require access to phone information such as location, contacts, calls, or SMS messages. In this case, the principle of least privilege should also play a prominent role.

In a specific case related to this type of flashlight application, a banking Trojan was discovered that targeted Android users. Once it was installed and executed, the app requested device administrator permissions.

In addition to granting the promised flashlight function, this remotely controlled threat also sought to steal the banking credentials of its victims. No doubt, the principle of least privilege could also be applied to this scenario, by only providing the app with the minimum privileges necessary for its function.

The principle of least privilege: A security strategy applicable to different areas

Touching back on the story we initially discussed, we know that different criteria may be considered when hiring a person, but for reasons of security and also privacy, a recruiter probably should not know all of our information, especially if all that information is not handled securely.

And so, it is about providing only the minimum data, privileges, or resources necessary to perform an activity or fulfill a purpose, regardless of whether it involves an operating system, a social network, an application, or, even as we proposed at the start of this publication, when submitting a résumé.