From the course: Cisco Certified CyberOps Associate (200-201) Cert Prep: 1 Security Concepts
Using the principle of least privilege
- [Instructor] The principle of least privilege states: assign only the privileges needed to a program, process, or privileged user of a system, for the shortest time necessary and in as small a domain as possible, to complete a task without hindrance. Permissions are given in order to perform certain duties, complete operations, or access applications and files. This correlates to the military need-to-know rule.
Everyone plays a role in keeping an organization's information and systems safe and secure. However, the many different groups and individuals that exist within an organization make the job of managing permissions difficult. Even if permissions are carefully given, removing the privilege isn't always a trivial task. Over time, individuals in an organization are granted extra rights as their roles and responsibilities change. Permitting permissions beyond minimal rights increases the risk that privileges will be abused and can result in a condition known as permission creep.
One example of least privilege is properly using the administrator's role. In any organization, it's best practice to issue an administrator two accounts: one for regular work, and one administrator account for administrative work only. When not doing administrative tasks, he or she should be logged in as a regular user. An application should execute with the least privilege needed to complete a job. If administrative privileges are not necessary when running applications, log on as a general user instead of an administrator. This will reduce the risk of malware escalating privileges to the administrator level.
If you're confused, because sometimes you do get confused when working with a system, you can run the command whoami to see who you're logged in as. Let's take a look. I'm in the command line interface and all you need to type is whoami. And this will tell you how you're logged in.
Within a server operating system, in Active Directory, security groups can be used to assign role-based permissions to all members of the group according to what is needed to perform functions. This makes managing permissions easier, as you apply permissions only once for the entire group of users. If someone leaves the group, their permissions are no longer valid. Today's complex multi-user environments make it challenging to successfully implement the principle of least privilege. However, effort should be made to adhere to this rule.
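
The following is an added example, not part of the course transcript: a small audit that compares each account's group memberships with the groups its current role needs, and reports permission creep, expired temporary grants, and admin groups held by an everyday account. All group, role and account names and the data layout are constructed for illustration; a real audit would read memberships from the directory.

```python
from datetime import date

# Constructed sample data (hypothetical group, role and account names).
ROLE_GROUPS = {
    "helpdesk": {"GG-Helpdesk", "GG-Staff"},
    "finance": {"GG-Finance", "GG-Staff"},
    "sysadmin": {"GG-Staff"},             # administrator's account for regular work
    "sysadmin-adm": {"GG-ServerAdmins"},  # separate account for admin work only
}
ADMIN_GROUPS = {"GG-ServerAdmins"}

ACCOUNTS = [
    {"name": "alice", "role": "finance",
     "groups": {"GG-Finance", "GG-Staff", "GG-Helpdesk"},  # left over from an old role
     "temporary": {}},
    {"name": "bob", "role": "sysadmin",
     "groups": {"GG-Staff", "GG-ServerAdmins"},
     "temporary": {}},
    {"name": "bob-adm", "role": "sysadmin-adm",
     "groups": {"GG-ServerAdmins"}, "temporary": {}},
    {"name": "carol", "role": "helpdesk",
     "groups": {"GG-Helpdesk", "GG-Staff", "GG-Finance"},
     "temporary": {"GG-Finance": date(2024, 3, 1)}},  # time-boxed grant and its expiry
]

def audit(accounts, role_groups, admin_groups, today):
    """Return (account, group, reason) for each membership beyond the role baseline."""
    findings = []
    for acct in accounts:
        baseline = role_groups.get(acct["role"], set())
        for group in sorted(acct["groups"] - baseline):
            expiry = acct["temporary"].get(group)
            if expiry is not None and expiry >= today:
                continue  # approved temporary grant still inside its window
            if expiry is not None:
                reason = "temporary grant expired"
            elif group in admin_groups:
                reason = "admin group on non-admin account"
            else:
                reason = "not required by current role"
            findings.append((acct["name"], group, reason))
    return findings

if __name__ == "__main__":
    for name, group, reason in audit(ACCOUNTS, ROLE_GROUPS, ADMIN_GROUPS, date(2024, 6, 1)):
        print(f"{name}: review {group} ({reason})")
```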