Question

Discuss the principle of least protection and the principle of least privilege. Then discuss how systems that implement the principle of least privilege can still have protection failures that lead to security violations.

Answer #1

The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights, while a programmer whose main function is updating lines of legacy code doesn’t need access to financial records.
The principle of least privilege works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing the POLP helps contain compromises to their area of origin, stopping them from spreading to the system at large.

BENEFITS OF THE PRINCIPLE OF LEAST PRIVILEGE:-
There are many benefits of implementing the principle of least privilege:

Better security: Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. Since the Snowden leaks, the NSA has employed the principle of least privilege to revoke higher-level powers from 90% of its employees.
Minimized attack surface: Hackers gained access to 70 million Target customer accounts through an HVAC contractor who had permission to upload executables. By failing to follow the principle of least privilege, Target had created a very broad attack surface.
Limited malware propagation: Malware that infects a system bolstered by the principle of least privilege is often contained to the small section where it entered first.
Better stability: Beyond security, the principle of least privilege also bolsters system stability by limiting the effects of changes to the zone in which they’re made.
Improved audit readiness: The scope of an audit can be reduced dramatically when the system being audited is built on the principle of least privilege. What’s more, many common regulations call for POLP implementation as a compliance requirement.


Systems that implement the principle of least privilege can still have protection failures that lead to security violations. These are:
>Numerous problems were found with both permissions and passwords. Issues with permissions include protected folders found in deeper levels of the file system, which "may contain users and permissions which are not visible at the higher levels, leading an administrator to mistakenly assume that permissions to a folder are configured correctly."
>Unresolved security identifiers are also a problem. These occur when a user on an ACL is deleted from Active Directory. "They can potentially give unauthorized users (like hackers) access to data."
>One of the problems with passwords is the tendency to allow non-expiring passwords, which, warns Varonis, "allow unlimited time to brute force crack them and indefinite access to data via the account."
>It found a total of 48 million folders, or an average of 20% of all folders, accessible to global groups. "Many data breaches are opportunistic or rudimentary in nature, and many originate from an insider, or an insider whose credentials or system has been hijacked."
>"Excessive user access through global groups is a key failure point for many security and compliance audits."
>It pointed to the Panama Papers as an illustration of the dangers. In April 2016, 11.5 million confidential files belonging to the Panama law firm Mossack Fonseca were leaked to a German newspaper, revealing how its clients hid billions of dollars in tax havens.
>Stale data is another risk highlighted in the report. Varonis defines stale data as any data that hasn't been touched in six months or more. "Stale data represents little value to the business while it's not being used, but still carries with it risk and potential financial liability if used inappropriately." It also adds a management and cost burden, especially if it is maintained on high-performance storage.
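
Added example, not part of the original answer or of the report it quotes: a small audit that flags the failure modes listed above (global-group access, unresolved SIDs, protected subfolders with trustees not visible at the parent, non-expiring passwords, stale data). The folder records, account names, field names and the 182-day reading of "six months" are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the report): a folder ACL export and directory accounts.
TODAY = date(2024, 7, 1)
ACCOUNTS = {
    "alice": {"password_never_expires": False},
    "svc_backup": {"password_never_expires": True},
}
GROUPS = {"Finance"}
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
FOLDERS = [
    {"path": "/share", "parent": None, "protected": False,
     "trustees": ["Finance"], "last_touched": date(2024, 6, 20)},
    {"path": "/share/payroll", "parent": "/share", "protected": True,
     "trustees": ["Finance", "svc_backup", "S-1-5-21-1111-2222-3333-1105"],
     "last_touched": date(2023, 11, 2)},
    {"path": "/share/public", "parent": "/share", "protected": False,
     "trustees": ["Finance", "Everyone"], "last_touched": date(2024, 6, 28)},
]

def audit(folders, accounts, groups, today, stale_days=182):
    """Return sorted (issue, subject) findings for the failure modes in the answer."""
    by_path = {f["path"]: f for f in folders}
    findings = set()
    for f in folders:
        for t in f["trustees"]:
            if t in GLOBAL_GROUPS:
                findings.add(("global_group_access", f["path"]))
            elif t.startswith("S-1-") and t not in accounts and t not in groups:
                # ACL entry whose account was deleted: only the raw SID remains.
                findings.add(("unresolved_sid", f["path"]))
        parent = by_path.get(f["parent"])
        if f["protected"] and parent:
            # Protected (non-inheriting) subfolder: trustees not visible at the parent.
            if set(f["trustees"]) - set(parent["trustees"]):
                findings.add(("hidden_permissions", f["path"]))
        if (today - f["last_touched"]).days >= stale_days:
            findings.add(("stale_data", f["path"]))
    for name, attrs in accounts.items():
        if attrs["password_never_expires"]:
            findings.add(("non_expiring_password", name))
    return sorted(findings)

if __name__ == "__main__":
    for issue, subject in audit(FOLDERS, ACCOUNTS, GROUPS, TODAY):
        print(f"{issue:24} {subject}")
```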
