5/01/2009

Hacking – and the Least Privileges Doctrine

Recently we had a forum moderator (which people we pay a nice monthly stipend) get into some issues with drug abuse problems. This individual had to be checked into a rehab clinic to get himself straightened out.  While I was aware of him having these issues in the past, I was not aware that this person was still having such problems. But the bigger problem is that the correct security policy was not 100% in place, and that is 100% my responsibility.

Long story short, due to a lack of security enforcement on our part, my site account and all my articles and such ended up getting deleted. I had to restore them from a most recent database backup. Not a very big deal, but certainly an annoyance.  Needless to say, we now have a new Forum Moderator.

The definition of Principle of Least Privilege is fairly simple and easy to comprehend. The idea is that users will be given only the privileges absolutely necessary to perform any given task. This might be configuring their computer, browsing the Internet, running a financial application, or sending e-mail. Or it could be the permission set you give a Forum Moderator on a web site you run.  You might have also heard the term Least Permission, which is very similar to the Principle of Least Privilege.

When you have employees or contractors who have been given the responsibility to do a certain job, it is extremely important to grant them ONLY the permssions to do that job, and nothing more. Studies show that the majority of hacking attacks are “inside jobs” – meaning that it is usually the work of a disgruntled employee, or even one who is mentally unstable.

Companies, organizations, and others who run websites, databases, or other information stores that could possibly be compromised would do well to examine this doctrine and ensure that they are following it.

Sadder, but a lot wiser…