Election Security Spotlight – Principle of Least Privilege

What it is

The principle of least privilege recommends that users, systems, and processes only have access to resources (networks, systems, and files) that are absolutely necessary to perform their assigned function. By governing the level of access for each user, system, and process, the principle of least privilege limits the potential damage posed via unsanctioned activities, whether intentional or unintentional. The most common application of this principle involves assigning users restricted accounts in lieu of full administrator accounts intended for IT staff.

Many of the approaches we take in information technology mirror those in the physical world. The principle of least privilege is no different. When you hire a new, junior-level employee, they likely get immediate access to their workspace, a conference room, and the cafeteria, but you do not let them waltz into the vault with the secret recipes. The same is true for IT resources. For example, only users that do accounting should have access to the accounting applications, and only HR staff should have access to personnel files.

Why does it matter

One of the most common ways malicious actors get access to systems is by compromising a single user account or system and methodically working their way through a network until they reach—and compromise—their target. The principle of least privilege increases the difficulty of doing this by minimizing the connections between users, systems, and processes to only those needed to perform their job. This prevents the leap-frogging approach that could allow for the theft, modification, deletion, or exposure of sensitive elections infrastructure information without restriction. Implementation of least privilege can also help prevent malware infection as administrative privileges are often required for malware to execute.

What you can do

Form and implement a least privilege policy. Identify what users, systems, and processes are on the network and determine the minimum access level that each requires for their assigned job function. This includes limiting the system privileges of senior officials and administrative assistants as they are frequently targeted by malicious actors because of their high access levels. Election offices should include all stakeholders in the policy process to ensure every user’s needs are addressed when establishing access levels. At minimum, the policy should include best practices 26, 48, and 66 of the CIS’ (Center for Internet Security) A Handbook for Elections Infrastructure Security.

Once the policy is implemented, make sure there are at least annual checks on who has what privileges to prevent “privilege creep.” Privilege creep is when an employee changes roles and keeps their previously assigned privileges, while also gaining new privileges. These checks should also occur after an incident, as part of the remediation process, to ensure that user, system, and process privileges were not modified.

For additional information on this principle, please see CIS Control 4 on the Controlled Use of Administrative Privileges.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact [email protected].