The document discusses implementing a "least privilege" approach to network security. It recommends 10 steps organizations can take, including regularly evaluating security risks, minimizing devices on the network, moving to a managed environment, improving the user experience, and maximizing the use of Active Directory to reduce complexity and support costs while improving productivity and security. The overall goal is to balance allowing users to perform their jobs with protecting the network from insider threats.

1. Compiled by Paresh Thakkar CISM, MBA
Based on an original article in CSO FORUM by Paul Kenyon

2. Background
• Computer networks are complicated and keeping them
secure depends on a multitude of factors. However at
the core of these activities are administrative rights
that make it possible to fundamentally alter the
configuration of the desktop PC, its applications and
network linkages
• A slight error by an admin can result in malicious code
getting installed and running on the company server,
potentially compromising the company network.
• Once a problem occurs, it often unravels into a
downward spiral taking your business and reputation –
down with it.
2© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

3. Why this presentation?
• These 10 steps would help mitigate your
organisation’s risk that mostly revolve around
taking “Least Privilege” approach, meaning
end-users can perform their jobs with ease,
but without threatening organisation’s
security.
• Here are 10 steps that you can take towards
making “Least Privilege” a reality
3© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

4. • Operating systems work based on certain files
and folders that are within the Windows folder,
and registry…If these are modified without IT
department knowledge, the system can become
unstable, and the chances of Data Leakage
increase. IT should be made accountable and
responsible to control what applications a user
can install, or change.
• Regular evaluation of security risks, combined
with application whitelisting is essential in
providing an extra layer of defence.
4© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

5. • The proliferation of personal devices into the
workplace has increased complexity and cost of
defence for an organisation. Create a balance of
personal and corporate devices, and even have
role based eligibility model.
• If an employee justifies the use of a device, the
onus is on the organisation to establish its
compliance with company policy, with clear
matrix of support responsibility, and business
continuity in event of loss of device
5© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

6. • Lock down machines so users can only change
their desktop config. NOT THE CORE system –
this also reduces support calls and costs.
• Move to managed services, eg. use Microsoft
Group Policy, and Microsoft System Centre.
• These enable effective deployment of services
such as automated patch management and
software distribution/updates
6© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

7. • Security is often seen as too limiting for users
if not well-planned and implemented.
• You can actually improve the user experience
and give privilige back to users who were
previously excessively limited.
• Give users feedback on activities, rather than
completely blocking them from resources. This
would lower calls to the helpdesk, thereby
lowering support costs.
7© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

8. • Ask yourself – have I maximised the use of Active
directory in my organisation? It can be used very
effectively to derive higher efficiencies and productivity
of employee time.
• More Granular control of user activities is possible,
without adversely impacting them, thereby boosting
productivity.
• Mobile device Management solutions help comply
with company policies even with personal devices. Use
them to ensure personal devices do not leak corporate
data. Have a standard minimum configuration of
devices published.
8© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

9. • Excess admin privilege == Lost Productivity
• User who does not understand how much
power his comp+admin rights have, can be a
severe threat to your network…think Denial of
service, flood of traffic, spambot and what
not…
• Least privilege environment increases stability
of the network as well as quality of traffic on
the network
9© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

10. • Research about all compliances that your
organisation need to comply with. This will
reduce regulatory penalties. All compliance
directly or indirectly impose the minimum
privilige to complete everyday tasks.
• Eg. PCI DSS [Payment card Industry Data security
standard] states that the organisation must
ensure that privileged user IDs are restricted to
the least amount of privilege needed to perform
their jobs.
10© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

11. • Help educate the employee about safe
computing and acceptable use policy.
• Make public posters about possible threats
around them, make them visible in public
areas such as the utilities, pantry, canteen etc.
• This also helps build customer confidence,
increase reputation of the organisation, and
goodwill.
11© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

12. • Simply put, secure and managed systems are
cheaper to support, thus making security a
business enabler, rather than a cost/expense
• Publish knowledge base, Process, Work-Flows on
need to know basis, so panic calls to help desk
are avoided. Self Help systems definitely reduce
support costs.
• Continuous incremental approach to security
would see continuous reduction in support costs.
12© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

13. • As discussed in Step 1, unauthorised and uncatalogued
config changes can be disastrous. As it is, systems are
complex. Simplify by removing any local administrative
rights, intregate systems in a central active directory,
enforce group policy centrally, without which network
access is disallowed.
• Give flexibility to line of business applications, NOT the
core Operating system.
• Build a centrally available store of approved
applications that can be installed. These can be for all
the types of devices in your organisation: Blackberry,
Android, Iphone, Windows, Java etc.
13© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

14. SO, WE REDUCE INSIDER THREAT BY:
1 • REGULARLY EVALUATE RISKS
2 • MINIMISE DEVICES
3 • MOVE TO MANAGED ENVIRONMENT
4 • IMPROVE END-USER EXPERIENCE
5 • MAXIMISE THE ACTIVE DIRECTORY
6 • IMPROVE NETWORK UPTIME
7 • REGULATORY COMPLIANCE
8 • DEMONSTRATE DUE DELIGENCE
9 • ANALYSE SUPPORT COST
10 • REDUCE COMPLEXITY
14© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

15. ENDNOTE
Organisations need to leverage least privilege management to
achieve a smart balance for an IT environment where
everyone can be productive while remaining secure.
It all boils down to a logical decision:
Do you want the best of both the worlds, productivity and
security?
15
PRODUCTIVITY SECURITY
© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com

16. I AM REACHABLE ON
PCTHAKKAR @ GMAIL . COM
16
@pcthakkar/pcthakkar
© Paresh Thakkar CISM, CEH, ECSA, MBA email: pcthakkar@gmail.com