Youattest Logo

The JRTF #StopRansomware Guide and
The Principle of Least Privilege

Ransomware attacks have risen by 13% in the last five years, with an average cost of $1.85 million per incident. There are 1.7 million ransomware attacks every day which means every second 19 ransomware attacks. 

This was the basis for the creation of the U.S. based Joint Ransomware Task Force (JRTF).   The JRTF is co-chaired by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) with collaborating members also including the National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) .   The JRTF coordinates existing interagency ransomware efforts and identifies new initiatives to effectively leverage the unique authorities and capabilities across the U.S. Government and the private sector to address ransomware threats.

The JRTF coordinates, deconflicts, and synchronizes efforts across federal; state, local, tribal, territorial (SLTT); and private sector partners and, when applicable, with international partners. 

The JRTF #StopRansomware Guide

The JRTF created a one-stop resource, encapsulated in a document titled the #StopRansomware guide.  The publication is designed to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. 

Image #1: The JRTF (Join Ransomware Task Force) has created the #StopRansomware guide to help organizations execute on best practices to avoid being victimized.

The first part of the guide provides comprehensive, relevant, and proven best practices that organizations should continuously implement to help reduce their risk. This section is designed to guide organizations in identifying their critical data and enable forward-leaning actions to mitigate potential ransomware incidents. 

This is the proactive section of the document – the steps and processes that enterprises should implement to prevent a ransomware attack.

This is where the Principle of Least Privilege is introduced.

The Principle of Least Privilege and the #StopRansomware Guide

The principle of least privilege (PoLP) is an information security concept which maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task.   

It is quantified in NIST CyberSecurity Framework (AC-6), the principle of least privilege (PoLP) is a crucial identity practice and crucial to a secure enterprise.   It encompasses the practice of:

  • Eliminating Ghost and Orphan Accounts
  • Removing Excess Privileges
  • Regularly reviewing entitlements

And how are we doing on this practice?    Not so good.

According to Palo Alto 99% of cloud accounts are overprivileged.

Why Would the JRTF Emphasize the Principle of Least Privilege?

NIST and multiple regulatory guidances (HIPAA/HITRUST, PCI-DSS, SOX, SOC2, ISO 27001) all emphasize PoLP for security and governance reasons.   

Implementing PoLP ensures:

  • That the Attack Surface is Minimized:   This means reducing actor vectors by minimizing privileges and eliminating superfluous accounts that had entitlements that can result in cyber attacks.
  • Reduces malware propagation: by not allowing installation of unauthorized applications by user accounts. 
  • Stops Lateral Movement:  This means limited network and resource access to accounts by throttling network access to users – best aligned by role based access control (RBAC) enforced by identity groups.
  • Enforces Zero Trust:  By creating multiple enforcement mechanisms that determine privileges based on polices enforced by both static and dynamic entitlement information. 
  • Protects Against Human Error:  Eliminate accidental  exposures to PHI, PII and CUI by human error from over-entitlement of privileges.

User Access Reviews Enforce the Principle of Least Privilege

The industry has recognized the problem of over-privileged accounts – and has created a mechanism to enforce the Principle of Least Privilege (PoLP).   The practice is called a “user access reviews”.  

The goal of an user access review is to ensure that only authorized individuals have access to sensitive data.  The JRTF recognizes that this process identifies  over-privileged and ghost/orphan accounts that can lead to ransomware and other malicious hacker activities.     

The process includes:

  • Quantifying the key resources
  • Quantifying who has access to the resources
  • Quantifying the managers of the users

Messaging the managers of these resources and asking them to:

  • Certify the Privilege
  • Revoke the Privilege
  • Or Delegate the Review to a manager who can better address the recertification of this process. 

The problem of access reviews, though, is doing them.  The above steps all need to be executed to have the process have any value – and most enterprises conduct these processes manually. 

The manual process is painful, error-prone and includes a byzantine flurry of spreadsheets, service tickets and ignored emails.   The result of these “check-box” access reviews  is that that the value of the process, e.g. enforcing the principle of least privilege is missed.

YouAttest Automates the User Access Review Process

YouAttest is designed to help enterprises get a grasp on ALL of their entitlements – cloud, SaaS and on premise by automating the user access review process.

No more:

  • Manual emails
  • Spreadsheets
  • Wasted time collating reports

The entire process is automated for both:

  • Security/Risk Managers
  • And the Reviewers

YouAttest accomplishes this task by automating the user access review process.  Using the YouAttest console the auditor (internal or external), in a single console, automates the entire access reviews process for all resources – on-premise and cloud.   The benefit to the enterprise is more efficient and accurate audit of all entitlements – which leads to increased security and enables the enterprise to conduct the reviews monthly instead of yearly!

Image #2:  YouAttest automates the User Access Review process, thus enabling enterprises to enforce the “Principle of Least Privilege” on all resources..

The YouAttest risk manager creates and disseminates attestation campaigns for certifying, revoking, or delegating the review of the enterprise entitlements in minutes. Designed from scratch by interviewing both IT Security and external auditors – YouAttest has quantified the process and eliminates all of the painful assembling of resources, user, managers and the manual process of writing initial and the ever-dreaded, nag emails.

YouAttest uniquely connects directly to the enterprise IAM (Azure AD, Okta, JumpCloud, Ping) and uses the IAM SSO for reviewing entitlements to BOTH IAM resources and siloed (non-IAM connected) resources.

YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platforms.  Contact us for to learn how YouAttest can automate your access review process and help your enterprise enforce the Principle of Least Privilege.