Sure, Sex is Great But Have You Heard About the Principle of Least Functionality?
*Note: This article was originally published by the author on December 11, 2019.*
You’ve undoubtedly heard of the pillars of cybersecurity consisting of Confidentiality, Integrity, and Availability, or the CIA triad, as it is otherwise known. Perhaps you’ve also heard of the Principle of Least Privilege, whereby a computer system user is given only the bare minimum permissions and access they need in order to perform their job. There are several other principles as well, but I’d like to focus on one of the lesser-known and less talked-about principles. The principle of least functionality, simply put, is exactly what it sounds like. Think of least functionality as a configuration management strategy whereby Information Technology (IT) devices, software, and networks are configured to operate with only the essential services needed to perform the mission and nothing more.
“The principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system” ~Georgetown University
Manufacturers prefer to ship their software and hardware devices in a user-friendly mode: everything is typically wide open, and it is up to the user to configure the settings for privacy and security. It is similar to creating a social media account on Facebook or Twitter: if the user doesn’t take action to enable specific privacy and security settings, then their account is basically wide open.
Got a new Wi-Fi router for Christmas? Sweet, what were the default login credentials? Was it the good, old “Admin/Admin” or “Admin/no password” default login credentials? By the way, it is trivially simple to find default passwords online (See sample list below).
Or perhaps you got a fancy new Internet-of-Things (IoT) device like a home assistant or smart thermostat? Did you bother to look at the security features the product comes with, if there are any, or did you gloss over that part and skip it? Most people tend to skip the security and privacy aspects of setting up new Internet-connected devices. Don’t be like most people! Maybe this Christmas, or Hanukkah, take a few minutes to configure the security and privacy settings of your new devices. Take a few minutes to really explore your device.
Peeling Back the Layers of Least Functionality
Least functionality can be taken to the extent that you need or want to take it, which is to say that you can get very granular with these controls or keep them less rigid. It really depends on your threat model, or in an organization, it might depend more on the mission and information security posture that is predicated on a threat model.
Disabling unnecessary ports, protocols, and services (PPS) is very important in computer systems, and this is often done through the use of a firewall. Are you the type to inspect your firewall settings, or do you just accept the default settings it comes with? Windows Defender is actually a very capable ally for Windows users. Most third-party anti-virus software disables Windows Defender by default, but you can re-enable it. But wait! There’s more.
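A least-functionality review of PPS starts with knowing what is actually listening and comparing it against the short list of services the host genuinely needs. The script below is an added example, not code from the original article: it parses constructed `ss -tulpn`-style output (sample data, not a real host) against a hypothetical allowlist and reports every socket that should be disabled or removed.

```python
"""Audit listening sockets against a least-functionality allowlist.

SAMPLE_SS_OUTPUT is constructed sample data in the format of `ss -tulpn`;
ALLOWLIST is a hypothetical set of essential services for one host.
Both are assumptions for this example, not part of the original article.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=944,fd=7))
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=1201,fd=4))
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=700,fd=12))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1500,fd=6))
"""

# Essential services for this hypothetical host: (protocol, port) -> expected process.
ALLOWLIST = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

# Matches "proto state recv-q send-q addr:port peer users:((\"name\",..."
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_ss(output: str) -> list[Listener]:
    """Parse listening sockets; the header and any malformed lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return listeners

def audit(listeners: list[Listener]) -> list[str]:
    """Return one finding per socket that is not an allowlisted essential service."""
    findings = []
    for l in listeners:
        expected = ALLOWLIST.get((l.proto, l.port))
        if expected is None:
            scope = "loopback only" if l.addr.startswith("127.") else "all interfaces"
            findings.append(f"{l.proto}/{l.port} ({l.process}) on {scope}: not in allowlist, disable or remove")
        elif expected != l.process:
            findings.append(f"{l.proto}/{l.port} served by {l.process}, expected {expected}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(finding)
```

Run it against real `ss -tulpn` output by feeding that text to `parse_ss`; the loopback-versus-all-interfaces note helps prioritise which unneeded services to turn off first.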
You can become a master of least functionality yourself just by uninstalling all the unnecessary programs and apps from your home computer and smartphone. The sooner you do so, the better, because you’re giving attackers fewer vectors to attack from. User permissions, security groups, and features like User Account Control (UAC) in a Windows operating environment are also useful for maintaining least functionality. The goal, much like least privilege, is to prevent an unauthorized user from launching program executables.
Out-of-the-Box Factory Default Security Settings
Even if baking security and privacy features into Internet-connected devices were an international legal requirement, do not make the mistake of thinking that the Internet would suddenly be a much safer place. It would likely still be a hot mess when it comes to security, because the very fabric of the Internet was not built with security in mind. It was built for maximum functionality, kind of like the Windows operating system.
We need more developers and engineers to think in a secure-design mindset, but we also need lawmakers to pass meaningful technology legislation that helps to make technology more secure. We’re not going to get there as an industry by pissing and moaning about how much change is needed. We need to vote the right people into political office and pass technology reform that forces manufacturers to design new tech products that come somewhat more secure out of the box.
Whether it’s software or devices like computers, routers, smartphones, smartwatches, smart thermostats, or even smart cars, the principle of least functionality can go a long way toward creating safer Internet-connected technologies for a small amount of money and effort. You would do well to consider least functionality in your cybersecurity strategy if you haven’t incorporated it already.