Malware Threats and Admin Rights: Friend or Foe


By: Jeremy Moskowitz


The global ransomware attack involving the WannaCry strain has literally become the shot heard around the world this month.  With ransomware having surpassed $1 billion in revenue in 2016, something big was bound to occur in 2017, and big it was.  The scope of the attack was unprecedented, as the self-driven worm propagated and crippled more than 300,000 computers at record speed.  Disruptions occurred within every type of organization, including hospitals, railways, telecommunications companies, international couriers and governments.  There are many technical reasons attributed to the ease with which the attack occurred, but whether it was due to the naïve act of clicking an embedded link, the failure to properly patch devices, or the failure to comply with the principle of least privilege, the underlying cause can be summed up in one word – apathy.

The WannaCry attack clearly showed just how prevalent apathy is within too many enterprises.  The time is now to get serious about ransomware and other malware-driven attacks!

Part of getting serious means dealing with the age-old dilemma of allotting admin rights to users.  Unfortunately, this practice persists today because, on one hand, it is easy and, on the other, users expect it.  In reality, admin rights are a two-edged sword.  What makes things easy for the user also simplifies the nefarious operations of malware.  It is the quest of IT today to find the middle ground between friend and foe.

Many users expect admin rights, as they claim to be authorities on their own devices and are used to working uninhibited.  Unfortunately, users do not always make good decisions when it comes to cyber activities.

  • According to Verizon’s 2017 Data Breach Investigations Report, 1 in 14 users were tricked into clicking a link or opening an attachment.  Of those, 25% were duped more than once.
  • A study conducted at a university in Erlangen-Nuremberg, Germany analyzed the behavior of 1,700 users when exposed to obvious phishing attacks via email and social media.  The click-through rate for email was as high as 56%, despite the fact that 78% of the participants stated in the questionnaire that they were aware of the risks of unknown links.

Obviously, education, though an important part of an organization’s security plan, is not enough.  Limiting the exposure to poor decisions is essential.  Dimensional Research confirmed this in a study last year that showed that the top concern of 73% of the IT professionals involved in the study was the installation of malware by careless employees.  This is even more of a concern after the realization that the spread of WannaCry was not dependent on email phishing but on the automated behavior of its replicating worm.

The issue of allotting admin rights to users is a duality of simplicity versus security.  It is time for security to trump ease of use, a practice endorsed by Gartner as one of the single most effective ways to improve your security.  Local admins and other privileged accounts are what the SANS Institute refers to as the keys to the kingdom.  They are the top target of hackers, malware creators and other nefarious outsiders who want to install ransomware, keystroke loggers, sniffers, and remote control software within your network.  The Center for Internet Security in fact cites that, because privileged accounts are a primary method for attackers to spread inside a target enterprise, eliminating the misuse of administrative rights is a critical security control.  The concept is simple.  When operating under the identity of an admin or privileged account, applications installed with that account take on those privileges.  These threats make identity the new security perimeter.  Stripping users of privileged access to their devices hinders their ability to download and install unauthorized software.  It also prevents them from writing files to places that only administrators can.

However, simply denying admin rights to users is not the be-all, end-all solution.  Just as applications such as Google Chrome will install without admin rights, many malware variants do not require admin rights either.  In addition, the elimination of admin rights for standard users requires a great deal of planning and testing.  Some organizations supplement their security efforts with the practice of application whitelisting.  This can prove a burdensome process, as productivity is impacted while users wait for IT to approve needed applications.  While blacklisting may not obstruct user productivity, it does relegate IT to the monotonous, repetitive task of updating the list, distracting them from value-driven projects that add to the bottom line of your enterprise.  Now factor in applications that do require admin rights elevation or UAC bypass, and the need for some type of third-party least privilege manager becomes apparent.
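The two preceding paragraphs describe what least privilege looks like on an endpoint: a standard user's token does not carry the Administrators role, the user cannot write where only administrators can, and the local Administrators group should contain only the accounts the organization has approved. The following PowerShell audit script is an added example, not code from the original article or from PolicyPak; it assumes Windows 10 / Server 2016 or later (where the Microsoft.PowerShell.LocalAccounts module and `Get-LocalGroupMember` are available), and the approved-member list is a constructed placeholder to be replaced with your own.

```powershell
# Added example (not from the original article): least-privilege audit for one Windows endpoint.
# Assumptions: Windows 10 / Server 2016+ with the LocalAccounts module available.
# $approvedAdmins is a constructed placeholder list; replace with your organization's entries.

$approvedAdmins = @(
    'Administrator',            # built-in local admin (placeholder)
    'CORP\Workstation Admins'   # hypothetical domain group (placeholder)
)

function Test-IsElevated {
    # True when the current token holds the Administrators role. A member of
    # Administrators running under UAC gets a filtered token, so this is $false
    # until the session is elevated, which is exactly the protection UAC provides.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    # Emits each member of the local Administrators group that is not on the approved list.
    # Member names come back as 'MACHINE\user' or 'DOMAIN\group'; the local machine
    # prefix is stripped so built-in local accounts compare cleanly.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $name = $_.Name -replace "^$env:COMPUTERNAME\\", ''
        if ($Approved -notcontains $name) {
            [pscustomobject]@{
                Name        = $_.Name
                ObjectClass = $_.ObjectClass      # User or Group
                Source      = $_.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Test-ProtectedWrite {
    param([string]$Path = $env:ProgramFiles)
    # Non-destructive probe: can this session create a file in a location that only
    # administrators should be able to write to? The probe file is removed immediately.
    $probe = Join-Path $Path ("lp-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        # Access denied (or any other failure) means the write was blocked.
        return $false
    }
}

"Current session elevated      : $(Test-IsElevated)"
"Can write to Program Files    : $(Test-ProtectedWrite)"

$unapproved = @(Get-UnapprovedLocalAdmins -Approved $approvedAdmins)
if ($unapproved.Count -gt 0) {
    "Local Administrators members NOT on the approved list:"
    $unapproved | Format-Table -AutoSize
} else {
    "Local Administrators group contains only approved members."
}
```

On a correctly configured standard-user workstation the expected result is `False` for both probes and an empty unapproved list; a `True` on the write probe, or a personal user account appearing in the unapproved list, is the condition the article warns about, since any malware that user launches inherits the same rights. Reading group membership does not itself require elevation, so the script can be run as the user being audited.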

Those organizations victimized by WannaCry were at least fortunate enough to identify the breach internally.  Unfortunately, today 70% of security breaches are discovered by outside sources rather than internally.  This makes the compromise of an admin identity even more toxic, as it proves extremely difficult to uncover an infringement once it has been achieved.  When we analyze the case at hand, the verdict is clear.  Admin rights in the hands of but a few are less friend than foe.

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem: they couldn’t manage their applications using the technology they already had. His solution: PolicyPak Application Manager, the flagship product of PolicyPak Software. He’s still busy providing ever-better and more tailored solutions to that basic problem through PolicyPak Software.

He also founded GPanswers.com, a community portal for all things Group Policy. Jeremy’s best-selling Group Policy books are on the desks of happy administrators everywhere. Learn more at www.GPanswers.com/books.

Jeremy holds a Computer Science degree from the University of Delaware, was one of the first MCSEs in the world, and has been designated an MVP in Group Policy by Microsoft for the last several years running.