Page 52 - Cyber Warnings
One of the report’s key findings restates the point almost verbatim: “97% of Critical Remote Code
Execution vulnerabilities could be mitigated by removing admin rights.”
The report explains what it means by “mitigation”: “a standard user account either nullifies the
vulnerability itself or nullifies the impact of the vulnerability by preventing the exploit from gaining
elevated privilege through the user.”
The Avecto report dealt with Microsoft vulnerabilities. But applications like Flash and Java can
be exploited as well. Granting admin rights to them, or to any other application with known
vulnerabilities, is courting disaster.
Privilege management is not a panacea. If you’ve got sturdy castle walls but the drawbridge is
open, the barbarians will storm through the gate. At that point you’re relying on your guards.
But who is verifying the guards’ activities? It is the familiar question: “Who’s guarding the guards?”
Some guards need access to sensitive areas of the castle. Who is verifying that they are doing
everything they must be doing, but only what they must be doing? This is where auditing comes
in. Remember the percentage of attacks that stem from human error. Some errors are
inadvertent; others are deliberate. Does an independent party review your logs, daily, of who
accesses production servers? Do you have somebody who is independent of the guards’
function reviewing these accesses? It is similar to the “dual control” of cash practiced by banks,
or the “four eyes” requirement for completing an action.
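A minimal version of the daily access review described above, as an added example that is not part of the article or of the Avecto report: it parses constructed sshd log lines from a hypothetical production host and flags logins by accounts that are not on a hypothetical approved list, that fall outside the account’s expected hours, or that used a password instead of a key, so that an independent reviewer has a short list to check rather than a raw log.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for a hypothetical production host.
SAMPLE_LOG = """\
Mar 14 08:02:11 prod-db-01 sshd[4120]: Accepted publickey for alice from 10.0.5.21 port 51234 ssh2
Mar 14 09:15:40 prod-db-01 sshd[4301]: Accepted password for root from 10.0.9.77 port 40022 ssh2
Mar 14 12:47:03 prod-db-01 sshd[4410]: Accepted publickey for bob from 10.0.5.22 port 51300 ssh2
Mar 14 23:58:19 prod-db-01 sshd[4522]: Accepted publickey for carol from 10.0.5.30 port 51412 ssh2
Mar 14 23:59:50 prod-db-01 sshd[4530]: Failed password for admin from 203.0.113.9 port 3322 ssh2
"""

# Hypothetical approved accounts with the hours (24h, start inclusive, end
# exclusive) in which their production access is expected.
APPROVED = {"alice": (7, 19), "bob": (7, 19), "carol": (7, 19)}

# syslog-style sshd line; the day field may be space-padded ("Mar  4").
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<hh>\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

def review_access_log(log_text):
    """Return (summary, findings) for an independent daily review.

    summary:  {user: number of successful logins}
    findings: human-readable items that need a second pair of eyes
    """
    summary = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line, or a format this parser does not know
        user, hour, src = m["user"], int(m["hh"]), m["src"]
        if m["result"] != "Accepted":
            findings.append(f"failed login for '{user}' from {src}")
            continue
        summary[user] += 1
        if user not in APPROVED:
            findings.append(f"'{user}' logged in from {src} but is not on the approved list")
        else:
            start, end = APPROVED[user]
            if not (start <= hour < end):
                findings.append(f"'{user}' logged in at {hour:02d}:xx, outside approved hours")
        if m["method"] == "password":
            findings.append(f"'{user}' used password auth from {src}; keys are expected")
    return dict(summary), findings

if __name__ == "__main__":
    counts, items = review_access_log(SAMPLE_LOG)
    print("logins per user:", counts)
    for item in items:
        print("REVIEW:", item)
```

In practice the approved list and hours would come from the access-control records the reviewer is independent of, and the findings would be signed off daily by someone outside the operations team.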
Limitations
Think about what kinds of applications your employees need in order to do their jobs. Do they
need Flash installed? Or Java? Perhaps you should consider an application whitelist, to
specify what can be installed on company machines, with everything else blocked by default.
Most applications installed by users have little to do with their jobs. They may go onto
Facebook. They may have a Google Dropbox. They will install things to do at lunchtime. If a
company does not know what applications its employees have installed, or how they are using
them, then the company will have no control over the information that is flowing through users’
machines on the network.
Policies And Passwords
In the case of the Philippine Bank breach mentioned above, the bank was using a $25, second-hand
router. It also had no firewalls and used default passwords. Human error, anyone?
By now, it should be obvious to any user of IT that their passwords should be in a format that is
hard to guess or to discover through algorithms. Passwords should also be changed frequently.
Company policies should mandate such approaches. It is a very easy thing to enforce password
complexity. Companies should also routinely test passwords to see if they can be broken easily.
The whole issue is so familiar that we needn’t go through it here. Still, there’s a distressing
proportion of computer users whose password is “password” or “123456.”
52 Cyber Warnings E-Magazine – March 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide