Vulnerabilities / Threats

12/16/2014
12:40 PM
Marc Maiffret
Marc Maiffret
Commentary
50%
50%

2014: The Year of Privilege Vulnerabilities

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.

The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern in particular seemed particularly prevalent: Attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization's internal network and furthered their access by taking advantage of privileged accounts and passwords.

Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, especially as you flatten any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee's Active Directory accounts are added to the local computer's Administrators group. Even though this is understood to be an unhealthy security practice, it continues to persist -- not only in small, underfunded companies, but also in large, established enterprises.

Part of the challenge is that IT security is a booming area of job growth, and some long-known best practices that seasoned security professionals now take for granted are simply new to those just entering the field. We see this all the time in the failure to implement "least privilege" environments. We all understand that innocent employees with increased privileges can make simple mistakes that waste the help desk staff's time. And, of course, malicious employees can try to abuse their rights for data theft or disruption. However, least privilege is also helpful in limiting the impacts of malware and raising the bar of difficulty an attacker will have to overcome to move laterally from an initially compromised workstation to a server housing sensitive data.

When attackers gain a foothold in an environment, the level of damage they are able to inflict is often dependent on the initial level of privilege they are able to obtain. Environments with employees running as local Administrator are simply not putting up any fight against attackers who can now more easily leverage secondary post-exploitation tools to further embed within an organization and make their way toward servers and data.

Least privilege environments create hurdles that attackers must clear before gaining Administrator-level access. This can both hinder attackers and act as an early warning system that organizational breaches are under way. There are many examples of why it's critical to honor and enable privilege separation via privilege management technologies. More importantly, we can measure to some degree the number and types of vulnerabilities that could have a decreased impact in environments that employ a proper privilege management strategy.

If we look back across all Microsoft Security Bulletins for 2014, we can see just how much privileges can play a role in lessening the impact that attackers and malware might have when capitalizing on known security vulnerabilities within an organization. Microsoft, for example, issued more than 85 unique security bulletins this year, covering a wide range of client and server applications.

  • Of the 85 bulletins, more than half (45) could have played a role in mitigating the potential impact from malware leveraging these vulnerabilities in a least privilege computing environment.
  • Of the 30 security bulletins that were given Microsoft's highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
  • Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft's most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.

I've used Microsoft as an example, but Microsoft technologies are by no means the only problem areas where least privilege can help mitigate the practice of handing out root privileges well beyond what is necessary or in any way secure. In analyzing Microsoft's security bulletins, however, we can derive measureable data to better understand how often vulnerabilities have a privilege aspect to them.

It is important to understand that, though attackers have a finite number of ways to break into systems, there are an infinite number of ways they can leverage a compromised machine, use secondary privilege escalation exploits, or craft smarter malware. This point is important to underscore because privilege management practices are a great part of any defense-in-depth strategy. But they are by no means a panacea for preventing attackers and malware outright. The only surefire way to mitigate the impact of a vulnerability is by following a rigorous vulnerability management process.

A security strategy that tackles the well-regarded best practices of vulnerability and privilege management will create a solid foundation to build on. You will greatly strengthen your environment in a way that will douse day-to-day security fires, allowing IT to concentrate on enabling your business and security to focus on tackling even more advanced threats.

In 2015, there will no doubt be organizations still seeking the next silver bullet while ignoring the basics. Will you be the type of organization that still has users running as local Administrator and passwords being managed in spreadsheets?

Marc leads BeyondTrust's Advanced Research labs, responsible for identifying new trends in enterprise security for the benefit of the BeyondTrust product roadmap. He joined BeyondTrust via the acquisition of eEye Digital Security, which he co-founded in 1998 and served as ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.