Vulnerabilities / Threats

12/16/2014
12:40 PM
Marc Maiffret
Commentary

2014: The Year of Privilege Vulnerabilities

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.

The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern in particular seemed particularly prevalent: Attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization's internal network and furthered their access by taking advantage of privileged accounts and passwords.

Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, especially since it flattens any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee's Active Directory account is added to the local computer's Administrators group. Even though this is understood to be an unhealthy security practice, it continues to persist -- not only in small, underfunded companies, but also in large, established enterprises.
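The practice described above is easy to audit from the endpoint itself. The script below is an added example, not code from the article or from BeyondTrust: it lists the local Administrators group and flags any Active Directory user accounts in it, which is exactly the configuration the text calls out. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and enough rights to read local group membership; the allow-list of expected members is an assumption you should adjust for your own environment.

```powershell
# Added example (not from the article): audit the local Administrators group
# for domain user accounts, the anti-pattern the text warns about.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember from the
# Microsoft.PowerShell.LocalAccounts module).

# Relative IDs (the last SID component) of principals that are normally
# expected to hold local admin rights. Adjust for your environment.
$ExpectedRids = @(
    '500',   # built-in local Administrator account
    '512'    # Domain Admins group
)

function Get-LocalAdminFindings {
    # Returns one object per questionable member of the local Administrators group.
    # Orphaned SIDs (accounts deleted from the domain) are reported too, because
    # they are left-over privilege that no one is reviewing.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    foreach ($m in $members) {
        $rid = ($m.SID.Value -split '-')[-1]
        if ($ExpectedRids -contains $rid) { continue }

        $finding = $null
        if ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'User') {
            # An individual domain account running as local admin: the case from the text.
            $finding = 'Domain user account is a local Administrator'
        }
        elseif ($m.PrincipalSource -eq 'ActiveDirectory' -and $m.ObjectClass -eq 'Group') {
            # Domain groups other than Domain Admins: review who is in them.
            $finding = 'Non-default domain group grants local admin rights'
        }
        elseif ($m.ObjectClass -eq 'Unknown' -or $m.Name -match '^S-1-5-') {
            $finding = 'Unresolvable (orphaned) SID holds local admin rights'
        }

        if ($finding) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass
                Source   = $m.PrincipalSource
                Finding  = $finding
            }
        }
    }
}

function Test-CurrentUserIsAdmin {
    # True when the interactive session already runs with an elevated admin token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage: run on a workstation, or wrap in Invoke-Command for a fleet.
$findings = @(Get-LocalAdminFindings)
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no unexpected members in local Administrators"
} else {
    $findings | Format-Table -AutoSize
}
Write-Output ("Current user elevated: {0}" -f (Test-CurrentUserIsAdmin))
```

Run it in a non-elevated session first: reading group membership does not require elevation, and if the last line reports the current user as already elevated, that user is itself an example of the finding. On some older builds, Get-LocalGroupMember throws on an orphaned SID rather than returning it; if that happens, the `-ErrorAction Stop` surfaces the failure instead of silently truncating the list, which is the behavior you want in an audit.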

Part of the challenge is that IT security is a booming area of job growth, and some long-known best practices that seasoned security professionals now take for granted are simply new to those just entering the field. We see this all the time in the failure to implement "least privilege" environments. We all understand that innocent employees with increased privileges can make simple mistakes that waste the help desk staff's time. And, of course, malicious employees can try to abuse their rights for data theft or disruption. However, least privilege is also helpful in limiting the impacts of malware and raising the bar of difficulty an attacker will have to overcome to move laterally from an initially compromised workstation to a server housing sensitive data.

When attackers gain a foothold in an environment, the level of damage they are able to inflict is often dependent on the initial level of privilege they are able to obtain. Environments with employees running as local Administrator are simply not putting up any fight against attackers who can now more easily leverage secondary post-exploitation tools to further embed within an organization and make their way toward servers and data.

Least privilege environments create hurdles that attackers must clear before gaining Administrator-level access. This can both hinder attackers and act as an early warning system that organizational breaches are under way. There are many examples of why it's critical to honor and enable privilege separation via privilege management technologies. More importantly, we can measure to some degree the number and types of vulnerabilities that could have a decreased impact in environments that employ a proper privilege management strategy.

If we look back across all Microsoft Security Bulletins for 2014, we can see just how much privileges can play a role in lessening the impact that attackers and malware might have when capitalizing on known security vulnerabilities within an organization. Microsoft, for example, issued more than 85 unique security bulletins this year, covering a wide range of client and server applications.

  • Of the 85 bulletins, more than half (45) could have played a role in mitigating the potential impact from malware leveraging these vulnerabilities in a least privilege computing environment.
  • Of the 30 security bulletins that were given Microsoft's highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
  • Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft's most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.

I've used Microsoft as an example, but Microsoft technologies are by no means the only area where least privilege can help mitigate the practice of handing out root privileges well beyond what is necessary or in any way secure. In analyzing Microsoft's security bulletins, however, we can derive measurable data to better understand how often vulnerabilities have a privilege aspect to them.

It is important to understand that, though attackers have a finite number of ways to break into systems, there are an infinite number of ways they can leverage a compromised machine, use secondary privilege escalation exploits, or craft smarter malware. This point is important to underscore because privilege management practices are a great part of any defense-in-depth strategy. But they are by no means a panacea for preventing attackers and malware outright. The only surefire way to mitigate the impact of a vulnerability is by following a rigorous vulnerability management process.

A security strategy that tackles the well-regarded best practices of vulnerability and privilege management will create a solid foundation to build on. You will greatly strengthen your environment in a way that will douse day-to-day security fires, allowing IT to concentrate on enabling your business and security to focus on tackling even more advanced threats.

In 2015, there will no doubt be organizations still seeking the next silver bullet while ignoring the basics. Will you be the type of organization that still has users running as local Administrator and passwords being managed in spreadsheets?

Marc leads BeyondTrust's Advanced Research labs, responsible for identifying new trends in enterprise security for the benefit of the BeyondTrust product roadmap. He joined BeyondTrust via the acquisition of eEye Digital Security, which he co-founded in 1998 and served as ...