12/16/2014 12:40 PM
Marc Maiffret
Commentary

2014: The Year of Privilege Vulnerabilities

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.

The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern in particular was prevalent: Attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization's internal network and then extended their access by taking advantage of privileged accounts and passwords.

Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, since it flattens any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee's Active Directory account is added to the local computer's Administrators group. Even though this is understood to be an unhealthy security practice, it persists -- not only in small, underfunded companies, but also in large, established enterprises.
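One way to find the practice described above, as an added example that is not from the article or from BeyondTrust: a PowerShell audit that lists domain user accounts placed directly in a workstation's local Administrators group. It assumes PowerShell remoting is enabled, the caller may read local group membership, and the allowed-group name and host names are placeholders.

```powershell
# Added example: report per-employee domain accounts sitting in the local
# Administrators group. Requires Get-LocalGroupMember (Windows PowerShell 5.1+).
function Get-DirectDomainLocalAdmins {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Domain groups that legitimately belong in Administrators (assumed name)
        [string[]] $AllowedGroups = @('CORP\Workstation Admins')
    )

    $scriptBlock = {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }

    foreach ($computer in $ComputerName) {
        try {
            $members = Invoke-Command -ComputerName $computer `
                -ScriptBlock $scriptBlock -ErrorAction Stop
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            $isDomain = ($m.PrincipalSource -eq 'ActiveDirectory')
            $finding = $null
            # Individual domain user = the per-employee pattern the article names
            if ($isDomain -and $m.ObjectClass -eq 'User') {
                $finding = 'Domain user added directly to local Administrators'
            }
            # A domain group not on the allow list is also worth a look
            elseif ($isDomain -and $m.ObjectClass -eq 'Group' -and
                    $AllowedGroups -notcontains $m.Name) {
                $finding = 'Unexpected domain group in local Administrators'
            }
            if ($finding) {
                [pscustomobject]@{
                    ComputerName = $computer
                    Member       = $m.Name
                    ObjectClass  = $m.ObjectClass
                    Finding      = $finding
                }
            }
        }
    }
}

# Constructed sample invocation; host names are placeholders.
Get-DirectDomainLocalAdmins -ComputerName 'WKS-001','WKS-002' | Format-Table -AutoSize
```

Hosts that return no rows have only the expected local accounts and allowed groups in Administrators; every row is a candidate for removal under a least privilege policy.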

Part of the challenge is that IT security is a booming area of job growth, and some long-known best practices that seasoned security professionals now take for granted are simply new to those just entering the field. We see this all the time in the failure to implement "least privilege" environments. We all understand that innocent employees with increased privileges can make simple mistakes that waste the help desk staff's time. And, of course, malicious employees can try to abuse their rights for data theft or disruption. However, least privilege is also helpful in limiting the impacts of malware and raising the bar of difficulty an attacker will have to overcome to move laterally from an initially compromised workstation to a server housing sensitive data.

When attackers gain a foothold in an environment, the level of damage they are able to inflict is often dependent on the initial level of privilege they are able to obtain. Environments with employees running as local Administrator are simply not putting up any fight against attackers who can now more easily leverage secondary post-exploitation tools to further embed within an organization and make their way toward servers and data.

Least privilege environments create hurdles that attackers must clear before gaining Administrator-level access. This can both hinder attackers and act as an early warning system that organizational breaches are under way. There are many examples of why it's critical to honor and enable privilege separation via privilege management technologies. More importantly, we can measure to some degree the number and types of vulnerabilities that could have a decreased impact in environments that employ a proper privilege management strategy.

If we look back across all Microsoft Security Bulletins for 2014, we can see just how much privileges can play a role in lessening the impact that attackers and malware might have when capitalizing on known security vulnerabilities within an organization. Microsoft, for example, issued more than 85 unique security bulletins this year, covering a wide range of client and server applications.

  • Of the 85 bulletins, more than half (45) covered vulnerabilities whose potential impact from malware could have been mitigated in a least privilege computing environment.
  • Of the 30 security bulletins that were given Microsoft's highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
  • Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft's most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.

I've used Microsoft as an example, but Microsoft technologies are by no means the only problem areas where least privilege can help mitigate the practice of handing out root privileges well beyond what is necessary or in any way secure. In analyzing Microsoft's security bulletins, however, we can derive measurable data to better understand how often vulnerabilities have a privilege aspect to them.

It is important to understand that, though attackers have a finite number of ways to break into systems, there are an infinite number of ways they can leverage a compromised machine, use secondary privilege escalation exploits, or craft smarter malware. This point is important to underscore because privilege management practices are a great part of any defense-in-depth strategy. But they are by no means a panacea for preventing attackers and malware outright. The only surefire way to mitigate the impact of a vulnerability is by following a rigorous vulnerability management process.

A security strategy that tackles the well-regarded best practices of vulnerability and privilege management will create a solid foundation to build on. You will greatly strengthen your environment in a way that will douse day-to-day security fires, allowing IT to concentrate on enabling your business and security to focus on tackling even more advanced threats.

In 2015, there will no doubt be organizations still seeking the next silver bullet while ignoring the basics. Will you be the type of organization that still has users running as local Administrator and passwords being managed in spreadsheets?

Marc leads BeyondTrust's Advanced Research labs, responsible for identifying new trends in enterprise security for the benefit of the BeyondTrust product roadmap. He joined BeyondTrust via the acquisition of eEye Digital Security, which he co-founded in 1998 and served as ...