The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern was especially prevalent: attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization's internal network, then furthered their access by taking advantage of privileged accounts and passwords.
Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, since it flattens any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments, where each employee's Active Directory account is added to the local computer's Administrators group. Even though this is understood to be an unhealthy security practice, it persists -- not only in small, underfunded companies, but also in large, established enterprises.
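The practice described above is easy to audit. The following PowerShell is an added example, not code from the original article: it lists members of the local Administrators group that come from Active Directory and are not on an allow list, and offers a dry-run-capable removal. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), local admin rights on the machine being audited, and an allow list that you adjust; the "Domain Admins" default is a placeholder.

```powershell
# Added example (not from the original article): find employee AD accounts
# sitting in the local Administrators group, the pattern the article calls out.
# Assumes PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module) and that
# it runs with local admin rights. The allow-list default is a placeholder.

function Get-ExcessLocalAdmin {
    [CmdletBinding()]
    param(
        # Members that legitimately belong in Administrators, as "DOMAIN\Name".
        # Constructed default; replace with your environment's sanctioned groups.
        [string[]]$AllowedMember = @("$env:USERDOMAIN\Domain Admins"),
        [string]$GroupName = 'Administrators'
    )

    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop

    foreach ($m in $members) {
        $isDomainPrincipal = $m.PrincipalSource -eq 'ActiveDirectory'
        $isAllowed         = $AllowedMember -contains $m.Name

        # Flag domain users (an employee's own AD account) and any domain group
        # not on the allow list. Local principals such as the built-in
        # Administrator account are left alone.
        if ($isDomainPrincipal -and -not $isAllowed -and ($m.ObjectClass -in 'User', 'Group')) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $m.Name
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
                SID         = $m.SID.Value
            }
        }
    }
}

function Remove-ExcessLocalAdmin {
    # Remediation step; supports -WhatIf / -Confirm so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)]
        $Finding,
        [string]$GroupName = 'Administrators'
    )
    process {
        if ($PSCmdlet.ShouldProcess($Finding.Member, "Remove from local $GroupName")) {
            Remove-LocalGroupMember -Group $GroupName -Member $Finding.Member
        }
    }
}

# Audit only:
Get-ExcessLocalAdmin | Format-Table -AutoSize

# Dry run of the clean-up (no changes made until -WhatIf is dropped):
Get-ExcessLocalAdmin | Remove-ExcessLocalAdmin -WhatIf
```

Run the audit across a fleet by invoking Get-ExcessLocalAdmin through your existing remote-management channel and collecting the objects centrally; the Computer and SID fields make the findings safe to aggregate. Keep the allow list short and reviewed, since every entry on it is an exception to least privilege.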
Part of the challenge is that IT security is a booming area of job growth, and some long-known best practices that seasoned security professionals now take for granted are simply new to those just entering the field. We see this all the time in the failure to implement "least privilege" environments. We all understand that innocent employees with increased privileges can make simple mistakes that waste the help desk staff's time. And, of course, malicious employees can try to abuse their rights for data theft or disruption. However, least privilege is also helpful in limiting the impacts of malware and raising the bar of difficulty an attacker will have to overcome to move laterally from an initially compromised workstation to a server housing sensitive data.
When attackers gain a foothold in an environment, the level of damage they are able to inflict is often dependent on the initial level of privilege they are able to obtain. Environments with employees running as local Administrator are simply not putting up any fight against attackers who can now more easily leverage secondary post-exploitation tools to further embed within an organization and make their way toward servers and data.
Least privilege environments create hurdles that attackers must clear before gaining Administrator-level access. This can both hinder attackers and act as an early warning system that organizational breaches are under way. There are many examples of why it's critical to honor and enable privilege separation via privilege management technologies. More importantly, we can measure to some degree the number and types of vulnerabilities that could have a decreased impact in environments that employ a proper privilege management strategy.
If we look back across all Microsoft Security Bulletins for 2014, we can see just how much privileges can play a role in lessening the impact that attackers and malware might have when capitalizing on known security vulnerabilities within an organization. Microsoft, for example, issued more than 85 unique security bulletins this year, covering a wide range of client and server applications.
- Of the 85 bulletins, more than half (45) could have played a role in mitigating the potential impact from malware leveraging these vulnerabilities in a least privilege computing environment.
- Of the 30 security bulletins that were given Microsoft's highest severity rating of critical, 80% (24) involved vulnerabilities where least privilege would have played a role in mitigating the potential impact against systems.
- Last but not least are the 39 weaknesses enabling remote code execution (RCE), considered to be Microsoft's most important classification. RCE bulletins typically cover vulnerabilities that provide an attacker an initial foothold in an organization. Of the 39 RCE vulnerabilities announced in 2014, 34 (87%) could be mitigated in a least privilege environment.
I've used Microsoft as an example, but Microsoft technologies are by no means the only problem area; least privilege helps wherever root privileges are handed out well beyond what is necessary or in any way secure. In analyzing Microsoft's security bulletins, however, we can derive measurable data to better understand how often vulnerabilities have a privilege aspect to them.
It is important to understand that, though attackers have a finite number of ways to break into systems, there are an infinite number of ways they can leverage a compromised machine, use secondary privilege escalation exploits, or craft smarter malware. This point is important to underscore because privilege management practices are a great part of any defense-in-depth strategy. But they are by no means a panacea for preventing attackers and malware outright. The only surefire way to mitigate the impact of a vulnerability is by following a rigorous vulnerability management process.
A security strategy that tackles the well-regarded best practices of vulnerability and privilege management will create a solid foundation to build on. You will greatly strengthen your environment in a way that will douse day-to-day security fires, allowing IT to concentrate on enabling your business and security to focus on tackling even more advanced threats.
In 2015, there will no doubt be organizations still seeking the next silver bullet while ignoring the basics. Will you be the type of organization that still has users running as local Administrator and passwords being managed in spreadsheets?