Estimated Reading Time: 5 minutes
Consider for a moment the business lines that drive your company’s revenue. If the president of that business unit had an 85% assurance that a new business venture would be successful, would they pursue it? Likely they would.
Neil Armstrong, one of America’s greatest heroes, once commented that they had a 90% chance of returning safely to Earth but only a 50% chance of pulling off a successful Apollo-11 lunar landing – but yet we still went and achieved one of mankind’s greatest missions.
So, if the experts on the Apollo team felt there was only a 50% chance of a successful lunar landing, and yet, we still accomplished this amazing feat, why wouldn’t you leverage a security control that, by all accounts, has a 100% chance of an 85% reduction in attack surface?
Let’s face it – although many of us despise using F.U.D. to drive our programs, we do rely heavily on statistics and probability (and gut instinct) to drive our risk decisions. We evaluate the complexity of the attack, the susceptibility of our individual infrastructures to the threat, and finally, the level of effort and time required to mitigate the risk. And while we make these critical decisions virtually every day, far too many choose to turn a blind eye to the 800-pound gorilla lurking in our enterprises.
Local Admin Rights.
There… I said it. Publicly. Not in the back alley of the latest InfoSec conference; not in a hushed whisper to trusted colleagues; not over some secret encrypted covert channel.
No – It’s time that we collectively fix this problem. And yes – I completely understand the gravity and impact of what I am saying.
Let’s face it, giving the average end user Local Admin Rights to their corporate PC or laptop is tantamount to giving the babysitter the keys to the liquor cabinet – nothing good can ever come from it.
According to a recent analyst’s report, we spend billions of dollars each year, about $75 billion in 2016, throwing technical solutions at people problems, and yet not a day passes without another breach making headlines. Sure, there are fundamental solutions we need to have in place to secure and monitor our infrastructures, but after that, what tools are really going to fix our problems? We will always have users who click on email phishing links, or malicious ads being delivered through well-known sites, and malware-laden open source delivered by trusted partners.
The reality is that any CISO who’s been in the seat for more than a few weeks knows, in their gut, that the Local Admin Rights issue is one of the biggest risks we face, and concurrently, one of the most intimidating to address. User revolt, executive outrage, and inundation of the help desk are just a few by-products one can expect when tackling this topic in the corporate enterprise.
But I ask you this – How long until that breach occurs? How long before you’re standing in front of your board of directors trying to explain why you need to buy some cryptocurrency to payoff an unknown figure to decrypt your files? How long until you’re the headlines in tomorrow’s news?
Tell me – How long until you step up and fix the single biggest exposure in your company?
Remember, this is the Anti-FUD zone, so before you answer, perhaps a little research project is in order. Before you pass this off as a CISO’s bucket-list dream accomplishment, do this one thing for me. Go back over all of your incident reports for the last 12 to 18 months and see how many of them would have been mitigated – even to a small degree – if the user had not had Local Admin Rights. Would the malware have even installed? Would the malicious actor have been able to bounce from host to host almost invisibly? Would they have been able to open a command shell and scoop packets off the wire? Seriously – don’t take my word for it. Use your own empirical evidence to provide the foundation for the argument.
All this being said, I readily admit this is likely to be one of the biggest challenges any CISO will face, but I also firmly believe that it’s one that will make the biggest impact. I also believe that we are beginning to see a ‘return to center’ when it comes to what employees are allowed to do on their corporate workstations and the acceptable risk that accompanies it. After all, if we don’t control the endpoint, someone else will.
If you decide to undertake such a mission, here are a few approaches you may want to consider. Most are self-evident, but worth highlighting.
- Start small: Pick strategic groups and test on a small subset of your user base. Get buy-in from the teams and engage them early and often. This is an effort that needs to be done in partnership with your IT support and help desk teams – not in spite of them.
- Eat your own food: Make the InfoSec team a model example of what’s possible. You control your own destiny – have your team lead the way by giving up their admin rights and prove to everyone else that it’s possible.
- Leverage the deployment of a new OS: Many are, or soon will be, considering a full Windows upgrade. Why not leverage that deployment as an opportunity to lock down the user rights?
- Consider alternate accounts: Do you have some power users that you don’t want to pull the rug out from under them? Why not provide them with a special account to ‘Run As’ that will give them the occasional elevated privileges when needed? This also will enable you to monitor those accounts and follow up with the users as to why they needed to elevate privileges in the first place.
- Be cost conscious: While you could deploy a solution to address some of the potential process changes from removing a Local User Admin, there isn’t a requirement to do so. Yes, there will likely be an FTE expense to get the work done and possibly an uptick of a headcount or two at the help desk, but you do not need to drop seven figures on an Identity and Access Management solution (IAM) to solve this problem.
Finally, in keeping with the Apollo Mission theme…
[We choose to rid ourselves of Local Admin Rights]… not because it is easy, but because it is hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win.
In the event you need context and metrics around the overall risk that a Local User Admin introduces, you’ll be able to find a few data points in these reports:
- Verizon 2015 Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/
- Avecto 2015 Microsoft Vulnerabilities Report: http://learn.avecto.com/2015-microsoft-vulnerabilities-report
For more on Identity and Access Management, view these articles.
Originally posted on SecurityCurrent.com.
Copyright © 2002-2020 John Masserini. All rights reserved.