2014: The Year of Privilege Vulnerabilities
The following is an excerpt from BeyondTrust CTO Marc Maiffret’s article, “2014: The Year of Privilege Vulnerabilities,” published by Dark Reading on December 16, 2014.
Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.
The Target breach in late 2013 and the recent Sony Pictures breach are bookends to a year that saw numerous examples of attackers crossing the bounds between areas normally protected by traditional IT operations and security teams. One pattern in particular seemed particularly prevalent: Attackers leveraged initial vulnerabilities and weaknesses to gain a foothold on the target organization’s internal network and furthered their access by taking advantage of privileged accounts and passwords.
Most IT security professionals are quick to agree that allowing users to run with Administrator-level privileges is an extremely bad idea, especially as you flatten any security barriers the underlying operating system might offer. The most common example is in Microsoft Windows environments where each employee’s Active Directory accounts are added to the local computer’s Administrators group. Even though this is understood to be an unhealthy security practice, it continues to persist — not only in small, underfunded companies, but also in large, established enterprises.