Computer security is a field where the goal posts are constantly moving, as malware morphs in an attempt to outsmart the defenses you put in place. While security professionals have recognized for a long time that unwanted software, often in the form of Trojans and worms usually installed by users when tricked by some form of social engineering, presents the biggest risk to security, it’s only now that compliance mandates are catching up and being developed using real-world attack data.
Australia’s Department of Defense Intelligence Agency produced a report of mitigation strategies using research on attacks carried out in 2010, and later updated in 2011. It concluded that 85 per cent of attacks could have been prevented if its top 4 recommendations had been followed. These top 4 recommendations are known as the security ‘sweet spot’:
- use application allow listing to help prevent malicious software and other unapproved programs from running.
- patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
- patch operating system vulnerabilities.
- minimize the number of users with administrative privileges.
The Australian government has already implemented the report’s recommended strategies to good effect, allowing only allow listed applications to run and removing administrative privileges wherever possible. Application allow listing and privilege management are the core features of Avecto Defendpoint. Defendpoint helps avoid the inconvenient tradeoff in usability that security measures often impose by allowing IT administrators to remove administrative privileges and block restricted applications while ensuring that users have the flexibility to work as required.
The UK government’s Public Services Network (PSN) has a new set of standards that replaced the Government Secure Intranet Code of Connection (GSi CoCo) in November 2012. Based on ISO 27001, the new controls are outcome based so that government departments can comply how they see fit rather than check a list of technical requirements. The PSN Standards list of configuration controls includes preventing the execution of unauthorized software, best achieved through application allow listing, and explicitly states that administrative privileges should be removed where possible.
Not all the latest security mandates are coming from government. The SANS institute has created its own list of 20 controls in consortium with government and industry bodies. As expected, included in the controls is the removal of administrative privileges, and though application allow listing isn’t explicitly mentioned, the secure configuration of workstations and servers is a key priority.
Most current security mandates imply that least privilege should be deployed rather than state it explicitly. But as the importance of least privilege becomes better understood, that’s starting to change. Whether you need to comply with current or future mandates, least privilege security is a defense strategy that cannot be ignored if you need to meet basic compliance requirements.
We’ve written a white paper which goes into more detail on the latest updated on Government compliance. You can access it here.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.