Our clients often ask us about the common security issues we find during engagements. In this article, we want to share with you the top five issues we encounter and our recommendations to help secure your environment. As we mentioned in a previous article, some of these recommendations will not help your IT department win a popularity contest, as security almost always comes at the cost of convenience.
Local Administrator Rights
Granting end-users local administrator rights is by far one of the most prevalent and dangerous issues that we commonly observe. This is a configuration in which an end-user has been granted complete authority over their local machine. Did you know that 80% of all data breaches involve the use of privileged credentials in some manner? See Forrester’s 2016 Wave on Privileged Identity Management for the full study.
This dangerous configuration creates numerous risks, including the few below:
- Every program that an end-user executes, or inadvertently executes, runs with administrator privileges. This potentially includes malicious software, allowing it to infect a workstation more easily and possibly propagate more quickly across the network.
- Security tools can be more easily unloaded, such as antivirus software, DNS security and monitoring software, web reputation filtering (if controlled locally), and so on.
- Group policies applied to the machine can be overridden, allowing the end-user access to functionalities or the ability to make changes that would not normally be permitted.
- End-users can install any software they choose, including software that your organization may not be properly licensed for, possibly resulting in substantial financial penalties for the company. Further, not all software plays nicely together, and installing software that has not been properly tested can result in other programs not functioning properly.
The common reason we hear for granting local administrator rights to end-users is that an application “requires” this level of access. However, in our experience, this is hardly ever the case. Software companies know that most organizations will not want to take the time to explicitly define the user account permissions their software needs to function properly. Therefore, with a broad brushstroke, they will often state in the software requirements that end-users must have local administrator capabilities, as they know this will most easily provide user accounts with all the permissions the program needs. Unfortunately, their focus is often not on security but rather on avoiding customer complaints.
We recommend organizations ensure that end-users do not have local administrator rights on their workstations. Should an application legitimately require local administrator rights to function, a separate user account should be created with those privileges for use only when accessing that particular application. This practice of least privilege applies beyond end-users as well! Commonly, the IT team will grant their personal user accounts “domain administrator” rights, which have complete authority over every workstation and server on the network. This is usually done to save time, but for the same reasons we always recommend that IT staff have separate user accounts for administrative and non-administrative duties.
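One way to find out who actually holds local administrator rights on a workstation is to compare the local Administrators group against an approved list. The script below is an added example, not code from the original article; the approved-list entries (the CONTOSO domain and group names) are constructed placeholders, and it assumes Windows PowerShell 5.1 or later, where the Get-LocalGroupMember cmdlet is available.

```powershell
# Added example (not from the original article): audit the local Administrators
# group on a Windows workstation and report any member not on an approved list.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
# The approved list below is a constructed placeholder; replace it with your own.

$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',       # placeholder: domain group present by default
    'CONTOSO\Workstation-Admins',  # placeholder: group for IT's separate admin accounts
    "$env:COMPUTERNAME\Administrator"
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Each member's Name comes back as DOMAIN\account or COMPUTER\account.
    # Note: nested group membership is not expanded here; a user who is an
    # administrator only through a group shows up as that group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        # -notcontains is case-insensitive, matching Windows account naming
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Finding         = 'Not on approved local administrator list'
            }
        }
    }
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    $findings | Format-Table -AutoSize
    # Export for fleet-wide review, e.g. when run from a scheduled task or RMM tool
    $findings | Export-Csv -Path "$env:TEMP\LocalAdminAudit-$env:COMPUTERNAME.csv" -NoTypeInformation
} else {
    Write-Output "No unapproved members in the local Administrators group on $env:COMPUTERNAME."
}
```

Run it on a sample of workstations first: the members it flags are exactly the end-user accounts (or groups containing them) that the recommendation above says should be removed from local Administrators.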
Disk Encryption Not Enabled
By default, most workstations’ hard disks are not encrypted, leaving the data on them unprotected against unauthorized access. If a hard disk is not encrypted, then all an attacker generally needs to gain access to that data is physical access to the machine. This represents a large problem for organizations, especially those who choose to deploy laptops that can easily be transported off-site. Thanks to the global pandemic and the need for remote work options, we see this security issue more and more.
In the past, one of the more frequent reasons that disk encryption was not enabled was due to performance issues. This was a legitimate concern, especially on platter-style hard disks where there would be a noticeable decrease in the speed at which encrypted programs and data would open. Today, particularly with the prevalence of solid-state drives, this concern has been virtually eliminated as the performance impact of data encryption is barely noticeable to the end-user.
Another concern was cost: previously, disk encryption software could be quite expensive, and not all versions of Windows included disk encryption. Nowadays, encryption capability is available at no additional cost on all current versions of Windows and is very simple to deploy. Some older machines may run into hardware compatibility issues that will need to be addressed, but business-grade devices purchased in the past few years will usually come equipped with the hardware necessary to support encryption.
We recommend companies ensure that all newly deployed workstations have disk encryption enabled, and that legacy workstations are likewise encrypted where possible.
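To verify that recommendation rather than assume it, the following added example (not code from the original article) reports BitLocker status for every volume on a Windows workstation, including whether a TPM is present and ready, which is the hardware prerequisite mentioned above. It assumes the BitLocker and TrustedPlatformModule PowerShell modules are available (Windows Pro or Enterprise) and that the session is elevated.

```powershell
# Added example (not from the original article): report disk-encryption status
# on a Windows workstation. Requires the BitLocker module (Windows Pro/Enterprise)
# and an elevated session; Get-Tpm comes from the TrustedPlatformModule module.

function Get-DiskEncryptionReport {
    # TPM details are reported once per machine; missing module or no TPM yields $null
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = if ($tpm) { $tpm.TpmPresent } else { $false }
    $tpmReady   = if ($tpm) { $tpm.TpmReady }   else { $false }

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types, e.g. Tpm, RecoveryPassword, Password
        $protectors = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        # A volume only counts as protected when encryption has finished AND
        # protection is on; a suspended volume is FullyEncrypted but exposes its key.
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
            ProtectionStatus = $vol.ProtectionStatus  # Off = key protectors suspended or none configured
            EncryptionMethod = $vol.EncryptionMethod  # e.g. XtsAes128, XtsAes256, None
            KeyProtectors    = $protectors
            TpmPresent       = $tpmPresent
            TpmReady         = $tpmReady
            Compliant        = $compliant
        }
    }
}

$report = Get-DiskEncryptionReport
$report | Format-Table -AutoSize

$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("{0} volume(s) not fully encrypted with protection on: {1}" -f `
        $nonCompliant.Count, (($nonCompliant | ForEach-Object { $_.MountPoint }) -join ', '))
}
```

The Compliant column is the one to collect across the fleet; a laptop whose operating-system volume shows FullyEncrypted but ProtectionStatus Off is effectively unencrypted for the purposes of the risk described above.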
Social Media Access
Allowing your end-users unfettered access to social media sites creates additional risk for your organization. There is a common misconception that anything posted on a social media site is inherently safe to click on. Social media companies are not able to fully vet every link posted on their site, and malicious software spreads easily this way. Even when the link appears to be from a trusted source, there is always the possibility that the poster’s account was compromised by an attacker who will then post a dangerous link. There are many examples of organizations being infected through this attack vector. According to a recent article, up to 40% of the malware infections on social media sites stem from malicious ads, and 30% come from rogue apps and plug-ins.
Exceptions do exist; for example, your marketing and business development teams may need access to social media sites to manage campaigns, create posts, and so on. This is a legitimate business function, and many web filtering packages allow IT to define different security groups, each with its own set of permitted websites. Individuals who have been granted access to these sites should receive additional training on how to be vigilant when accessing social media while using company assets.
We recommend organizations carefully consider which social media sites they permit their end-users to access and ensure there is a valid business need to allow access to a particular site. Most people carry smartphones nowadays, and it is not unreasonable to ask that your employees utilize their own devices for personal social networking. Providing your employees with a “Guest Wireless” network to connect to is a nice perk to encourage the use of their own devices for this purpose.
Personal Email Account Access
Allowing employees to access their personal email accounts on company assets likewise poses a serious security threat. There is potential for them to click on malicious links or download harmful attachments onto their workstation. Data loss prevention is a topic that we will be delving into in a future article, but there is also the risk of confidential company or client information being sent through their personal email accounts.
Similar to social media access, we recommend organizations carefully consider their posture on this issue and restrict access to these sites accordingly.
Device Default Passwords Unchanged
Do you have a big multifunction copier in your office? Is it also a scanner, fax machine, and espresso maker all-in-one? Most multifunction machines have a lot of… functionality, which enables us to be quite productive. If not properly managed, these devices can pose an enormous risk to your organization. For example, many of these devices may have access to shared resources on your company’s network, and therefore a network username and password may have been stored on the device. Depending on the model of the device, it may be possible to retrieve those stored credentials in a number of ways and then use them for nefarious purposes.
One of the most common methods of retrieving stored credentials is accessing the device with the default administrative password it came with from the factory, as this password is often never changed after the device has been installed. If an attacker can access the device with the default password, it is sometimes possible to retrieve the stored plaintext network username and password. What other pieces of equipment has your organization stored a set of network credentials on? Do you have an electronic outdoor sign, equipment that manages electronic badges, a closed-circuit surveillance system, conference room equipment, or even HVAC systems that have been set up with network credentials?
We recommend that you keep an accurate technology inventory, understand which devices may have default passwords set at the factory, and reset those passwords to something different.
These were just a few examples of common security issues that we come across on a routine basis. We at Calvetti Ferguson are here to help! If there are any questions that you might have, or if you are simply in need of a sounding board, please contact us.