Modern environments are in a constant state of flux; new systems are being commissioned, and old systems decommissioned, to meet new requirements and increase efficiency in all sectors. Managing those changes takes strategy and labour, and every change has an overhead in both of those resources.
What do you do when your users want new software, or to be able to update their apps without waiting for the next patch window?
It’s the perfect solution; your users can now:
And all this without taking up IT resources for changes that may only affect a single endpoint. Sure, everyone needs email, but how many users need software for CAD, tax reconciliation, or even software development?
Many businesses decide that the cost to the business, and the frustration of users, is too high, and grant users admin access over their own machines. Some go further and give functional groups admin over every endpoint in their team via security groups.
A significant downside of this strategy is the loss of both control and visibility over endpoints. You don’t have to patch applications any more, but are your users doing it? Maybe they’ve installed Chrome and are keeping it up to date, or maybe they’re running a portable Firefox from a USB drive they bring from home – the same one they use to clean up viruses on their parents’ home PC.
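As an added example (not code from the original post), the PowerShell below is the kind of check a practitioner would run on an endpoint to start answering the visibility question above: who actually holds local admin on this machine, and which browsers are installed and at what version. The allow-list of expected admin principals and the CONTOSO domain name are assumptions for illustration; replace them with your own.

```powershell
# Added example: audit local Administrators membership and installed browsers
# on one endpoint. Run in an elevated Windows PowerShell 5.1 or later session.
# The allow-list and the CONTOSO domain are assumptions, not values from the post.
$ExpectedAdmins = @(
    "${env:COMPUTERNAME}\Administrator",  # built-in local admin (ideally LAPS-managed)
    'CONTOSO\Domain Admins',             # assumed domain; replace with your own
    'CONTOSO\Workstation Admins'         # assumed workstation admin group
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $ExpectedAdmins)
    # Get-LocalGroupMember lists direct members of the local group, including
    # domain users and domain groups that have been nested into it.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-InstalledBrowsers {
    # Installed software is recorded under the Uninstall keys for 64-bit and
    # 32-bit applications; per-user installs (Chrome installed without admin
    # rights, for example) live under HKCU and are included as well.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Chrome|Firefox|Edge' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

$Unexpected = Get-UnexpectedLocalAdmins
if ($Unexpected) {
    Write-Warning "Unexpected members of local Administrators on ${env:COMPUTERNAME}:"
    $Unexpected | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators on ${env:COMPUTERNAME} matches the allow-list."
}

Write-Host 'Browsers recorded in the registry (Chrome/Firefox/Edge):'
Get-InstalledBrowsers | Format-Table -AutoSize
```

Note the limit of this check: a portable browser run straight from a USB drive writes no Uninstall entry, so it never appears in the inventory. That is exactly the visibility gap the paragraph describes, and it is why application control, not software inventory, is the control that closes it.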
If you’re letting users install their own software, answering these questions is going to be hard:
Let’s have a look at the ACSC’s Essential Eight, the Australian Government’s recommendation of the eight most effective mitigation strategies to protect your business from cyber security incidents.
Let’s see how they align with allowing:
At this point, allowing Local Administrator access has weakened or invalidated the most effective controls we have. Restricting administrative privileges is itself one of the eight, and a user who is a local admin can also bypass application control and unmanaged patching simply by installing whatever they like.
OK, so we’ll get EDR to detect malicious activity. At least this way attackers can’t use tools to exploit other machines.
Oh, yeah, that. We can’t stop the tools from running, because a local admin can install a hypervisor and run them inside a virtual machine, where the host EDR has neither visibility nor execution control. OK, we’ll get a vulnerability scanner to detect exploitable vulnerabilities – even if we can’t control the applications, we can scan for vulnerable installs and fix them.
Oh, we made the scanner service account a domain admin so one account could scan all our machines. Now we need privileged account management anyway, to detect and prevent the scanner account being used outside scanning schedules; and since a local admin on any endpoint can capture the credentials of whatever account authenticates to it, that domain-admin scanner account is a path to domain admin for every local admin we just created.
The basic answer here is that administrative privilege is a risk. One of the best ways to prevent exploitation is to limit its use to the administrators who need it; every expansion pollutes your environment.
Giving users administrative access is giving away your control, and it’s hard to get that back.