Beyond granular privilege escalation: endpoint protection today
Few seasoned IT professionals can attest, with 100% honesty, that they have never clicked a suspect or rogue link in an email or on a webpage. Yet the people we would expect never to fall for that initial probe of cybersecurity sometimes do. If a cybersecurity analyst has exposed (and will expose) their own organisation to the risks of malware and ransomware, is there any hope for mere mortals?
The costs of ransomware are growing at a tremendous rate (up 46% YOY according to McAfee), driven at least in part by the fact that many organisations pay up in the (often vain) hope that they will be able to retrieve encrypted files. In addition, ransomware crews are also exfiltrating data prior to encryption, allowing them to sell the stolen, confidential information on the black market. Whether or not you think stumping up the cash is a wise move (hint: it’s not wise at all), there are two considerations here. Firstly, what measures are in place to help prevent attacks, and secondly, what might an organisation do in a malware-related disaster?
The space available to this article limits our answers to the first question only – what to do when an attack is successful will be the subject of a future article. But to address the issue of how best to protect a workforce, we need to look at how ransomware works.
When malware first gets a foothold on a user’s computer, it inherits execution privileges that allow it to run and ultimately encrypt the user’s data, before demanding a ransom in Bitcoin. Yet, according to BeyondTrust, over 80% of published Microsoft vulnerabilities would not cause any issue if users didn’t have full admin privileges.
Many organisations have tried locking down privileges before, without much success. The common outcome has been an inundated helpdesk dealing with disgruntled users asking for more rights to use the software they need to do their jobs. This is particularly the case for dev teams. So, to keep the peace, IT departments have acceded to users’ demands, to the detriment of security.
The everyday tools
Most of the software in daily use in organisations of all types across the globe falls into common categories: email applications, office suite, messaging apps, a web browser or two, and, often, specialist software relevant to a job role, such as financial or HR applications, for example, some of which no longer reside locally but in the cloud.
In common IT environments, there are various power-user tools that often run in the background and are key to the day-to-day running of enterprise organisations. Macros and PowerShell are two important tools used to automate tasks, including the management of systems. For many organisations, neither can be readily disabled due to the business impact. Yet, they can also be exploited by hackers looking to score a payday.
The buck stops at the endpoint
While modern endpoint protection methods have a place, they are still vulnerable to cleverly crafted phishing emails and attacks that exploit unknown vulnerabilities.
This is where modern privileged access management (PAM) solutions play a part. A subset of PAM is privilege elevation and delegation management (PEDM). PEDM applies granular controls to privilege elevation on a case-by-case basis. Privilege management can be applied not only to traditional endpoints such as desktops, but can also be extended to servers, protecting Linux or Unix environments from cryptomining software or worse.
It used to be easier for harried support staff to allow the user full access privileges to their work hardware and software to keep the phone from ringing. But by leveraging quick start policies, endpoints can be quickly secured, with users given the needed privileges to get their jobs done with minimal impact on productivity. Privileges can be elevated for the time needed to complete a task, minimising the window of time that any privilege can be misused. Modern PAM solutions actually never elevate the user; instead privileges are constrained to the security context of the executable.
It is a testament to the user-friendliness of modern PAM solutions that many users will be oblivious to a PEDM solution running in the background of their device. They no longer need to find workarounds, nor do they lose productivity through regular calls to the IT helpdesk.
For organisations on the zero-trust journey, managing privileges in this way supports the principle of least privilege: at the heart of zero trust.
Beyond the Whitelist
Whitelisting specific capabilities of an application, as well as applications in their entirety, means those pieces of software that users need to get their daily jobs done will continue to work safely. Preventing PowerShell from running might seem like a wise move, but once a blanket ban is in place, you can be sure that a vital script or shim for an application will stop working.
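The PEDM behaviour described above (default deny for unknown software, elevation scoped to the executable rather than the user, elevation that expires after a set time) and the script-level whitelisting of PowerShell in the preceding paragraph can be modelled as a small policy evaluator. The following is an added example written for this article, not code from any PAM vendor or product; every rule, path, publisher name and hash in it is constructed for illustration, and real products key on signed publishers and binary hashes rather than paths alone.

```python
"""Illustrative model of PEDM-style decisions: an application allowlist,
per-executable time-bounded elevation, and per-script control of PowerShell
instead of a blanket ban. Added example code; all policy data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib


@dataclass(frozen=True)
class ExecRequest:
    user: str
    exe_path: str                  # executable the user is launching
    exe_sha256: str                # hash of that binary
    publisher: str = ""            # code-signing subject, "" when unsigned
    script_sha256: str = ""        # hash of the script a host such as PowerShell runs
    when: datetime = datetime(2023, 10, 2, 9, 0)  # constructed launch time


@dataclass(frozen=True)
class Rule:
    name: str
    exe_path: str = ""             # match on path (case-insensitive); "" = any
    publisher: str = ""            # match on signer; "" = any
    exe_sha256: str = ""           # match on binary hash; "" = any
    elevate: bool = False          # grant admin rights to this executable only
    ttl_minutes: int = 0           # how long the elevation remains valid
    script_hashes: frozenset = frozenset()  # script hosts: permitted scripts

    def matches(self, req: ExecRequest) -> bool:
        if self.exe_path and self.exe_path.lower() != req.exe_path.lower():
            return False
        if self.publisher and self.publisher != req.publisher:
            return False
        if self.exe_sha256 and self.exe_sha256 != req.exe_sha256:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    action: str                    # "deny", "run_as_user" or "run_elevated"
    reason: str
    elevated_context: str = ""     # the executable that received the rights, never the user
    expires_at: Optional[datetime] = None


def evaluate(rules, req: ExecRequest, audit: list) -> Decision:
    """Default deny. The first matching rule decides; any elevation is scoped
    to the executable and carries an expiry. Every decision is audited."""
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.script_hashes and req.script_sha256 not in rule.script_hashes:
            # Host is allowed, but only for scripts on the allowlist.
            decision = Decision("deny", f"{rule.name}: script not on allowlist")
        elif rule.elevate:
            decision = Decision("run_elevated", rule.name, req.exe_path,
                                req.when + timedelta(minutes=rule.ttl_minutes))
        else:
            decision = Decision("run_as_user", rule.name)
        break
    else:
        decision = Decision("deny", "no rule matched: not on allowlist")
    audit.append((req.when.isoformat(), req.user, req.exe_path, decision.action, decision.reason))
    return decision


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real binaries and scripts.
INSTALLER_HASH = sha256_hex(b"constructed: approved-driver-installer")
SCRIPT_OK = sha256_hex(b"constructed: approved-inventory-script")
SCRIPT_UNKNOWN = sha256_hex(b"constructed: attachment-from-email")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

POLICY = [
    Rule("office suite runs as the user", publisher="CN=Constructed Office Vendor"),
    Rule("approved installer, 15-minute elevation", exe_sha256=INSTALLER_HASH,
         elevate=True, ttl_minutes=15),
    Rule("PowerShell permitted for approved scripts only", exe_path=POWERSHELL,
         script_hashes=frozenset({SCRIPT_OK})),
]


def run_demo() -> dict:
    """Evaluate four constructed launch requests and return action per case."""
    audit: list = []
    cases = {
        "word": ExecRequest("alice", r"C:\Program Files\Office\winword.exe", "aa" * 32,
                            publisher="CN=Constructed Office Vendor"),
        "installer": ExecRequest("alice", r"C:\Installers\driver-setup.exe", INSTALLER_HASH),
        "unknown_temp": ExecRequest("alice", r"C:\Users\alice\AppData\Local\Temp\update.exe", "bb" * 32),
        "ps_ok": ExecRequest("alice", POWERSHELL, "cc" * 32, script_sha256=SCRIPT_OK),
        "ps_unknown": ExecRequest("alice", POWERSHELL, "cc" * 32, script_sha256=SCRIPT_UNKNOWN),
    }
    return {name: evaluate(POLICY, req, audit).action for name, req in cases.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:>12}: {action}")
```

The point of the shape is that the user account never changes: `alice` stays a standard user throughout, the installer alone runs with elevated rights and only until `expires_at`, and PowerShell keeps working for the approved inventory script while an unvetted script is refused. The audit list is what the auditing of everyday practice, discussed next, would be built on.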
The bottom line is to audit everyday practice and ensure that security policies support and protect it accordingly.
As the instances and costs of ransomware ramp up significantly worldwide, it’s time that companies remove themselves from the “low hanging fruit” category of potential victims. An assiduous combination of whitelisted applications with carefully chosen limits placed on execution privileges is the organisation’s best solution. It combines user operability (allowing a degree of endpoint personalisation, for instance) with the outright prevention of any code that falls outside a definition of what’s normal, a definition that can be as wide or narrow as your organisation needs.
The end goal is to stop malware and ransomware from running if it’s got past all other elements of the cybersecurity stack. As any cyber professional knows, it’s a case of when, not if, and protection policies have to be mindful of that unpleasant reality.
To learn more about finding your balance between usability and 100% security and take a significant stand against the ransomware-as-a-service providers that lurk out there, get in touch with the sector’s market leaders today.