It is the start of a new year - that time in which we break down the complexities of life into more manageable elements in order to strategize for the year ahead and attempt to improve upon our efforts of the year prior. This also applies to your company’s enterprise cybersecurity strategy. According to Gartner, worldwide cybersecurity spending reached $90 billion in 2017. Despite the record amount of money thrown at this monolithic threat, 2017 was another worst year ever for data breaches. Top that off with the two global ransomware attacks in May and June that disrupted operations and negatively affected quarterly earnings for some of the biggest corporations in the world, and one can debate just how much we got for our money. A recent article in Forbes magazine estimates global spending for cybersecurity at $101 billion in 2018, soaring to $170 billion by 2020. It is obvious that spending alone will not curtail the threat of hackers and their deployed malware. We need to get down to the fundamentals of how to secure the enterprise and establish core principles that govern our everyday operations. In part one of this blog series, we will examine two core principles that every company and organization should implement in the coming year.
1. Least Privilege
Local admin rights are a constant struggle for many organizations today. Let’s face it, many of us allow local admin rights to user devices because it’s convenient. What’s more, due to the consumerization of IT, users expect admin privileges on company devices. At the same time, local admin rights are the source of so many helpdesk calls due to users meddling with configurations that they should not. Even worse though is the fact that local admin accounts are the top target of hackers, malware creators, and other nefarious outsiders who want to install ransomware, keystroke loggers, sniffers, and remote control software within your network. It is no wonder that the SANS Institute refers to local admin accounts as the keys to the kingdom.
Companies should practice the principle of least privilege when it comes to client devices. The concept is nothing new. As early as 2005, Microsoft outlined the concept of least privilege in a Microsoft Windows Resource Kit, which stated:
"Always think of security in terms of granting the least amount of privileges required to carry out the task. If an application that has too many privileges should be compromised, the attacker might be able to expand the attack beyond what it would if the application had been under the least amount of privileges possible.”
The fact is that the people behind the keyboards are your weakest endpoints and the apathy in recognizing that fact is the biggest security threat of organizations today. Users are not known for making good decisions when it comes to cyber activities. Case in point, according to Verizon’s 2017 Verizon Data Breach Investigations Report, 1 in 14 users were tricked into clicking a link or opening an attachment. Of those, 25% were duped more than once.
When operating under the identity of an admin or privileged account, applications installed with that account take on those privileges. These threats make identity the new security perimeter. Stripping users of privilege access to their devices hinders their ability to download and install unauthorized software. It also prevents them from writing files to places that only administrators can which is a principle objective of malware. The concept of least privilege is more than simply denying local admin privileges however. Some applications such as Chrome, as well as many malware variants, do not require admin rights for installation.
In the end, you should only allow users the minimum necessary access needed to perform their job and nothing more. In similar fashion, all system components should be allowed only the minimum necessary function needed to solely perform their purpose.
The days of plain text data storage is over. In fact, IT executives and managers can take a cue from hackers themselves. There is a reason why they encrypt their files to protect themselves from law enforcement. There is a reason why companies pay extortion demands of tens or hundreds of thousands of dollars following up a ransomware attack. It is because without the decryption key, encrypted data is unreadable.
When it comes to encryption, there are two basic ways to encrypt data, either in transit or at rest. The most prevalent example of encrypting data in transit is a website that accepts logon credentials and other sensitive information. You should also encrypt data when synchronized to the cloud or another location. Emails containing high value data should be encrypted as well, if not all SMTP traffic. Data at rest not only includes data on premise, but cloud storage as well, including personal cloud storage. While file encryption is suitable for these instances, Internal IT should protect mobile devices such as laptops with full disk encryption in case of theft.
In Part 2 we will look at the remaining core principles that every organization should incorporate into their 2018 enterprise cybersecurity strategy. In the meantime, sign up for a security and threat prevention assessment.