Category Archives: Institutions

Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization

First of all, let’s clear up any confusion the title might have brought on: this is not about removing admin rights forever, for everyone but yourself or anything like that. This is about making the removal of admin rights the default setting in your organizational network.

After making sure every employee except a few system administrators has a standard user profile instead of an admin one, administrative rights should be managed on a case-by-case basis.

Since we recently launched our automated admin rights privilege management software, Thor AdminPrivilege™, I decided it would be the perfect time to dive in-depth into this topic.

Here is our best guide on how removing admin rights improves your security on all counts and how to be effective about it (regardless of whether you use our software or not).

What you can expect to find in the following guide:

  • Why unrestricted admin rights are dangerous (for both internal and external threats)
  • The vulnerabilities which get closed by removing admin rights
  • How risks are minimized by removing admin rights
  • Data and real-world examples
  • Best practices for minimizing risks derived from admin privileges

Ready? Let’s go!

Managing Admin Rights for Neutralizing Insider Threat

You may already be familiar with the concept of neutralizing insider threat by managing admin rights.

First of all, as a disclaimer, you should know that removing admin rights for regular users inside your organization doesn’t completely eliminate the risks associated with insider threat. You can’t control for everything dangerous a user might do just by de-escalating their administrative rights on their endpoint.

There are still plenty of risky things which an employee can do, both intentionally and unintentionally, even without admin privileges. These include:

  • Setting a weak password or a password they also use for other personal accounts;
  • Sharing their password with others, who might be targeting the employee for malicious purposes;
  • Clicking unsafe links from emails or the web;
  • Giving protected information to malicious third parties, because of a scam (like CEO fraud) or intentionally;
  • Snooping through the files on a colleague’s workstation when they leave it unattended (risky especially if the colleague has access to more sensitive data than they do);
  • Inserting an infected USB stick or external hard drive into a work station.

Still, removing admin rights by default is the bare minimum for reducing insider threat considerably. Not many people realize that removing admin rights leaves some insider risks untouched, but almost everyone knows that it is a good thing to do, security-wise.

Here are just some of the risks of granting everyone admin privileges. As you’ll see, a user can do far more harm to your organization with full administrative rights, including:

  • Installing malicious apps, such as spyware or malware meant to steal money or data or to disrupt activities;
  • Creating back doors for third parties to install malicious apps or hijack systems;
  • Accessing or exporting sensitive data, which can then be further mishandled;
  • Making changes that lock legitimate users out of systems;
  • Publishing misleading or embarrassing content in order to cause a PR crisis, etc.

Of course, this doesn’t mean that the user would willingly do all of these things, but it’s something which hackers could accomplish by tricking a user with admin privileges. The trick could be accomplished by almost anything – a spam email, a USB stick which the hackers replaced with one of their own and so on.

So why then do some organizations still allow default administrative rights to their users? Because they are still succumbing to some dangerous myths about admin privileges:

  • Only employees who hate us could cause harm and we get along well with all employees;
  • We have anti-virus and a firewall installed so we’re fine, there’s no harm they could do;
  • If admins need to approve all requests they will lose a ton of time;

I have to admit that there may be a grain of truth in some of the myths above, but not in the way people who buy into these myths may think. For example, it does indeed help to have an anti-virus solution and firewall installed, but it’s not enough.

Also, it is true that admins lose a bit of time approving admin rights requests but that’s nothing compared to the risk they help avoid and, more importantly, the time waste can be completely avoided by using an admin rights management software (like our Thor AdminPrivilege™).

Managing Admin Rights for Neutralizing External Threat. Vulnerabilities Closed by Removing Admin Rights

Few people realize that removing admin rights and granting them only on request, for a specific time frame, also blunts external threats. It is not just about managing insider threat. Most malware and many exploits for the security gaps routinely found in common business software and operating systems need administrative rights to persist, disable security tooling or reach beyond the current user’s profile; code that lands in a standard user’s session is confined to what that user can touch.

Such systemic vulnerabilities are often discovered and patched without a breach having to happen for security researchers to become aware of the threat. But other times, unfortunately, the vulnerabilities are discovered by hackers and exploited before they can be patched up.

So, what can you do to avoid your company becoming the next news-worthy example of a breach?

Removing admin privileges from regular users is one of the most immediately effective protective measures you can take, and one that needs no knowledge of the next vulnerability in advance.

Examples of data breaches involving abused or mishandled admin privileges

Just to give you a better idea about the scope of the danger, here is what you should be aware of.

  • 63% of confirmed data breaches involved weak, default or stolen passwords (Verizon’s 2016 Data Breach Investigations Report); a stolen password for a standard user is a far smaller prize than one for an administrator;
  • 74% of organizations that suffered a breach said it involved access to a privileged account (a 2019 Centrify survey);
  • In a notoriously bad decision, Equifax left an employee portal in Argentina protected by ‘admin’ as both the username and the password; its much larger 2017 breach came in through an unpatched Apache Struts flaw, which is the patching point of the next section;
  • Deloitte’s 2017 breach started with an email-system administrator account protected only by a single password, with no second factor;
  • Facebook has repeatedly made the news for breaches and leaks tied to over-broad access to user data;
  • In May 2019, more than 25,000 Linksys Smart Wi-Fi routers were found to expose the full history of devices that had connected to them through an interface reachable without logging in;
  • Marriott disclosed in 2018 that attackers had been inside the Starwood reservation database since 2014, exposing the records of hundreds of millions of guests, including some passport and payment-card numbers; closer tracking of privileged access might have surfaced the intrusion far sooner.

I could go on, but I think you now have a better picture of what happens when administrative rights are mishandled. News of data breaches pops up all the time, but while you learn the technical details and the methods used by the attackers (DNS hijacking, a Trojan, good old malware, etc.), you rarely hear how it all began and how they gained their initial foothold, which very often is an account with administrative privileges, or a standard account that was then elevated.

Systemic vulnerabilities which can be closed by removing admin rights from users

Besides classic insider threat scenarios, there are also system vulnerabilities which can be easily abused from a fully-privileged account.

An analysis of Microsoft’s security bulletins found that the number of Microsoft vulnerabilities rated ‘critical’ rose by 29% over a period of 6 years (from 2013 to 2018). In 2018 alone, more than 700 vulnerabilities were reported across the various Windows OS versions.

Only 272 vulnerabilities have been reported for 2019 at the time of writing (June 2019), but that is still a big figure. This doesn’t mean that Microsoft products are bad or insecure, on the contrary. But vulnerabilities are inevitable in products with this kind of user pool and with attackers working tirelessly to find loopholes in them.

Since some exposure is inevitable, the most effective blanket mitigation under your control is to remove admin privileges from regular users and grant them only on request, for a limited time frame: an exploit running as a standard user cannot install drivers, tamper with security software or write to system directories without a further, separately patchable, elevation flaw.

Best Practices for Managing Admin Rights Securely

Here are a few best practices for managing your admin rights safely and in the most productive way for both your users and your system administrators.

#1. Nurture an environment of ‘least privilege’

Important: Please note that we encourage you to create a security stance of ‘least privileges’, but not necessarily a company culture of ‘need to know basis’. Internal transparency makes employees see beyond their own little grid, understand the purpose of their individual tasks and contribute toward the end goals more effectively. So, except the cases where you are dealing with really sensitive info, don’t fall into the trap of creating a company culture based on secrecy or your overall productivity will drop.

#2. Automate the escalation and de-escalation of admin privileges

Automation is by far the most effective way to escalate and de-escalate admin privileges for all endpoint users within the organization, without occupying most of the sys admins time with these tasks.

A reliable admin rights management tool (such as our Thor AdminPrivilege™) not only automates the process of requesting admin rights (on the user’s side) and granting or denying them (on the admin’s side), but also uses intelligence from our cybersecurity suite to flag endpoints with suspicious activity and to make endpoint quarantine easier.

#3. Make sure administrators follow up on each case unless de-escalation is automated

If you’re going to stick to manual escalation and de-escalation of admin rights, at least make sure that whenever admin privileges are granted to a user, the admins follow up and revoke them shortly afterwards.

The recommended time window is 5 to 15 minutes, which is enough for the user to install whatever software they need. We also recommend that the system administrator verifies exactly which software will be installed and where it comes from, because without automated admin rights management there is a risk of unwittingly running a tampered or trojanized installer.
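One way to make the follow-up from best practice #3 automatic without any extra tooling, as an added example that is not part of the original post and not Heimdal’s code: the script grants a user local admin rights and registers a SYSTEM scheduled task that revokes them after the chosen number of minutes. It assumes the user is passed as DOMAIN\name or COMPUTER\name (the form Get-LocalGroupMember reports), and the log path is a placeholder.

```powershell
# Added example, not from the original post: grant one user local admin rights for
# a fixed number of minutes and schedule the revocation so it does not depend on
# anyone remembering. Run from an elevated PowerShell on the endpoint itself.
# Assumptions: $User is 'DOMAIN\name' or 'COMPUTER\name'; the log path is a placeholder.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$User,          # e.g. 'CONTOSO\jdoe' (assumed name)
    [ValidateRange(1, 60)][int]$Minutes = 15,     # the post's 5-15 minute window
    [Parameter(Mandatory)][string]$Reason         # written justification, kept in the log
)

$log = 'C:\ProgramData\AdminElevation\elevation.log'        # assumed path
New-Item -ItemType Directory -Path (Split-Path $log) -Force | Out-Null
function Write-ElevationLog([string]$Message) {
    "$(Get-Date -Format o) [$env:COMPUTERNAME] $Message" | Add-Content -Path $log
}

# Nothing to time-box if the account is already an administrator; surface that instead.
if (Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -ieq $User }) {
    throw "$User is already a member of Administrators; review why before granting more."
}

$taskName = 'Revoke-Admin-' + ($User -replace '[\\/:*?"<>|]', '_')

# The revocation runs as SYSTEM so the user cannot cancel it, and it removes its own task.
# Double-quoted here-string: $User, $log and $taskName expand now; `$ stays literal for later.
$revokeScript = @"
Remove-LocalGroupMember -Group 'Administrators' -Member '$User' -ErrorAction SilentlyContinue
Add-Content -Path '$log' -Value ((Get-Date -Format o) + ' [' + `$env:COMPUTERNAME + '] REVOKE user=$User task=$taskName')
Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($revokeScript))

Add-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction Stop
Write-ElevationLog "GRANT user=$User minutes=$Minutes reason=`"$Reason`""

try {
    $when      = (Get-Date).AddMinutes($Minutes)
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $encoded"
    $trigger   = New-ScheduledTaskTrigger -Once -At $when
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    # StartWhenAvailable: if the machine is asleep or off at $when, revoke as soon as it is back.
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
                           -Principal $principal -Settings $settings -Force | Out-Null
    Write-Host "$User is a local administrator until $($when.ToString('HH:mm:ss')); task '$taskName' will revoke it."
} catch {
    # Failing to schedule the revocation must never leave a permanent admin behind.
    Remove-LocalGroupMember -Group 'Administrators' -Member $User -ErrorAction SilentlyContinue
    Write-ElevationLog "ROLLBACK user=$User reason=`"could not register revocation task: $($_.Exception.Message)`""
    throw
}
```

Usage: `.\Grant-TempAdmin.ps1 -User 'CONTOSO\jdoe' -Minutes 10 -Reason 'Install vendor VPN client'` (script name assumed). The grant is rolled back if the revocation task cannot be registered, and the log keeps the GRANT, REVOKE and ROLLBACK entries with the stated reason, which is the audit trail an admin would otherwise have to keep by hand. Note that a process the user started while elevated keeps its admin token until it exits; the revocation only affects new logons.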

#4. Make sure there are procedures in place for endpoint quarantine

What happens if an account is compromised, whether by a malicious insider or by an attacker who phished the user? Can you ensure that the account can no longer perform any action with consequences for the security of your company?

Make sure your internal policy and technical safety measures allow your system admins to de-escalate any privileges fast and then quarantine the compromised endpoint. Of course, automated admin rights management software can do that faster and more effectively, but it can also be done manually.

#5. Make sure the super-user accounts are also secured

By super-user accounts I mean the accounts of system administrators who have the privileges to install any software, access any data, escalate or de-escalate the admin rights of other users and so on.

While it’s important to have one or more system administrators to manage the rights of the other users in the organization securely, you must set in place procedures for securing their accounts as well. In the event that one of the admins has their own account hacked, how well will your organization be able to handle the crisis?

The best way to go about it is to talk with your CTO and sys-admins about establishing a crisis management procedure for exactly this scenario. Include priorities such as making each system admin’s activity visible to the other admins, having the system record their actions (leave breadcrumbs) for accountability, restricting administrative tasks from being performed remotely, and allowing the other admins to de-escalate a compromised admin account fast in case of a breach. Give each administrator a separate, MFA-protected admin account that is used only for administrative work, never for email or web browsing, so that a phished daily account does not hand over admin rights.

Wrapping it up

If you’re currently offering admin privileges to all users or some users within your organization, go review the status of these rights ASAP. Create a map of user admin privileges and a procedure for granting them. Removing admin rights by default is the bare minimum you need to do to secure your organization from critical vulnerabilities related to insider threat.
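The “map of user admin privileges” above, as an added example that is not part of the original post and not Heimdal’s code: the script asks each endpoint who is in its local Administrators group and flags every member that is not on an allow-list. It assumes PowerShell remoting (WinRM) is enabled on the endpoints and that the caller may connect to them; the hostnames and allow-list entries are placeholders.

```powershell
# Added example, not from the original post: build a map of who currently holds
# local administrator rights on each endpoint and flag anything outside an allow-list.
# Assumes WinRM is enabled and the caller can reach the hosts; names are placeholders.
$computers = @('WS-ACCT-01', 'WS-DEV-07', 'WS-HR-03')                 # assumed hostnames
$allowed   = @('CONTOSO\Domain Admins', 'CONTOSO\Endpoint-Admins')     # assumed allow-list, in the
                                                                       # DOMAIN\name form Get-LocalGroupMember reports

$memberships = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Runs on each endpoint. A nested domain group shows up as a single member; expand it
    # in AD separately if you need the individual people behind it.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $_.Name
            Type     = $_.ObjectClass        # User or Group
            Source   = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Sid      = $_.SID.Value
        }
    }
}

# The built-in local Administrator account always has RID 500. It is expected on every
# machine and should be governed by LAPS or equivalent, so it is not listed as a finding.
$findings = $memberships | Where-Object {
    -not ($allowed -contains $_.Member -or $_.Sid -like 'S-1-5-21-*-500')
}

$findings | Sort-Object Computer, Member |
    Format-Table Computer, Member, Type, Source -AutoSize
$findings | Select-Object Computer, Member, Type, Source, Sid |
    Export-Csv -Path '.\local-admins-to-review.csv' -NoTypeInformation

'{0} endpoints queried, {1} memberships found, {2} outside the allow-list' -f `
    $computers.Count, @($memberships).Count, @($findings).Count
```

Run it once to get the baseline, then on a schedule: any new row in the CSV is either an approved, time-boxed grant that should already have expired, or an elevation nobody approved. Hosts that do not answer are reported as errors by Invoke-Command and simply have no rows, so compare the queried count with the number of distinct computers in the output before trusting a clean result.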

Use specialized software for managing admin rights securely, like our Thor AdminPrivilege™. Be vigilant: trust your employees, but limit the damage a hacker could do by breaching an employee account.

Have more than one admin account and allow admins to contain the damage if one of the super-user accounts gets compromised. Stay up to date with the latest threats and practices (for example, by checking back here and reading our blog). Make sure the rest of your cybersecurity system is ready for any challenge by setting up a multi-layered approach.

Removing admin privileges is but a first step to getting more secure, but it’s an essential one. As long as you do it ASAP and create a coherent internal policy for admin rights escalation, you’re definitely on the right track!

The post Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization appeared first on Heimdal Security Blog.

Heimdal™ Security acquires BasicBytes and launches Thor AdminPrivilege™

In a move that will change the work lives of sysadmins for the better, Heimdal Security A/S has acquired BasicBytes IVS. All shares of BasicBytes are now owned by Heimdal™ Security, as part of Heimdal’s long-term strategy of changing the standard of endpoint security.
Heimdal has spotted great potential in BasicBytes’s fast-growing technology and aims to capture significant market share by offering innovative and mind-changing technologies. Heimdal™ plans to further develop the technology and will launch unique technology combinations with Endpoint security technology and Privilege Rights Management working in tandem; and is now working on Thor AdminPrivilege™, a new product for system administrators, to be launched soon.

Morten Kjaersgaard, CEO Heimdal Security details:

“While pursuing Heimdal Security’s expansion plans, AccessDirector (previously developed by BasicBytes) will be developed into AdminPrivilege™. As part of the acquisition of AccessDirector, we will expand its abilities within administrative rights management and combine it with our existing Proactive and Reactive protection technologies, to deliver a unique, highly advanced and yet simple product offering, that to the furthest extent possible will run autonomously.

We want to offer a groundbreaking change in the way system admins handle security tasks and simplify security in organizations.

Our strategy of making advanced endpoint security simple and our ambition to expand our portfolio is what made us see that BasicBytes deserved a place in the Heimdal Security family. The technologies developed by BasicBytes so far will be enhanced to the Heimdal standards and aligned with our cybersecurity agenda.

Together with AccessDirector, the following products have also been added to the Heimdal Security resource vault following the acquisition of the BasicBytes company: RunAsHandler, Easy Click Assistant and CM Tray Tools.

The first on our development roadmap is the AdminPrivilege™. This new product will first be integrated into the Heimdal Dashboard, available for the users of Thor Enterprise products. The expected release date for the new AdminPrivilege™ integration is November 2019. Until the new product is launched, the existing BasicBytes product will remain available for sale.”

How will AdminPrivilege™ work?

The new functionality will allow system admins to manage privilege permissions for users in their organization easily and securely. From the Heimdal™ Dashboard (AdminPrivilege™ tab) or on mobile, system administrators will be able to view what permissions the users in their organization are asking for and grant (or deny) their privilege requests. Furthermore, this can even be run in “Auto-mode”, so that users’ actions are logged with a full audit trail but run without individual approval of each action, even combined with the protection suite offering, so that high-risk users are blocked from escalation automatically. No more manual enabling and disabling, no more time waste: that’s the AdminPrivilege™ promise.

The level of permissions managed by AdminPrivilege™ will also be granular, stratified and complex enough to let admins maintain a secure level of control over what happens. As indicated, it will have a unique market offering, giving the option of denying requests coming from a specific endpoint in the organizational network if Thor Vigilance (Next-Gen Antivirus) or the VectorN Detection engine (Thor Foresight’s machine learning detection) has flagged that endpoint as displaying suspicious behavior over the preceding days.

AdminPrivilege™ will give granular control to user rights such as:

  • Allowing or Stopping “Run as administrator” or “Administrator Rights” privileges;
  • Specify a written reason for each permission request (or not);
  • Get permission to run their processes as admin or not;
  • Get a limited time window for admin privileges on their endpoint;

Based on all the insights provided by the other tools within the Thor Enterprise security suite, admins will be able to:

  • Remove permissions fast and quarantine the endpoint;
  • Block elevation of system files;
  • Enable email and/or Application alerts for each pending approval;
  • Enable approval via Dashboard or via mobile

The history of each user and endpoint will be securely tracked and available to view in the dashboard so that admins can keep an eye on things and potential security incidents can be better documented.

We’re eager to embark on this journey, starting from the base technology layer of our new acquisition, BasicBytes, and moving on to plenty of other applications for more granular vigilance and control over security.

“The AdminPrivilege™ functionality and dashboard is just a first step into this journey. After this launch more innovations are to follow on the Heimdal Security roadmap for the rest of 2019” – Morten Kjaersgaard, CEO of Heimdal Security.

You can read more about the new AdminPrivilege™ product here.

You can find the Danish version of this announcement here.

About Heimdal Security: Heimdal Security is an emerging cybersecurity company, founded in 2014 in Copenhagen by winners of the world ethical hacking competition Defcon CTF. Since then, the company has grown spectacularly, earning awards for both its proactive security suite (Anti-Malware Solution of the Year in 2018) and for its blog, providing intelligence to security outlets worldwide (Most Educational Security Blog in 2016).

The post Heimdal™ Security acquires BasicBytes and launches Thor AdminPrivilege™ appeared first on Heimdal Security Blog.

How to Secure your PC after a Fresh Windows Installation [Updated 2019]

You chose to install the Windows operating system on your computer or, perhaps for various technical reasons, you had to reinstall it. Whatever the reason, it’s important to add the security layers below after this procedure, so your computer is safe from threats.

How to secure your PC after a fresh Windows installation

After finishing the Windows installation, whether it’s Windows 7, 10 or another operating system, we encourage you to follow these security measures below to enhance protection:

1. Keep your Windows operating system up to date

Probably the most important step to do is checking for the latest security updates and patches available for your Windows operating system.

To make sure security updates are installed automatically:

  1. On Windows 10, open Settings, go to Update & Security > Windows Update and click Check for updates. Automatic installation is on by default; Advanced options lets you review how and when updates are delivered.
  2. On Windows 7, open Control Panel > System and Security > Windows Update, click Change settings and choose “Install updates automatically (recommended)”.

After checking for available updates, keep automatic updating turned on so that the important updates that help protect your PC against new viruses and next-generation malware are downloaded and installed as soon as they ship.

Always keep your OS up to date with the latest security fixes available. Patching remains essential to online safety, and security experts make a good case for emphasizing its importance: cybercriminals still profit from security holes in users’ systems and PCs, which is one of the reasons cyber attacks keep working and keep making them money.

2. Update your software

You don’t have to update only the Windows operating system, but your software as well. Therefore, make sure all the latest updates and security patches for your main programs and apps are installed.

Needless to say that most popular pieces of software (such as Java, Adobe Flash, Adobe Shockwave, Adobe Acrobat Reader), especially the outdated ones, are always under threat from malicious actors who exploit them to get easier access to your sensitive data.

Since these pieces of software are always under threat from criminal minds, don’t just rely on your memory to manually update every program or application you have installed.

A better option is a dedicated patch-management tool that keeps your programs up to date automatically.

3. Create a restore point

If you already installed the security updates for Windows OS, the next step recommended is to create a restore point in Windows.

You can do this by clicking on the Start button, then select Control Panel -> System and Maintenance (or System and Security) -> System. Then select System protection and click the Create button.

After installing Windows, you can create the Restore Point and name it Clean installation, and continue installing drivers and applications.

If one of the drivers causes issues on the system, you can always go back to the Clean installation restore point.

4. Install a traditional antivirus product

When you consider installing an antivirus program on your PC, make sure you use one from a legitimate company, because there can be fake software programs out there. It is important to have a reliable security solution on your system, which should include real-time scanning, automatic update, and a firewall.

To find the antivirus that suits your needs, read this ultimate guide, which explains what antivirus products do, their main features and what you should look for.

If you choose to install a security product that doesn’t have a firewall, make sure you have turned on the Windows firewall.

To turn it on, go to Control Panel, select System and Security, then Windows Defender Firewall and turn it on or off.

5. Install a proactive security solution for multi-layered protection

On our blog, we explained on many occasions why traditional antivirus is no longer the go-to solution, simply because it cannot keep up with the rise of new and advanced online threats. Financial malware especially is created to steal sensitive data and confidential information and it uses sophisticated methods to do so.

Next-gen malware usually has the ability to evade detection and bypass antivirus software that users have installed on their PCs to keep their data safe. We recommend reading these 12 examples of spam campaigns behind the scenes indicating a low detection rate for AV engines during the first stages of a cyber attack.

With the help of a proactive cybersecurity solution, you get the best protection against financial and data-stealing malware, such as Zeus or Cryptolocker.

To improve the financial control of your online banking account, you can always set banking alerts to track your account activity and apply these simple and effective financial protection tips.

6. Back up your system

You have updated the operating system and your applications, installed additional security products for your system’s safety and even created a Clean installation restore point for Windows.

The steps above are meant to keep you safe from malicious software and online threats, but you may still encounter hardware issues that could endanger your private information.

To make sure your data stays safe, you should be using a twofold strategy, which should include combining an external hard drive usage with an online backup service.

We need to emphasize the importance of having a backup solution that is stable (look for an established company), easy to use (so backing up your files is not a headache), able to synchronize your files with the online backup servers and equipped with some form of security, such as encryption.

Our guide on how to do a data backup includes more information on most popular backup solutions available and what the best ways to keep your data safe are.

At the same time, you could simply use your Windows Backup system. To set it up, access your Windows Control Panel and then click Backup and Restore to access the location. From this place, you can set an automatic backup, create a schedule and even choose a network location for your backup files.

7. Use a standard user account

Windows provides a certain level of rights and privileges depending on what kind of user account you have. You may use a standard user account or an administrator user account.

To secure your PC, it is recommended to have a standard account to prevent users from making changes that affect everyone who uses the computer, such as deleting important Windows files necessary for the system.

With a Standard user account, you have limited rights and cannot do things like changing system settings, or installing new software apps, hardware or changing the username and passwords. Here’s why you should use an account like this one and how to create it.

If you want to install an application or make security changes, remember that you will need an administrator account.

We also recommend that you set a strong password for your Windows user account.

Use this security guide that will help you set unique and strong passwords and manage them like an expert.

Top Security Tip:
Using a standard account ensures that a piece of malware infecting a limited-user account won’t do as much damage as one infecting an administrator account.

8. Keep your User Account Control enabled

User Account Control (UAC) is an essential security feature of Windows that prevents unauthorized changes to the operating system. Many users have the tendency to disable it after installing or reinstalling Windows.

We don’t recommend turning it off. Instead of disabling UAC, you can lower the notification level with the slider in the Control Panel.

UAC monitors what changes are about to be made to your computer. When an important change is requested, such as installing or removing a program, UAC pops up and asks for administrator-level permission.

If your user account is infected with malware, UAC helps by stopping suspicious programs from silently making changes to the system. Keep in mind, though, that Microsoft does not treat UAC as a security boundary; the standard account from step 7 is what actually limits the damage, and UAC’s job is to stop silent elevation in an administrator’s session.
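Steps 7 and 8 in practice, as an added example that is not part of the original post and not Heimdal’s code: the script creates a standard account for daily use, confirms it is not an administrator, shows whether the current session is elevated, and reads the UAC settings from the registry, re-enabling UAC if it has been switched off. The account name is a placeholder; run it once from an elevated PowerShell.

```powershell
# Added example, not from the original post: create a standard (non-admin) account
# for daily use, then verify the account and the UAC configuration.
# Run once from an elevated prompt. 'daily' is an assumed account name.
#Requires -RunAsAdministrator

$name = 'daily'                                              # assumed account name
$password = Read-Host -AsSecureString "Password for $name"   # never hard-code a password in a script

if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $password -Description 'Standard account for daily use' | Out-Null
}
# New-LocalUser does not put the account in any group; 'Users' gives it a standard token.
# It is deliberately NOT added to 'Administrators'.
Add-LocalGroupMember -Group 'Users' -Member $name -ErrorAction SilentlyContinue

# Confirm the new account is not an administrator (names come back as COMPUTER\name).
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$name" })
"Account '$name' is a local administrator: $isAdmin"

# Is the *current* process running with an elevated (administrator) token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session elevated: $elevated"

# UAC lives here. EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin: 5 (default) prompts
# for non-Windows binaries, 2 prompts for everything on the secure desktop, 0 elevates silently
# (never use 0). PromptOnSecureDesktop=1 keeps the prompt on the dimmed, isolated desktop.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
[pscustomobject]@{
    UacEnabled          = ($uac.EnableLUA -eq 1)
    AdminPromptBehavior = $uac.ConsentPromptBehaviorAdmin
    SecureDesktopPrompt = ($uac.PromptOnSecureDesktop -eq 1)
} | Format-List

if ($uac.EnableLUA -ne 1) {
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1
    Write-Warning 'UAC was disabled and has been re-enabled; a reboot is required for it to take effect.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5
    Write-Warning 'UAC was set to elevate silently; restored the default prompt behavior.'
}
```

After this, sign in as the new standard account for everyday work and keep the original administrator account only for installs and settings changes. The elevation check is the same test any installer or malware effectively faces: in the standard account it reports False, and nothing in that session can change system files without a UAC prompt for an administrator’s credentials.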

9. Secure your web browser before going online

Here’s another thing to do after installing Windows: pay attention to browser security. Since our web browser is the main tool used to access the Internet, it is important to keep it safe before going online.

The vulnerabilities in your web browser are like open door invitations to cybercriminals who find creative ways to harvest your most important data. For example, if you are using Adobe Flash, be aware of its security flaws and how it can expose you to attacks.

To stay safe while accessing various web pages, follow these steps:

  1. Choose the latest version for your browser.
  2. Keep it updated.
  3. Use a private browsing window for sites you are not sure about. It discards cookies and history when you close it, so a session there cannot be reused later, but it does nothing against a page that exploits the browser itself.
  4. Since data-stealing malware spreads through malicious code embedded in pop-up windows, even on legitimate websites, make sure your web browser blocks pop-ups.

And there’s, even more, you can do. Use these step-by-step instructions to enjoy the best secure browsing.

10. Use an encryption software tool for your hard drive

Even if you set a password to your Windows account, malicious actors can still get unauthorized access to your private files and documents. They can do this by simply booting into their own operating system – Linux, for example – from a special disc or USB flash drive.

A solution for this case is to encrypt your hard drive and protect all your sensitive files. It is especially recommended if you have a laptop, which can be very easily stolen, but the same applies to a desktop.

A free encryption tool you can use is BitLocker, which is built into the Pro, Enterprise and Education editions of Windows (the Home edition offers only the more limited “device encryption” on supported hardware). On a machine with a TPM, the drive unlocks during boot and you sign in with your normal Windows password as before, so day to day you won’t notice any difference. Save the recovery key somewhere other than the encrypted drive (a printout, a USB stick kept separately, or your Microsoft or Active Directory account), because without it a forgotten password or a replaced motherboard means the data is gone. The benefits of using this encryption tool:

  • It encrypts the entire drive, so someone who steals your laptop cannot simply pull out the disk and read your files from another machine.
  • It protects you just as well if you lose the PC or laptop rather than having it stolen.
  • It is easy to use and already integrated into Windows, so there’s no need to install another encryption tool.

If you’d rather want to use another solution, here’s a full list of encryption software tools you can choose to protect your data.
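Steps 1, 3, 4 and 10 as one post-install check, an added example that is not part of the original post and not Heimdal’s code. It runs in Windows PowerShell 5.1 from an elevated prompt on Windows 10, turns on the firewall profiles that are off, creates the “Clean installation” restore point, and reports the Windows Update, Defender and BitLocker state; the BitLocker step only reports, because enabling it is a deliberate action that needs the recovery key saved first.

```powershell
# Added example, not from the original post: a post-install check covering updates,
# the restore point, the firewall, Defender real-time protection and BitLocker.
# Windows PowerShell 5.1, elevated, on Windows 10 (Checkpoint-Computer is not in PowerShell 7).
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. Windows Update: the service must not be disabled, and the newest hotfix date tells you
#    whether updates have actually been applied on this install.
$wu = Get-Service -Name wuauserv
$report['WindowsUpdateService'] = "$($wu.Status) (StartType=$($wu.StartType))"
$newest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['NewestHotfix'] = if ($newest) { "$($newest.HotFixID) on $($newest.InstalledOn.ToShortDateString())" } else { 'none recorded' }

# 3. Restore point: System Protection must be on for the system drive before a point can be made.
#    Windows allows one restore point per 24 hours by default; a second attempt only warns.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Clean installation' -RestorePointType MODIFY_SETTINGS
$report['RestorePoints'] = (Get-ComputerRestorePoint | Measure-Object).Count

# 4. Firewall: Domain, Private and Public profiles must all be enabled; fix any that are not.
$profiles = Get-NetFirewallProfile
$profiles | Where-Object { -not $_.Enabled } | Set-NetFirewallProfile -Enabled True
$report['FirewallProfiles'] = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '

# 4. Antivirus: Defender (or the product registered in its place) with real-time protection on
#    and signatures that are not stale.
$mp = Get-MpComputerStatus
$report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
$report['SignatureAgeDays']   = $mp.AntivirusSignatureAge

# 10. BitLocker on the OS drive: report only; turning it on is a deliberate step.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report['BitLocker'] = "Protection=$($bl.ProtectionStatus), Volume=$($bl.VolumeStatus), Encrypted=$($bl.EncryptionPercentage)%"
if ($bl.ProtectionStatus -ne 'On') {
    Write-Warning ("BitLocker is not protecting $env:SystemDrive. Save a recovery key first, then enable it:`n" +
        "  Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector`n" +
        "  Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector")
}

[pscustomobject]$report | Format-List
```

Read the output as a checklist: a stopped or disabled update service, any firewall profile reported False before the fix, RealTimeProtection False, a signature age in the double digits, or a BitLocker line that is not Protection=On each point at one of the steps above that still needs doing. The two BitLocker commands in the warning create the recovery-password protector first so that the key exists before the TPM protector starts encrypting.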

11. Be careful online and don’t click on suspicious links

To make sure you won’t be infected by clicking on dangerous links, hover the mouse over the link to see whether it points to a legitimate location. If you were supposed to reach your favorite news website, such as “www.cnn.com”, but the link indicates “hfieo88.net”, then you probably shouldn’t access it. Chances are you’ll be infected with malware and cybercriminals will steal your sensitive data.

Link-shortening services such as goo.gl or tinyurl are convenient, but they hide the real destination, so an unknown shortened link may send you to a malicious site that installs malware on the system.

So, how can you know where you’ll arrive if you click it?

To make sure you are going in the right direction, use a free tool such as Redirect Detective, which lets you see the complete path of a redirected link. Another tool that can prove very helpful in checking suspicious links is the reliable URL checker VirusTotal.
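The same redirect-path check done locally, as an added example that is not part of the original post and not Heimdal’s code: the function requests a URL one hop at a time with automatic redirects switched off and records every intermediate address, so a shortened or “friendly” link reveals each host it bounces through before the final page. The sample URL is a placeholder, and the function only sends HEAD requests, so it fetches no page content.

```powershell
# Added example, not from the original post: walk a link's redirect chain hop by hop.
# Works in Windows PowerShell 5.1 and PowerShell 7; only HEAD requests are sent.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-RedirectChain {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$MaxHops = 10                      # a chain longer than this is suspicious by itself
    )
    $hops    = New-Object System.Collections.Generic.List[object]
    $current = [Uri]$Url

    for ($i = 0; $i -le $MaxHops; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($current)
        $req.Method            = 'HEAD'
        $req.AllowAutoRedirect = $false       # stop at each hop instead of following it silently
        $req.Timeout           = 10000
        $req.UserAgent         = 'Mozilla/5.0 (redirect-check)'

        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx arrive as exceptions but still carry the response; DNS/TLS failures do not.
            $resp = $_.Exception.Response
            if (-not $resp) {
                $hops.Add([pscustomobject]@{ Hop = $i; Url = $current.AbsoluteUri; Status = 'error'; Next = $_.Exception.Message })
                break
            }
        }

        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $resp.Close()

        # Location may be relative; resolve it against the URL that returned it.
        $next = if ($location) { ([Uri]::new($current, $location)).AbsoluteUri } else { $null }
        $hops.Add([pscustomobject]@{ Hop = $i; Url = $current.AbsoluteUri; Status = $status; Next = $next })

        if ($status -lt 300 -or $status -ge 400 -or -not $next) { break }   # final page or an error: stop
        $current = [Uri]$next
    }
    return $hops
}

# Usage (placeholder URL): each row is one hop; compare the last Url and its host with
# where you expected to land before you open the link in a browser.
Get-RedirectChain -Url 'https://tinyurl.com/example-link' | Format-Table Hop, Status, Url, Next -AutoSize
```

A chain that ends at the host you expected, with 301/302 hops on known shortener domains in between, is normal; one that passes through an unfamiliar host, or never settles within the hop limit, is the “hfieo88.net” case from above and deserves a look in VirusTotal before clicking. Some servers refuse HEAD with a 405; for those, change the method to GET and accept that the first bytes of the page will be requested.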

For more information on how to maximize your financial data protection, check out this article.

Conclusion

It’s not just about staying safe.

The guide above is meant to keep you safe online. But at the same time, following these security measures means that you also set up your system to work smoothly for the online browsing and financial operations you carry out every day.

Since there are many other solutions to protect a system after a Windows installation, we would like to know your opinion on this.

How do you increase your security after a Windows installation?
Do you have a particular routine?
We’d love to add your tips to the list, so share them in the comments below.

The post How to Secure your PC after a Fresh Windows Installation [Updated 2019] appeared first on Heimdal Security Blog.