<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Arellia</title>
	<atom:link href="http://www.arellia.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.arellia.com</link>
	<description>Privilege Management, Desktop Lockdown, Security Remediation</description>
	<lastBuildDate>Tue, 18 Jun 2013 18:19:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=434</generator>
		<item>
		<title>Administrator Account Discovery</title>
		<link>http://www.arellia.com/2013/05/08/administrator-account-discovery/</link>
		<comments>http://www.arellia.com/2013/05/08/administrator-account-discovery/#comments</comments>
		<pubDate>Wed, 08 May 2013 17:55:31 +0000</pubDate>
		<dc:creator>Mike Murphy</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3951</guid>
		<description><![CDATA[<p>One of the most dangerous threats to IT security is abuse of privileged access. Preventing the exploitation of administrator privileges first requires knowledge of who has administrator access whether local or domain based. This is not only good practice, but also driven by many security standards. One such security compliance standard is the Payment Card Industry Data Security Standard (PCI ...</p><p>The post <a href="http://www.arellia.com/2013/05/08/administrator-account-discovery/">Administrator Account Discovery</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2013/05/bigstock-Discovery-39404122.jpg"><img src="http://www.arellia.com/wp-content/uploads/2013/05/bigstock-Discovery-39404122-300x196.jpg" alt="Administrator Account Discovery" width="300" height="196" class="alignnone size-medium wp-image-3952" /></a></p>
<p>One of the most dangerous threats to IT security is abuse of privileged access. Preventing the exploitation of administrator privileges first requires knowledge of who has administrator access whether local or domain based. This is not only good practice, but also driven by many security standards.</p>
<p>One such security compliance standard is the Payment Card Industry Data Security Standard (PCI DSS) which outlines many security requirements to protect consumers’ credit card data. Requirement 8.5.1 states: <b>Control addition, deletion, and modification of user IDs, credentials, and other identifier objects,</b> which clearly identifies the need to monitor and maintain control of the administrators group.</p>
<p>The Center for Internet Security (CIS) releases security configuration guidelines for each operating system. For Windows 7, section 1.8 defines User Rights and who should have access to certain system capabilities. The key to the user rights defined by CIS is which users are in the administrators group. Similar to the CIS security configuration guidelines, the United States Government Configuration Baseline (USGCB) also defines several security rules around user rights.</p>
<p>Domain administrator accounts in a Windows Active Directory environment are often the main focus for account auditing. This can be a good starting point, as Domain Admins have access to GPO policies, domain utilities, and many assets because they are often members of local administrator groups. One of the challenges in monitoring domain groups is quickly and regularly identifying who has access, given nested groups and frequent account changes. Nested groups can be problematic because one must identify accounts that have access via a group that is itself granted access through membership in another Active Directory group. Additions and deletions of accounts can occur frequently and be missed by manual audits.</p>
<p>Unfortunately, administrator access auditing is too often focused on Active Directory resources and fails to look at administrator access on individual systems. This is understandable, as local systems can require a lot of time to audit without a scalable and automated tool. Too often, systems share the same local administrator account name and password, making it easy for someone to access any system if they know the credentials. This can also happen through malicious intrusions if local account passwords are cracked and those credentials are used to access other systems. Finally, there is the challenge of administrators or end users creating additional local administrator accounts, exposing those systems to unapproved access.</p>
<p>If regular administrator account discovery does not happen, there is no way of knowing if users have added either themselves or others to the administrators group. Not knowing the current status of the administrator access can lead to failed security audits and risk privilege exploitation.</p>
<p>Arellia <a href="http://www.arellia.com/products/local-security-solution/">Local Security Solution</a> enables IT administrators to monitor local users/groups and domain users/groups as well as domain group auditing. Arellia can also assist IT administrators in maintaining compliance by continually enforcing group membership. By using administrator group discovery, membership enforcement, and <a href="http://www.arellia.com/2013/04/30/password-strength-standards/">randomizing the local administrator password</a>, organizations are compliant with security standards and secure against security threats.</p>
<p>The post <a href="http://www.arellia.com/2013/05/08/administrator-account-discovery/">Administrator Account Discovery</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/05/08/administrator-account-discovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Strength Standards</title>
		<link>http://www.arellia.com/2013/04/30/password-strength-standards/</link>
		<comments>http://www.arellia.com/2013/04/30/password-strength-standards/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 15:48:35 +0000</pubDate>
		<dc:creator>Tyler Kussee</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3930</guid>
		<description><![CDATA[<p>Password strength is a core component of many security standards. There are many different regulatory standards available to IT administrators that provide specific guidance for password strength. These standards include USGCB, FDCC, PCI-DSS and NERC. The password length, cycle time, and complexity requirements of these standards vary widely. Here’s a look at just a few of the standards ...</p><p>The post <a href="http://www.arellia.com/2013/04/30/password-strength-standards/">Password Strength Standards</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2013/04/bigstock-Internet-Security-37391854.jpg"><img alt="Password Strength Standards" src="http://www.arellia.com/wp-content/uploads/2013/04/bigstock-Internet-Security-37391854-300x200.jpg" width="300" height="200" /></a></p>
<p>Password strength is a core component of many security standards. There are many different regulatory standards available to IT administrators that provide specific guidance for password strength. These standards include USGCB, FDCC, PCI-DSS and NERC. The password length, cycle time, and complexity requirements of these standards vary widely. Here’s a look at just a few of the standards for password strength.</p>
<table width="646" border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" nowrap="nowrap" width="77"><b>Standard</b></td>
<td valign="top" nowrap="nowrap" width="88"><b>Length</b></td>
<td valign="top" nowrap="nowrap" width="109"><b>Cycle Time</b></td>
<td valign="top" nowrap="nowrap" width="220"><b>Complexity</b></td>
<td valign="top" nowrap="nowrap" width="152"><b>Standard Requirements</b></td>
</tr>
<tr>
<td valign="top" nowrap="nowrap" width="77">USGCB</td>
<td valign="top" nowrap="nowrap" width="88">12 Characters</td>
<td valign="top" nowrap="nowrap" width="109">60 Days</td>
<td valign="top" nowrap="nowrap" width="220">Alpha (Upper &amp; Lower) &amp; Numeric</td>
<td valign="top" width="152">CCE-9357-5, CCE-9193-4, CCE-9370-8 (Win7) &amp; CCE-2981-9, CCE-2439-8, CCE-2735-9 (WinXP)</td>
</tr>
<tr>
<td valign="top" nowrap="nowrap" width="77">FDCC</td>
<td valign="top" nowrap="nowrap" width="88">12 Characters</td>
<td valign="top" nowrap="nowrap" width="109">60 Days</td>
<td valign="top" nowrap="nowrap" width="220">Alpha (Upper &amp; Lower) &amp; Numeric</td>
<td valign="top" width="152">CCE-9357-5, CCE-9193-4, CCE-9370-8 (Win7) &amp; CCE-2981-9, CCE-2439-8, CCE-2735-9 (WinXP)</td>
</tr>
<tr>
<td valign="top" nowrap="nowrap" width="77">PCI-DSS</td>
<td valign="top" nowrap="nowrap" width="88">7 Characters</td>
<td valign="top" nowrap="nowrap" width="109">90 Days</td>
<td valign="top" nowrap="nowrap" width="220">Alpha &amp; Numeric</td>
<td valign="top" nowrap="nowrap" width="152">8.5.9, 8.5.10, 8.5.11</td>
</tr>
<tr>
<td valign="top" nowrap="nowrap" width="77">NERC</td>
<td valign="top" nowrap="nowrap" width="88">6 Characters</td>
<td valign="top" nowrap="nowrap" width="109">At least annually</td>
<td valign="top" nowrap="nowrap" width="220">Alpha &amp; Numeric &amp; Special</td>
<td valign="top" nowrap="nowrap" width="152">R5.3.1, R5.3.2, R5.3.3</td>
</tr>
</tbody>
</table>
<p>As we can see, some computer security standards require passwords to be only 6 or 7 characters long and allow them to be cycled infrequently. Weak standards for password length and complexity make it easy for passwords to be compromised quickly with today’s password cracking tools and high performance computers. Infrequent password cycling means that cracked passwords may be available for hackers to use for weeks or months. For example, a password meeting the NERC password standards can be easily cracked because hackers are given a year to attack a relatively short password and then have the remaining time before the next password cycling to exploit that machine using the cracked password.</p>
<p>A further vulnerability is common accounts with shared passwords. Often this comes in the form of the local administrator account which has the same name and password for all or many other systems in an organization. Should this password be cracked, it becomes easy to move from system to system using that common credential.</p>
<p>Standards often must be met to meet compliance requirements, but organizations shouldn’t stop there. Password strength should be set in a manner that will prevent easy cracking: see Arellia’s previous article on <a href="http://www.arellia.com/2012/03/13/password-strength-age-consideration/">Password Strength and Age Considerations</a> for some insights on setting a strong password. Furthermore, shared passwords should be eliminated to limit potential password cracking exploits. Arellia addresses these and other privileged user challenges with <a href="http://www.arellia.com/products/local-security-solution/">Arellia Local Security Solution</a>.</p>
<p>The post <a href="http://www.arellia.com/2013/04/30/password-strength-standards/">Password Strength Standards</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/04/30/password-strength-standards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Monitoring with Application Whitelisting</title>
		<link>http://www.arellia.com/2013/04/05/monitoring-application-whitelisting/</link>
		<comments>http://www.arellia.com/2013/04/05/monitoring-application-whitelisting/#comments</comments>
		<pubDate>Fri, 05 Apr 2013 16:52:04 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3684</guid>
		<description><![CDATA[<p>Application whitelisting software is often perceived as an all-or-nothing approach to application security. That perception is unfortunate, because there is great benefit in using application whitelisting software to identify and monitor untrusted applications, providing greater visibility into what is occurring in an enterprise. Application whitelisting is usually thought of as allowing good software to run and blocking everything else. The good or trusted software can ...</p><p>The post <a href="http://www.arellia.com/2013/04/05/monitoring-application-whitelisting/">Security Monitoring with Application Whitelisting</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignnone  wp-image-3688" style="border: 0px none;" title="Application Whitelisting and Monitoring" alt="Monitoring with Application Whitelisting" src="http://www.arellia.com/wp-content/uploads/2013/04/Monitoring.jpg" width="346" height="259" /></p>
<p><a href="http://www.arellia.com/products/application-control-solution/windows-application-whitelisting-software/what-is-whitelisting/">Application whitelisting software</a> is often perceived as an all-or-nothing approach to application security. That perception is unfortunate, because there is great benefit in using application whitelisting software to identify and monitor untrusted applications, providing greater visibility into what is occurring in an enterprise.</p>
<p>Application whitelisting is usually thought of as allowing good software to run and blocking everything else. The good or trusted software can be established through reference systems, digital certificates, inventoried software packages, and many other methods. Typically the next step is to blacklist or deny execution to everything else. However, there are other methods, such as Arellia’s Orangelisting<sup>TM </sup>where applications are restricted, <span style="text-decoration: underline;">or</span> one could simply monitor the exceptions. The challenge with blacklisting exceptions is that organizations often don’t know all of the applications in their environment and could potentially disrupt their end users’ ability to work. Monitoring provides an option that gives insight into what applications are executing, from which decisions can be made about whether those applications are appropriate.</p>
<p>With monitoring, there are a few things to observe. What applications are out there that I don’t trust? This could be open source or free software that users use to do their jobs. This could be individually purchased software that a department or individual is using. This could be an advanced persistent threat that is starting to creep into an organization. By first identifying the applications that are in an environment and the details around that application (vendor, digital certificate, etc.), one can begin to understand what is occurring and if that application has some concerning attributes.</p>
<p>Second to identification of untrusted applications is measuring how often the application is running. With executions, there are two key metrics: frequently executed programs and infrequently executed programs. With frequently executed applications, you will see software that is being used in your organization that you may not have known about. It could be a software package whose licensing you may want to validate, or it could be a malicious program that is spreading across the organization. Infrequently executed applications are also very interesting, as they may indicate an advanced threat. Advanced threats may infiltrate one computer and hop to a high value asset such as a database server. These infrequently executed applications deserve to be investigated.</p>
<p>Finally, the ability to see where an application is executing is paramount. An advanced threat may have a name and attributes that make it appear to be a legitimate application. The infrequent execution may raise some concern. Finding that the application executed on a laptop and then the database server should be a red flag that something isn’t right.</p>
<p>Parsing the data from exception applications can be managed by making decisions based on the monitoring information. If an application is deemed trusted or allowed, put it in a whitelist or separate monitoring policy and continue to focus the analysis on everything else. Segmenting application monitoring data allows better focus on potential threats.</p>
<p>Application whitelisting software is a great tool for security monitoring. By implementing these practices, an organization can achieve better security even if blacklisting is never implemented. <a href="http://www.arellia.com/products/application-control-solution/">Arellia Application Control Solution</a> can be used to accomplish monitoring and bring new insights on applications in an organization.</p>
<p>The post <a href="http://www.arellia.com/2013/04/05/monitoring-application-whitelisting/">Security Monitoring with Application Whitelisting</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/04/05/monitoring-application-whitelisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Whitelisting Best Practices: Trusted Digital Certificates</title>
		<link>http://www.arellia.com/2013/03/27/windows-application-whitelisting-dig-cert/</link>
		<comments>http://www.arellia.com/2013/03/27/windows-application-whitelisting-dig-cert/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 21:48:41 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3656</guid>
		<description><![CDATA[<p>Application whitelisting by digital certificates is an efficient method to trust applications that are digitally signed with one or more certificates. This method can make it easy for organizations to trust internally developed applications without having to individually add applications to a whitelist. It can also be an effective method for trusting third-party software applications without requiring individual application file ...</p><p>The post <a href="http://www.arellia.com/2013/03/27/windows-application-whitelisting-dig-cert/">Application Whitelisting Best Practices: Trusted Digital Certificates</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2013/03/Digital-Certificate.png" target="_blank"><img class="alignnone size-medium wp-image-3657" style="border: 1px solid black;" alt="Application Whitelisting by Digital Certificate" src="http://www.arellia.com/wp-content/uploads/2013/03/Digital-Certificate.png" width="294" height="350" /></a></p>
<p>Application whitelisting by digital certificates is an efficient method to trust applications that are digitally signed with one or more certificates. This method can make it easy for organizations to trust internally developed applications without having to individually add applications to a whitelist. It can also be an effective method for trusting third-party software applications without requiring individual application file management.</p>
<p><b>Best Practices</b></p>
<p><a href="http://www.arellia.com/products/application-control-solution/">Arellia Application Control Solution</a> makes it easy to whitelist applications that are signed with certificates. As part of the application inventory process, digital certificates will be identified with correlating information on what application files are signed. This information can be reviewed in a report to determine what certificates should be trusted. Be aware that vendors will often use multiple certificates so it may require having more than one certificate trusted to include all applications from that vendor in a whitelist.</p>
<p>A good example of where application whitelisting by certificate is useful is internally developed applications. Many organizations have developed internal applications that are used throughout an enterprise. If an organization takes the additional step of signing its internal applications, all current and future signed applications can be automatically whitelisted by simply adding the certificate to a whitelist policy.</p>
<p><b>Considerations</b></p>
<p>Application whitelisting by certificates tends to be an all-or-nothing method. If a certificate is added to a whitelist policy, all applications that are signed with that certificate will be automatically whitelisted. This can be a good thing in the case of internally developed applications, where simply signing an application means it will be whitelisted. It can be problematic if there are applications, signed with the same certificate, that are not meant to be whitelisted. In those scenarios, a different methodology such as reference system whitelisting, whitelisting by file package, or exclusion/inclusion criteria with digitally signed applications should be considered.</p>
<p>Finally, in this age of compromised trust authorities, one should be careful about what digital certificates are whitelisted and those certificates should be periodically reviewed and updated before they expire.</p>
<p><iframe width="500" height="281" src="http://www.youtube.com/embed/XMjlHgD_pVA?feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>The post <a href="http://www.arellia.com/2013/03/27/windows-application-whitelisting-dig-cert/">Application Whitelisting Best Practices: Trusted Digital Certificates</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/03/27/windows-application-whitelisting-dig-cert/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Endpoint Security and the Australian DSD’s Top 4 Mitigating Strategies</title>
		<link>http://www.arellia.com/2013/03/08/endpoint-security-dsd-top-4/</link>
		<comments>http://www.arellia.com/2013/03/08/endpoint-security-dsd-top-4/#comments</comments>
		<pubDate>Fri, 08 Mar 2013 13:00:01 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3558</guid>
		<description><![CDATA[<p>At RSA’s 2013 Conference in San Francisco last week, there were references to the Australian Defence Signals Directorate’s (DSD) top 4 mitigating strategies and their ability to protect against 85% of cyber intrusions. The top 4 strategies are worth considering to improve endpoint security in any organization. For those who are not familiar with it, the Defence Signals Directorate (DSD) “provides foreign ...</p><p>The post <a href="http://www.arellia.com/2013/03/08/endpoint-security-dsd-top-4/">Endpoint Security and the Australian DSD’s Top 4 Mitigating Strategies</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2013/03/Australia-DSD.jpg"><img class="alignnone size-full wp-image-3560" alt="Australia DSD" src="http://www.arellia.com/wp-content/uploads/2013/03/Australia-DSD.jpg" width="384" height="131" /></a></p>
<p>At RSA’s 2013 Conference in San Francisco last week, there were references to the Australian Defence Signals Directorate’s (DSD) top 4 mitigating strategies and their ability to protect against 85% of cyber intrusions. The top 4 strategies are worth considering to improve endpoint security in any organization.</p>
<p>For those who are not familiar with it, the Defence Signals Directorate (DSD) “provides foreign signals intelligence, known as Sigint, to the Australian Defence Force and Australian Government to support military and strategic decision-making.” The DSD is similar to the United States National Security Agency.</p>
<p>The DSD top 4 mitigating strategies are:</p>
<ol>
<li>Use application whitelisting to help prevent malicious software and other unapproved programs from running</li>
<li>Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers</li>
<li>Patch operating system vulnerabilities</li>
<li>Minimize the number of users with administrative privileges.</li>
</ol>
<p><b>Application Whitelisting</b></p>
<p>Application whitelisting provides an approach to more effectively block many malicious threats. The benefits come when properly configured whitelisting software is implemented on endpoints. The result is that untrusted processes are denied execution or restricted in a manner that prevents them from doing damage to other applications or the operating system.</p>
<p><b>Patch Applications and Operating Systems</b></p>
<p>Patch management is a well-accepted practice for most organizations. Most malware exploits vulnerabilities in software. Those software vulnerabilities are easily eliminated by patching, and this has been a best practice for years. The need to patch continues to expand from operating systems to applications such as Adobe Flash, Adobe Reader, and browsers as malware looks for new entry points.</p>
<p><b>Minimize Administrator Privileges</b></p>
<p>The fourth item of the DSD top 4 is the limitation of administrator privileges. Too many users run or compute with administrator accounts. When an exploit occurs, malware often runs in the context of the user, and if the user has an administrator account, the malware runs with administrator privileges. By limiting administrator privileges for users and applications, one can minimize the impact that malicious software would have on a system.</p>
<p>Arellia’s focus on application whitelisting, privilege management, and configuration security aligns very closely with the DSD top 4, resulting in better endpoint security. Using <a href="http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm">Arellia Endpoint Security Suite</a>, organizations can apply whitelisting, minimize administrator privileges, and apply many other mitigations in DSD’s broader top 35 mitigating strategies.</p>
<p>The post <a href="http://www.arellia.com/2013/03/08/endpoint-security-dsd-top-4/">Endpoint Security and the Australian DSD’s Top 4 Mitigating Strategies</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/03/08/endpoint-security-dsd-top-4/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 Reasons To Remove Administrator Rights</title>
		<link>http://www.arellia.com/2013/02/28/top-5-to-remove-administrator-rights/</link>
		<comments>http://www.arellia.com/2013/02/28/top-5-to-remove-administrator-rights/#comments</comments>
		<pubDate>Thu, 28 Feb 2013 12:00:00 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3546</guid>
		<description><![CDATA[<p>In previous articles, we discussed why users want administrator rights and why they need them. Now let’s explore why they shouldn’t have them. In today’s increasingly dangerous threat landscape, every organization’s security strategy should include the goal to remove administrator rights. Here are the reasons. Zero-Day Threat Protection: Arellia research has proven that running with reduced privileges can mitigate a ...</p><p>The post <a href="http://www.arellia.com/2013/02/28/top-5-to-remove-administrator-rights/">Top 5 Reasons To Remove Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/wp-content/uploads/2013/02/Top-5-Reasons-to-Remove-Admin-Rights.png"><img class="alignnone  wp-image-3547" style="border: 0px none;" alt="Top 5 Reasons to Remove Admin Rights" src="http://www.arellia.com/wp-content/uploads/2013/02/Top-5-Reasons-to-Remove-Admin-Rights.png" width="399" height="249" /></a></p>
<p>In previous articles, we discussed why users want administrator rights and why they need them. Now let’s explore why they shouldn’t have them. In today’s increasingly dangerous threat landscape, every organization’s security strategy should include the goal to remove administrator rights. Here are the reasons.</p>
<ol>
<li><b>Zero-Day Threat Protection: </b>Arellia <a href="http://www.arellia.com/2013/02/01/2012-vulnerabilities-privilege-management/">research</a> has proven that running with reduced privileges can mitigate a majority of software vulnerabilities in Microsoft, Adobe, and Mozilla products. Any vulnerability has the potential to be a zero-day, meaning it is exploited before the vendor or security vendors know about it and have a chance to stop exploits with patches or antivirus/intrusion prevention signatures. Running software with reduced privileges protects commonly used software when it is exploited through vulnerabilities that take advantage of the privileges of the running user.</li>
<li><b>Regulatory Compliance: </b>When an organization does not remove administrator rights, users can change system settings, which affects compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.</li>
<li><b>System Stability: </b>Every time a user adds a new piece of software, installs a driver, or changes a setting, the stability of the system is affected. Forrester Consulting published a paper in 2009 finding that 1 out of 7 helpdesk calls were due to users corrupting their system with unauthorized software. If you can take away the user’s ability to make changes, systems will be more stable.</li>
<li><b>License Compliance: </b>The Business Software Alliance (BSA) estimates that 1 in 5 pieces of software in the United States are unlicensed. When users have full control over what is installed on their computers, there is nothing to prevent them from intentionally or unintentionally using unlicensed software. In the BSA’s 2010 Piracy Study, they noted, “Many PC users lack a clear understanding of whether common ways of acquiring software are legal or illegal, especially in high-piracy markets.”</li>
<li><b>Cost Savings: </b>This reason is as much of a summary of all previous reasons as it is a reason alone. Successful vulnerability exploits often result in lost time, intellectual property, productivity, brand value and customers’ trust. System instability results in lost productivity. Lack of license compliance can result in unbudgeted expenses not to mention costly fines.</li>
</ol>
<p>An organization most commonly removes administrator rights by moving users from an administrator account to a standard user account. This can create problems with applications that require administrator rights. Some benefits can be achieved by, or only with, removing rights from applications using a privilege management tool.</p>
<p>Arellia <a href="http://www.arellia.com/products/local-security-solution/">Local Security Solution</a> and <a href="http://www.arellia.com/products/application-control-solution/">Application Control Solution</a> help organizations find users with administrator accounts, find applications that require administrator rights, transition users to standard accounts and elevate applications that require administrator rights, and remove privileges from applications to mitigate vulnerability exploits. The end result is improved protection, compliance, and stability with decreased liability and costs.</p>
<p>The post <a href="http://www.arellia.com/2013/02/28/top-5-to-remove-administrator-rights/">Top 5 Reasons To Remove Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/02/28/top-5-to-remove-administrator-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 Reasons Why Users Need Administrator Rights</title>
		<link>http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/</link>
		<comments>http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/#comments</comments>
		<pubDate>Fri, 22 Feb 2013 13:00:01 +0000</pubDate>
		<dc:creator>Mike Murphy</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3439</guid>
		<description><![CDATA[<p>In the last blog article we discussed the top 5 reasons why users want administrator privileges. In this article we will discuss the top 5 reasons why a user actually NEEDS administrator rights. Here are the top 5 reasons: System Utilities: many of the control panel applications require administrator rights including driver installation, disk defragmenter, and backing up the. System ...</p><p>The post <a href="http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/">Top 5 Reasons Why Users Need Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img src="http://www.arellia.com/wp-content/uploads/2013/02/Top-5-Reasons-for-Admin-Rights-300x192.png" alt="Top 5 Reasons for Admin Rights" width="300" height="192" class="alignnone size-medium wp-image-3444" /><br />
In the last blog article we discussed the <a href="http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/">top 5 reasons why users want administrator privileges</a>. In this article we will discuss the top 5 reasons why a user actually NEEDS administrator rights. Here are the top 5 reasons:</p>
<ol>
<li>System Utilities: many of the control panel applications require administrator rights including driver installation, disk defragmenter, and backing up the.</li>
<li>System Settings: changing system settings such as the date/time or network configuration settings requires administrator privileges.</li>
<li>Software Installation: software that tries to install into the Program Files or Windows directory needs administrator rights to do so.</li>
<li>Software Updates: application updaters require administrator rights in order to make changes to the applications in the Program Files directory. This includes updaters for Adobe, Java, and iTunes.</li>
<li>Legacy or Poorly Coded Software: some applications simply require administrator rights to run normally.</li>
</ol>
<p>The reasons listed above may or may not be good reasons for why users need administrator rights; however, those reasons usually lead to users being granted administrator rights, and granting those rights creates a huge threat to IT security as well as increased manageability costs. Most companies are left in a bind: do they remove administrator rights and limit the productivity of their employees, or do they let their users keep admin privileges?<br />
<br />
Most companies choose to let their users keep administrator privileges because they can’t afford to hinder employee productivity, thus gambling their IT security. What if there was another option that would enable system utilities, options, installers, updaters, and legacy applications to run with admin privileges AND enforce IT security by removing administrator rights from users? Well there is. Application and user privilege management enables companies to remove administrator rights from users while also adding administrator rights to applications that need them to run normally.<br />
<br />
Arellia <a href="http://www.arellia.com/products/application-control-solution/">Application Control Solution</a> and <a href="http://www.arellia.com/products/local-security-solution/">Local Security Solution</a> help businesses concerned with security protect their assets from security threats, mitigate zero-day vulnerabilities, control system stability, and enforce software compliance by using application and user privilege management capabilities.</p>
<p>The post <a href="http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/">Top 5 Reasons Why Users Need Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/02/22/top-5-reasons-why-users-need-administrator-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top 5 Reasons Why Users Want Administrator Rights</title>
		<link>http://www.arellia.com/2013/02/14/top-5-why-users-want-administrator-rights/</link>
		<comments>http://www.arellia.com/2013/02/14/top-5-why-users-want-administrator-rights/#comments</comments>
		<pubDate>Thu, 14 Feb 2013 22:54:08 +0000</pubDate>
		<dc:creator>Mike Murphy</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3265</guid>
		<description><![CDATA[<p>Nobody likes to be restricted in their use of a computer, or think they are being limited because they don’t have administrator rights. Most users do not NEED administrator privileges, they just WANT them. So why do users want administrator privileges? Here are the top 5 reasons: Freedom: Users want administrator privileges so they can install or modify anything and ...</p><p>The post <a href="http://www.arellia.com/2013/02/14/top-5-why-users-want-administrator-rights/">Top 5 Reasons Why Users Want Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img class="alignnone size-medium wp-image-3266" alt="top 5 reasons for administrator rights" src="http://www.arellia.com/wp-content/uploads/2013/02/IMG_3563-278x300.jpg" width="278" height="300" /><br />
Nobody likes to be restricted in their use of a computer, or think they are being limited because they don’t have administrator rights. Most users do not NEED administrator privileges, they just WANT them. So why do users want administrator privileges? Here are the top 5 reasons:</p>
<ol>
<li>Freedom: Users want administrator privileges so they can install or modify anything and everything on their computer. They may or may not view themselves as computer experts, but believe they know enough about computers to be able to make changes to their system without any negative repercussions. Unfortunately they are usually wrong, causing the IT department to spend countless hours fixing the issues.</li>
<li>Control: Users also want more privileges on a computer because of the control associated with being able to call your own shots. Control leads to even more headaches for the IT department as they clean up the mess left by users who make changes without understanding implications. Installing a software package without proper licensing can result in costly audit expenses. Changing the security configuration might make life easier, but it can result in expensive breaches.</li>
<li>Time: Most people hate to wait – we want everything done instantaneously. It’s the same for computing. Most users fear that if they don’t have administrator rights, they’ll have to wait for someone in the IT department to install or update a piece of software that could take them minutes to do if they had administrator privileges.</li>
<li>Entitlement: Some users believe that they deserve administrator rights because they started the company, make more money than the IT department employees, or because they are just special for one reason or another. These reasons aren’t good enough though. They might be the reason that the company is making a profit right now, however with administrator rights they could be the reason the company suffers a loss next quarter when their computer is compromised and key data stolen.</li>
<li>Habit: For some companies, users have always had administrator rights. It has become the standard of how users operate their computers in the company. However with increasing cyber threats, this habit simply does not provide enough security to organizations any more.</li>
</ol>
<p>The reasons listed above may or may not be good reasons for users to want to keep administrator rights. However, administrator rights are a huge threat to IT security. Users may think that if they lose administrator privileges their lives will become harder, but this is not the case. If privilege management is implemented the right way, users will be able to continue to work as before and will most likely not even notice the change.<br />
<br />
So how do you implement privilege management successfully? It’s really a two-step process, requiring knowledge of what applications will need administrator rights to work correctly and which users have administrator rights. After that knowledge is obtained companies create application privilege management policies for applications that need admin rights. Then companies remove administrator privileges from their users by using user privilege management software. It’s that easy.<br />
<br />
Arellia <a href="http://www.arellia.com/products/application-control-solution/">Application Control Solution</a> and <a href="http://www.arellia.com/products/local-security-solution/">Local Security Solution</a> help businesses concerned with security protect their assets from security threats, mitigate zero-day vulnerabilities, control system stability, and enforce software compliance by using application and user privilege management capabilities.</p>
<p>The post <a href="http://www.arellia.com/2013/02/14/top-5-why-users-want-administrator-rights/">Top 5 Reasons Why Users Want Administrator Rights</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/02/14/top-5-why-users-want-administrator-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyberwar Has Arrived and There is No Turning Back</title>
		<link>http://www.arellia.com/2013/02/13/cyberwar-has-arrived/</link>
		<comments>http://www.arellia.com/2013/02/13/cyberwar-has-arrived/#comments</comments>
		<pubDate>Wed, 13 Feb 2013 17:51:43 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3257</guid>
		<description><![CDATA[<p>Cyberwar has begun or it began years ago. The past few weeks have included a flood of security news around compromised organizations and multiple serious security threats. We must now consider our online experience to occur in a combat zone and change our approach to security accordingly. MIT Technology Review’s article Welcome to the Malware-Industrial Complex summarizes previously documented activities ...</p><p>The post <a href="http://www.arellia.com/2013/02/13/cyberwar-has-arrived/">Cyberwar Has Arrived and There is No Turning Back</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/2013/02/13/cyberwar-has-arrived/globe-cyberwar/" rel="attachment wp-att-3258"><img class="alignnone  wp-image-3258" style="border: 0px none;" alt="gcwar" src="http://www.arellia.com/wp-content/uploads/2013/02/globe-cyberwar.jpg" width="478" height="362" /></a></p>
<p>Cyberwar has begun or it began years ago. The past few weeks have included a flood of security news around compromised organizations and multiple serious security threats. We must now consider our online experience to occur in a combat zone and change our approach to security accordingly.</p>
<p>MIT Technology Review’s article <a href="http://www.technologyreview.com/news/507971/welcome-to-the-malware-industrial-complex/" target="_blank">Welcome to the Malware-Industrial Complex</a> summarizes previously documented activities of the US government purchasing zero-day vulnerabilities for offensive uses. It indicates that over 100 countries have cyber-war units, of which around 20 are formidable. We have already learned about the results of known actions from Stuxnet, commonly attributed to the US and Israeli governments. One can surmise that other visible activities, such as the Estonian cyberattacks of 2007 and Operation Aurora, which targeted Google and other large companies, had government backing, although attribution is difficult. Today’s reality is that we live, and have lived for years, at risk from government-organized or government-backed cyberattacks.</p>
<p>Unfortunately, these attacks are not just government to government: businesses are in the crossfire too. The recent compromises of the <a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?_r=0" target="_blank">New York Times</a>, <a href="http://online.wsj.com/article/SB10001424127887323701904578275920521747756.html">Wall Street Journal</a>, and <a href="http://articles.washingtonpost.com/2013-02-01/business/36685685_1_chinese-hackers-cyberattacks-mandiant">Washington Post</a> are all being attributed to Chinese hackers due to those media companies’ involvement in investigative reporting. The sophistication and coordination of many of these attacks lead many to believe governments are involved either directly or indirectly. Regardless, businesses are being targeted either for political reasons (in the case of the media companies) or economic reasons (it is easier to steal than to recreate). Organizations will need to change their approach to security to adapt to today’s security environment.</p>
<p>Over a decade ago, mail viruses, network worms, and spyware made antivirus products ubiquitous. I remember cleaning up many a friend’s and family member’s computer when they had been infected and installing antivirus so that I wouldn’t have to do a return visit. In the case of the New York Times, the failure of antivirus has been called out. The reality is that we are seeing an end to the effectiveness not of antivirus alone, but of reactive security technologies in general. Antivirus, intrusion prevention, and patch management are all common technologies designed to address known bad applications, behavior, or vulnerabilities. The challenge we face is the unknown threats.</p>
<p>A shift must occur, and that shift must look at new approaches to security that assume programs and behavior are malicious by default. In reference to the New York Times attack, Gartner’s Neil MacDonald <a href="http://blogs.gartner.com/neil_macdonald/2013/01/31/this-just-in-signature-based-protection-ineffective-against-targeted-attacks/">noted</a>, “…application control (also referred to as whitelisting) solutions likely would have stopped this attack in its tracks.” This approach is representative of the overall shift that will need to occur to survive constant attacks in a cyberwar landscape.</p>
<p>The post <a href="http://www.arellia.com/2013/02/13/cyberwar-has-arrived/">Cyberwar Has Arrived and There is No Turning Back</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/02/13/cyberwar-has-arrived/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Endpoint Security and Pain</title>
		<link>http://www.arellia.com/2013/01/28/endpoint-security-and-pain/</link>
		<comments>http://www.arellia.com/2013/01/28/endpoint-security-and-pain/#comments</comments>
		<pubDate>Mon, 28 Jan 2013 23:55:10 +0000</pubDate>
		<dc:creator>Stephen Brown</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.arellia.com/?p=3177</guid>
		<description><![CDATA[<p>Pain: we all feel it. Whether physical, financial, mental or otherwise, pain is a motivator like no other. I am recovering from shoulder surgery and see parallels to my decision to have the procedure and decisions to improve endpoint security. To summarize, nothing motivates like pain or the avoidance of it. Over 10 years ago, I decided to pick up ...</p><p>The post <a href="http://www.arellia.com/2013/01/28/endpoint-security-and-pain/">Endpoint Security and Pain</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><a href="http://www.arellia.com/2013/01/28/endpoint-security-and-pain/pain-edited-2/" rel="attachment wp-att-3179"><img class="alignnone size-full wp-image-3179" alt="Pain" src="http://www.arellia.com/wp-content/uploads/2013/01/Pain-Edited1.jpg" width="640" height="338" /></a></p>
<p>Pain: we all feel it. Whether physical, financial, mental or otherwise, pain is a motivator like no other. I am recovering from shoulder surgery and see parallels to my decision to have the procedure and decisions to improve endpoint security. To summarize, nothing motivates like pain or the avoidance of it.</p>
<p>Over 10 years ago, I decided to pick up snowboarding. I had a crash on my 3<sup>rd</sup> time and hurt my shoulder. A few years later, I dislocated the same shoulder wakeboarding. The pain was unbelievable and rivals any broken bone I had experienced (and I have broken a few). I decided to have shoulder surgery that year and was told all would be well. After a long recovery, things were good. I dislocated it again in 2009 while boogie boarding and my doctor gave me the choice to have an exploratory scope, the same repair, or see how things went. I decided to wait. Then I dislocated it twice in 2012 – the last time while jumping over a wave at the beach. The pain of a recurring shoulder dislocation was too great and I decided to move forward with surgery.</p>
<p>Herein lies the analogy. Nobody wants surgery just as nobody wants to spend money on endpoint security – until the pain is too great. Everyone thinks security is motivated by risk, but I really believe it is motivated by pain. When the pain of cleaning up infections becomes too great, it is time to invest in some endpoint surgery. Risk is ambivalent – the thing of actuaries while pain is something tangible. Reading about the cost of <a href="http://www.arellia.com/2012/10/11/cost-of-cybercrime-in-2012/">cyber attacks in 2012</a>, there is a lot of pain going around. It is that pain that motivates organizations to move forward.</p>
<p>Adapting to changes in endpoint security can be difficult, just like my recovery from shoulder surgery. Before I had the procedure, I would sometimes imagine the feeling of my shoulder out of the socket and it would send chills down my spine. Is that the same feeling you have when you think about your next successful cyber attack or insider abuse? In the end, the pain of fixing my shoulder was better than repeated pain of dislocations. Is the pain of improving your endpoint security better than what you’re living with today?</p>
<p>Unfortunately, there are no silver bullets in life. I have no guarantee that I won’t dislocate my shoulder again, but I was guaranteed to do so if I didn’t have surgery. Are you experiencing that with your endpoints? Does the latest zero-day vulnerability send shivers down your spine? Are you worried about your employees? Are you worried about your IT staff and what they can do?</p>
<p>Arellia believes in a proactive approach to security that prevents attacks from being successful instead of defending against them when they occur. Our approach of hardening users, applications, and configuration is designed to make systems more resilient and protect against attacks. Are we guaranteed to prevent the pain? No, and anyone who tells you their solution will eliminate all your pain is not being realistic. Can we eliminate pain? Absolutely. How bad are you hurting?</p>
<p>The post <a href="http://www.arellia.com/2013/01/28/endpoint-security-and-pain/">Endpoint Security and Pain</a> appeared first on <a href="http://www.arellia.com">Arellia</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.arellia.com/2013/01/28/endpoint-security-and-pain/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
