Risks of Unnecessary Admin Privileges Continue to Increase

February 18, 2015

Excessive access has been an acknowledged risk since the earliest days of distributed data-communication networks in the 1970s. One common way that organizations attempt to ‘keep things moving’ is to grant administrative privileges to ranges of individuals and groups who may need only some small subset of those permissions in the course of normal operations or in dealing with troubleshooting requests. In most situations, it would be possible to grant only those permissions required to perform the tasks that are truly required. In most of the remaining situations, broader administrative access can be protected with strong two-factor authentication (which will resist many threats that depend upon stolen user credentials).

Constraining and/or hardening administrative access has also been one of the easier ways for large enterprises to materially reduce their attack surface, which results in a lower overall risk profile.

A core risk management principle — ‘least privilege’ — reasons that users should be granted only enough rights to support performing the tasks required for their role, and no more.

This is not only a Windows issue, but Antone Gonsalves (CIO OnLine) passed along today that a review of Microsoft’s Windows vulnerabilities in 2013 (333, of which 147 ranked ‘critical’) showed that fully 60% of them would be mitigated by removing users’ admin rights. Gartner has also argued that 90% of security threats could be eliminated by removing users’ administrative permissions.

Hostile uses of malware and social engineering continue to advance. This increases the gravity of Financial Services organizations’ excessive administrative access issues. The key message is that the risks associated with malware infection could be materially reduced if we tamped down the granting of administrative privileges.
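As an added illustration (not code from the original post), the following PowerShell audit reports members of a Windows machine’s local Administrators group that are not on a role-based allowlist, which is the first step in tamping down the admin rights discussed above. The allowlist entries are placeholders, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: audit the local Administrators group against an approved list.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember). The allowlist below is
# a constructed placeholder, not the author's environment.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: local break-glass account
    'CORP\Workstation-Admins'            # placeholder: role-based AD admin group
)

function Get-ExcessLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins,
        [string]$Group = 'Administrators'
    )
    # Enumerate every principal (user or group) that currently holds local admin.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    foreach ($m in $members) {
        # Anything not explicitly approved is excess privilege to review.
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Name        = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

$excess = Get-ExcessLocalAdmins
if ($excess) {
    Write-Warning "Unapproved members of the local Administrators group on ${env:COMPUTERNAME}:"
    $excess | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group on ${env:COMPUTERNAME} matches the approved list."
}
```

Run it under an account that can read local group membership; after the report has been reviewed, Remove-LocalGroupMember can be used to take the excess principals out of the group.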

RESOURCES:

“Time to drop unnecessary admin privileges.” By Antone Gonsalves, 02-18-2014.
http://www.csoonline.com/article/2134396/privacy/time-to-drop-unnecessary-admin-privileges.html

“Trends (and other things) Learned at the Gartner IAM Summit.” By Mark Weiner, 12-11-2014
http://blog.centrify.com/trends-learned-at-gartner-iam-summit/

Completosec on Risks of Malicious Code:
https://completosec.wordpress.com/category/malicious-code/


Predictable Techniques Succeed in Big Bank Theft

February 14, 2015

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says it has seen evidence of $300 million (or much more) stolen from more than 100 banks and other financial institutions in Russia, Japan, the United States, and at least 27 other nations.

The attack appears to have been initiated via a phishing campaign, followed by long-running surveillance malware, remote access trojans (low and slow), and finally exfiltration of large amounts of money — part via manipulation of bank accounting systems. Nothing new there; the story highlights the scale of cyber-crime successes.

The rest of the story will be outlined by Kaspersky on Monday.

Or you can watch a condensed version via YouTube.

This should also be a reminder that there are no security ‘ruby slippers.’ We need to keep rejecting vacuous vendor and pundit preaching about replacing our security perimeters with (pick your hot solution-of-the-moment) ‘the cloud,’ ‘an appliance,’ or some other replacement for common sense, intelligence, and hard work. Optimizing a layered defense on top of active resistance to phishing (along with all other types of social engineering) and malware remains our primary path to risk-reasonable due diligence. Announcements of cyber-thefts like the one mentioned above are reminders that there are still tough challenges for all of us in financial services security and risk management.


REFERENCES:

“Bank Hackers Steal Millions via Malware.” By David E. Sanger and Nicole Perlroth, 02-14-2015
http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

Updated 02-16-2015:

Report from Kaspersky:
http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
and the full report at http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf (downloaded 02-16-2015 @ 1 PM CST)

Video: “The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide.”
https://www.youtube.com/watch?v=ez9LNudxRIU

For some context, see:

“The Great Bank Heist, or Death by 1,000 Cuts?” By Brian Krebs, 02-15-2015
https://krebsonsecurity.com/2015/02/the-great-bank-heist-or-death-by-1000-cuts/