Tuesday, February 25, 2014

No, You Can't Have Local Admin!

   If you have responsibility for security and/or access management for an organization, then there is one "simple" request that you have received, and will keep receiving... Users asking for local admin access to their systems.

   Most of you know what I mean.  I'm referring to the local administrator or root account on a system.  When a person has local admin, they can access any part of the system, change or disable settings (including deactivating anti-malware or other security software), and, perhaps most importantly, install and run any software.  This last item is probably the primary reason people request this level of access.

   We're talking about Minimum Necessary (also called least privilege)... the idea that everyone should have exactly the level of access needed to do their job, and no more.  In most, if not all, organizations, far more people have local admin than really need it.

   Security vendor Avecto recently released a new study showing that over 90% of the most serious (Critical) vulnerabilities in Microsoft software products in 2013 could have been mitigated by simply removing administrator rights.  "Mitigated" here means the bug is still there, but an attacker who triggers it in a standard user's session gets only that user's rights, not control of the machine.  Put another way, a standard user account would have been protected against more than 90% of those vulnerabilities, while only accounts running with admin rights were exposed to all of them... and those are the people who have the most access on your systems!  Here are two good articles on the subject and here is a link to the full report.

   Let's break this down...

Tuesday, February 11, 2014

Bad Policies = Bad Passwords

   It seems that passwords are in the news again.  In the past I've discussed a number of aspects of the password dilemma.  Among the key issues are:
  • good passwords are hard to remember, and;
  • passwords you can remember are easy for attackers to guess.
   Adding to this mess is that many organizations do a poor job of protecting the stored copies of your password.  And now we have some new information...
Many organizations allow you to pick poor passwords on their websites by enforcing few or weak password construction requirements.
   We call these rules password policies, and they specify things like: the maximum length a password can be; the minimum length it must be; which kinds of characters can or must be used; whether the password has to be changed periodically, and; whether there are some passwords that can't be chosen.
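   To make those policy dimensions concrete, here is an added example (not code from the original post, and not any real site's rules): a small Python policy checker with two constructed policies side by side. The "weak" one caps length at 12 and allows only letters and digits, so it happily accepts "Password1" but rejects a long passphrase; the "stronger" one has a real minimum length, a short constructed list of banned passwords, a character-class requirement and a forced-change interval. The names, limits and banned list are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Password construction rules for one site: length bounds, allowed and
    required kinds of characters, forced change, and passwords that can't be chosen."""
    name: str
    min_length: int
    max_length: Optional[int] = None        # None: no upper bound
    allowed_chars: Optional[str] = None     # None: any character is allowed
    required_classes: int = 0               # how many of lower/upper/digit/other must appear
    banned: FrozenSet[str] = frozenset()    # compared case-insensitively
    max_age_days: Optional[int] = None      # None: never forced to change

    def violations(self, password: str, days_since_change: int = 0) -> List[str]:
        """Return the rules this password breaks; an empty list means it is accepted."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append("too_short")
        if self.max_length is not None and len(password) > self.max_length:
            problems.append("too_long")
        if self.allowed_chars is not None and any(c not in self.allowed_chars for c in password):
            problems.append("disallowed_chars")
        # Count which of the four character classes appear at least once.
        classes = sum(
            any(test(c) for c in password)
            for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
        )
        if classes < self.required_classes:
            problems.append("too_few_classes")
        if password.lower() in self.banned:
            problems.append("banned")
        if self.max_age_days is not None and days_since_change > self.max_age_days:
            problems.append("expired")
        return problems


ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Constructed sample policies for the illustration, not taken from any real site.
WEAK = PasswordPolicy(
    name="weak",
    min_length=6,
    max_length=12,          # a cap on length: long passphrases are rejected outright
    allowed_chars=ALNUM,    # letters and digits only, so no spaces or symbols
)

STRONGER = PasswordPolicy(
    name="stronger",
    min_length=12,
    required_classes=2,
    # Constructed short list; a real deployment would use a large breached-password list.
    banned=frozenset({"password", "password1", "123456", "qwerty", "letmein"}),
    max_age_days=365,
)


def evaluate(password: str, days_since_change: int = 0,
             policies=(WEAK, STRONGER)) -> Dict[str, List[str]]:
    """Run one candidate password through each policy and collect the violations."""
    return {p.name: p.violations(password, days_since_change) for p in policies}


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        for name, problems in evaluate(candidate).items():
            verdict = "accepted" if not problems else "rejected: " + ", ".join(problems)
            print(f"{name:9} {candidate!r:32} {verdict}")
```

   Running it shows the mirror image the post is describing: the weak policy accepts "Password1" (nine characters, letters and a digit, nothing banned) and rejects the 28-character passphrase for being too long and containing spaces, while the stronger policy rejects "Password1" as both too short and banned, and accepts the passphrase. A maximum-length cap deserves particular attention in a policy review, because it removes the one option (a long passphrase) that is both memorable and hard to guess.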