Removing administrator rights is no solution against drive-by attacks

Enterprises are notoriously slow at migrating to new operating systems – in fact, Nomura Securities’ analyst Rick Sherlund has recently lowered his projection for Microsoft revenue in the current year from $80 billion to $79.6 billion primarily because of a lack of enterprise interest in the latest OS, Windows 8. Nevertheless, business will have to migrate sooner or later – whether that is to Windows 8 or the expected next version, currently codenamed ‘Blue’ and expected sometime in the summer.

The advice from Gartner’s Neil MacDonald is worth revisiting in that light: “If you are struggling with malware infestations and are considering switching out vendors, take a look first at removing administrator rights.” The reasoning is clear. Administrator rights on endpoints allow users who may have little understanding of computing and security to install whatever software they want, change the Registry settings “and generally do whatever they want on the device,” explains George Tubin, senior security strategist at Trusteer. The implication from MacDonald is that wanton administrator rights are the single biggest threat to enterprise security.

Not so, says Tubin. Firstly, “in today’s environments that support BYOC policies and ‘Consumerization of IT’, removing administrator rights is often unfeasible.” But beyond that, one of today’s biggest threats requires no user interaction, whether the user is standard or administrator. “Drive-by downloads,” explains Tubin, “which exploit browser vulnerabilities and browser plug-in vulnerabilities, can infect the endpoint when the user simply views a compromised web-page (with or without administrative rights).”

He cites ‘malvertising’, the embedding of a malicious advert in a legitimate website, as a specific example. “The attack utilizes a Java zero-day vulnerability (CVE-2013-0422) to automate the exploitation of the Java virtual machine. Embedded into ads that are displayed on legitimate websites, the exploit is able to automatically infect users with unpatched browsers when visiting these sites (without the users ever clicking on the ad).”

The point he makes is that it is irrelevant whether the user is standard or administrator: today’s “advanced malware can infect an endpoint when running under the context of either ‘administrative’ or ‘standard’ user rights, and in both cases, the malware can survive a reboot.”
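The reboot-survival point can be checked directly on a Windows endpoint. The following PowerShell script is an added example, not code from the article or from Trusteer: run from a non-elevated, standard-user session, it reports whether the session is an administrator, lists the per-user autostart locations that Windows processes at every logon (the HKCU Run key and the user’s Startup folder), and proves write access to the Run key by adding and immediately removing a harmless test value. The value name `ExampleAutostartCheck` is chosen for this demonstration.

```powershell
# Added example (not from the article): a standard user can write to autostart
# locations that Windows evaluates at every logon, which is why user-context
# malware survives a reboot without ever holding administrator rights.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($identity.Name); elevated administrator: $isAdmin"

# Per-user autostart locations: no elevation is needed to modify either of them.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = [Environment]::GetFolderPath('Startup')   # %APPDATA%\...\Start Menu\Programs\Startup

# 1. What is already registered to start at logon for this user?
"`nHKCU Run entries:"
Get-ItemProperty -Path $runKey | Select-Object -Property * -ExcludeProperty PS*
"`nStartup folder ($startup):"
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime

# 2. Prove write access with a harmless, self-removing test value.
#    'ExampleAutostartCheck' is a name chosen for this demonstration only.
$name = 'ExampleAutostartCheck'
try {
    Set-ItemProperty -Path $runKey -Name $name -Value 'cmd.exe /c exit' -ErrorAction Stop
    "`nWrote '$name' under HKCU Run without elevation: logon persistence needs no admin rights."
} catch {
    "`nCould not write to HKCU Run: $($_.Exception.Message)"
} finally {
    Remove-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
}
```

On a default Windows installation the write succeeds for any interactive user, so removing administrator rights changes nothing about this step of an infection; it only limits what the persisted code can do afterwards. The same listing, run periodically and compared against a known-good baseline, is a cheap detection for user-level persistence.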

His conclusion is that while limiting administrator rights is good practice, it is not as effective as it used to be. His recommendation is to use “an Application Control/Whitelisting technology to effectively protect vulnerable endpoint applications.”
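One way to verify that an application-control policy actually covers the scenario described above is to test it against an executable in a user-writable directory, which is where a drive-by payload lands. The PowerShell script below is an added example, not the article’s or any vendor’s code; it assumes the built-in AppLocker module is available, copies `notepad.exe` into the user’s `%LOCALAPPDATA%\Temp` as a stand-in for a dropped payload (the file name `example_dropped.exe` is chosen for this demonstration), and evaluates the host’s effective AppLocker policy against both the trusted and the dropped copy for the current user.

```powershell
# Added example (not from the article): does the effective AppLocker policy block
# an executable in a user-writable location while allowing the same binary in
# its trusted location? If not, whitelisting offers no protection here.
Import-Module AppLocker

# Stand-in for a dropped payload: a copy of notepad.exe where a standard user can write.
# Path names are chosen for this demonstration.
$trusted = Join-Path $env:SystemRoot 'System32\notepad.exe'
$dropped = Join-Path $env:LOCALAPPDATA 'Temp\example_dropped.exe'
Copy-Item -Path $trusted -Destination $dropped -Force

try {
    $policy = Get-AppLockerPolicy -Effective          # the policy that actually applies on this host
    $who    = [Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Evaluate both paths as the current (standard) user and show the matching rule, if any.
    Test-AppLockerPolicy -PolicyObject $policy -Path $trusted, $dropped -User $who |
        Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

    $droppedVerdict = Test-AppLockerPolicy -PolicyObject $policy -Path $dropped -User $who
    $trustedVerdict = Test-AppLockerPolicy -PolicyObject $policy -Path $trusted -User $who

    if ($droppedVerdict.PolicyDecision -in 'Allowed', 'AllowedByDefault') {
        Write-Warning "Executable in a user-writable path would run ($($droppedVerdict.PolicyDecision)): application control is not effective against dropped payloads on this host."
    } else {
        "Dropped copy blocked ($($droppedVerdict.PolicyDecision)); trusted copy: $($trustedVerdict.PolicyDecision)."
    }
} finally {
    Remove-Item -Path $dropped -ErrorAction SilentlyContinue
}
```

A decision of `AllowedByDefault` for the dropped copy means the executable rule collection is not enforced at all; `Allowed` means a rule (typically an over-broad path rule) explicitly permits user-writable locations. Either result is the gap the recommendation above is meant to close.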
