July 26, 2022
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!
Restricting Administrative Privileges
Removing Microsoft admin rights from employees mitigates 92% of critical vulnerabilities and 60% of all vulnerabilities reported by the software firm in the past year, a study has revealed.
This quote is from a study done in 2014, but a new study from 2020 showed similar results.
It’s pretty simple, really. If you have administrative privileges, you can install software, right? That includes malware. If you can’t install software, you can’t install malware. So if you are logged in as a standard (not administrative) user when you get hit by a drive-by on an infected website, or click on a bad link, you get a popup asking for the admin password to install something to the system. You know right then that you’ve been attacked! And your standard (not admin!) user permissions blocked the attack. (NOTE: standard users can install software that runs on their local account only, so this isn't a 100% block, but installers typically ask to install to the system, not just your account, so this will block the most common attacks.)
So how do we manage life as standard users?
Everywhere. Most operating systems and applications have an automatic update option that will keep the software updated without an admin having to log in to approve updates. Turn this on.
At Home. The best practice for home computers is to have two admin accounts where only parents have the passwords, and everyone (even the parents!) has a standard user account. If children need to install software for school or want a new game, they have to ask a parent to log in as admin and install it for them. Parents need to log in at least once a week to check for updates, to keep all software on the computer patched. This simple strategy will greatly increase the security of your home computers.
At Work. Think carefully before granting admin privileges to all employees on their work computers. Do they really need admin privileges? Sometimes it is required by certain software, but most of the time it isn’t. In particular, part-time and seasonal employees probably don’t need to be admins, and likewise interns and other temporary employees; this group tends to be higher risk (less training, less experience, less personal commitment to the company’s best interest).
If you can control patch management via your network, then it’s a great idea to have all employees work as standard users only. This means even IT people! Only log in to an admin account when you actually need to do something that requires admin access. Otherwise work as a standard user.
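A quick way to check where you actually stand on this is to audit who holds local admin rights. The script below is an added example for this newsletter, not something from the articles quoted above: it reports whether the current PowerShell session is elevated and lists every member of the local Administrators group, flagging any account that is not on an approved list. The approved list is constructed for illustration (the "ParentAdmin" account is hypothetical); replace it with the admin accounts you intend to have. It runs on Windows 10/11 with Windows PowerShell 5.1 or PowerShell 7 and only reads, never changes, group membership.

```powershell
# Added audit example (not from the newsletter): who holds local admin rights on this PC,
# and is the current session running elevated? Read-only; makes no changes.

# Constructed allow-list: the accounts you intend to have admin rights.
# BUILTIN\Administrator is disabled by default on Windows 10/11 but is still
# a member of the group, so it is listed here. "ParentAdmin" is hypothetical.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:COMPUTERNAME\ParentAdmin"
)

# 1. Is the current session elevated? A standard user's shell should report False.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Current user: {0}   Elevated: {1}" -f $identity.Name, $isElevated)

# 2. Enumerate the local Administrators group. Get-LocalGroupMember returns local
#    accounts as well as domain or Azure AD principals that were added to the group.
$members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Flag anything that is not on the approved list.
$unexpected = @($members | Where-Object { $ApprovedAdmins -notcontains $_.Name })

Write-Host "`nMembers of local Administrators:"
$members | Format-Table -AutoSize

if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} account(s) hold admin rights that are not on the approved list:" -f $unexpected.Count)
    $unexpected | ForEach-Object {
        Write-Warning ("  {0} ({1}, {2})" -f $_.Name, $_.ObjectClass, $_.PrincipalSource)
    }
} else {
    Write-Host "`nNo unexpected local administrators." -ForegroundColor Green
}
```

Run it from a normal (non-elevated) PowerShell window: "Elevated: False" confirms you are working as a standard user, and the warning list tells you which day-to-day accounts still have admin rights and should be moved to standard user (Remove-LocalGroupMember, run once from an admin account, does that).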
If you must grant admin privileges to employees, train them to mitigate the risk! Explain why administrative access increases risk. Be specific, use statistics (like those in the articles referenced above) and tell stories. Make the training personal, valuable at home as well as at the office, and your employees will develop a heightened security awareness that will go with them everywhere:
Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace
Stay safe and secure!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab.
Talk to you again soon!
Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺