April 14, 2011

Article in The Guardian’s Information Security 2011 supplement

I wrote an article to be published in The Guardian’s Information Security 2011 supplement.

Picture this scenario. You walk into your local supermarket to buy your weekly groceries and just before you drop an item of produce into your trolley, you quickly scan it over for freshness and check its expiry date. You wouldn’t knowingly choose something that was marked out-of-date. And if you did notice it was past its expiry date, you would automatically select a new, fresher version of the same produce instead. After all, you wouldn’t want to experience any unpleasant side-effects or risks to your health.

Now picture another scenario – this time at your private home PC, or sitting somewhere in front of your laptop browsing the internet or logging on to a corporate network while working from home. Did you know that the programs installed on your PC pose a significant risk to the health of your PC and the safety of your private data if they are left to go past their ‘expiry dates’ and are not updated in a timely manner?

Make sure you’re not compromised by PC programmes that are past their expiry date and could expose your system to attacks. The power to reduce the window of opportunity for cyber criminals is in the hands of all PC users.

The full article appears on page 41 of the supplement.

April 8, 2011

Cybercriminals do not need administrative privileges

For years the software industry has promoted reduced privileges for user accounts as a key security best practice to prevent misuse and successful exploitation of end-point systems. Two main rationales, or assumptions, back up this strategy: A) malware requires administrative access to successfully exploit and compromise a system, and B) users without administrative access are prevented from bypassing the organisation’s security policy, as they cannot install and run unauthorised programs on their own.

Unfortunately, user accounts with reduced privileges do not provide protection from attack, misuse, or compromise. Reduced privileges for end-users can only be regarded as one part of an effective security strategy and should not be solely relied on. Organisations should know the limitations of this approach, to prevent them from getting a false sense of security and under-investing in complementary security layers. This post discusses the limitations of securing systems by denying users administrative access, and highlights how cybercriminals can achieve their goals without administrative access.

In any organisation, staff work on their end-points to carry out daily tasks. By definition, and irrespective of the privileges they are granted on their systems, they need and have access to all business-relevant data and internal networks required to get the job done. Thus, even when a user works with reduced privileges, any program or process running with that user's set of privileges also has full access to all of this data. This very fact highlights that the valuable information which cybercriminals are eager to "acquire" is present regardless of users’ privileges, and it justifies cybercriminals' interest and investment in finding ways to compromise end-users’ systems.

Attack Surface
In every organisation, the number and complexity of pre-installed programs and plug-ins found on typical end-points alone provide plenty of opportunities for attack and compromise. Running as a non-admin user mainly helps to limit what a user can install and configure on the system; it does not prevent an attacker from gaining control of the user's account. A single exploitable vulnerability in one of the many installed programs (or plug-ins) is all cybercriminals need to run their malware in the context of the local user. Furthermore, as the user has access to the internal network, the malware can use the user’s account to relay attacks against other systems.

Recent research shows that the number of vulnerabilities affecting typical end-points (with Microsoft Windows XP and the Top-50 most prevalent programs installed) increased from 225 in 2007 to 729 in 2010. From 2009 to 2010 alone, an increase of more than 70% in the number of vulnerabilities affecting typical end-points was recorded. This represents an enormous opportunity for cybercriminals and also helps explain why Damballa found up to 9% of the end-points in large enterprises to be bot-infected, despite the implementation of best-of-breed security policies and perimeter protection.

Figure 1: The number of vulnerabilities affecting a typical end-point with Windows XP and the Top 50 most prevalent programs increased from 225 in 2007 to 729 in 2010, or by 71% in the last year 

Furthermore, many of the vulnerabilities are of the “Privilege Escalation” type, which allows the attacker to gain elevated privileges, thereby nullifying the protection sought in restrictive user permissions. In 2010, about 14% of the vulnerabilities affecting a representative end-point with Windows XP and the 50 most prevalent programs installed were of this type. Exploiting this type of vulnerability allows an attacker to escape the stringent permissions of the user and execute their code with administrator or system privileges.

No Installation Required
The fact that many programs do not need to be installed, and do not require administrative privileges, to be run on an end-point is often overlooked. For example, there is a growing list of so-called “Portable Applications”: programs that do not require installation. The user simply starts the program after downloading it from a USB stick or a flash drive. One such collection, for example, features more than 200 types of programs (productivity, networking, instant messaging, file sharing, graphics, games, etc.) that can be executed without requiring any installation. Most of these programs do not even require administrative rights to run. Furthermore, there are many tricks that allow users to bypass restrictive user rights to run and install programs on their own. There is a rich body of step-by-step instructions on the Internet that shows users how to bypass user restrictions to run their own programs.

End-Point Exploitation
Over recent years, and in the face of more restricted environments, cybercriminals have developed successful technologies and strategies to make exploitation and system compromise independent of administrative access on end-points. An increasing number of recent exploits and malware samples do not require modifying a system file or the registry; just running in memory is sufficient to access and steal sensitive information or infect other internal systems. For example, hijacking browser traffic or communicating with an external host for data exfiltration does not require administrative access. Malware does not even need to be persistent and survive a reboot. A couple of minutes on the end-point are enough for malware to identify and steal most of the sensitive data, and to spread further. Additionally, today’s end-points are typically left powered on for extended periods of time between reboots, thereby reducing the need for malware to take extensive action, or acquire extra privileges, to stay persistent. Zeus and Carberp are good examples of recent and prevalent malware that are able to compromise a host without administrative rights.

Limiting users’ privileges on end-points is a recommended and effective means to reduce the risk of host exploitation, and it limits the capabilities of malware upon successful compromise. However, it should not be seen as a replacement for vulnerability management and expedited patching of software, nor is it a replacement for anti-virus or other protection technologies.

These days, cybercriminals systematically obfuscate malware to bypass anti-virus and other defence technologies, with increasing success, by creating a large number of obfuscated serial variants. Limiting user privileges on end-points is a best practice that complements, rather than replaces, additional layers of security. A process to identify vulnerable programs, including programs not authorised by the organisation, paired with effective patch management, is an absolute must to reduce the window of exposure and eliminate the root cause of potential compromise.
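One way to implement the identification step that paragraph calls for, as an added example that is not code from the original post: a small audit that takes an inventory of installed programs and reports which are not on the organisation's authorised list and which are below the minimum patched version. The program names, versions and the "name;version" inventory format are constructed for the example, not taken from any real end-point.

```python
import re

# Constructed baseline: authorised programs mapped to the minimum version
# known to carry the current patches (hypothetical names and versions).
BASELINE = {
    "Acme Reader": "9.4.2",
    "Acme Flash Plugin": "10.2.153",
    "Corp VPN Client": "3.1",
}

# Constructed inventory in the form a login script or scanner might collect.
# "Portable Chat" stands for an unauthorised portable application.
INVENTORY = """\
Acme Reader;9.3.4
Acme Flash Plugin;10.2.153
Corp VPN Client;3.1.0
Portable Chat;2.7.1
"""

def parse_version(text):
    """Turn '10.2.153' into (10, 2, 153); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b; '3.1' equals '3.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)

def audit(inventory, baseline):
    """Classify each inventory line as unauthorised, outdated or ok."""
    findings = {"unauthorised": [], "outdated": [], "ok": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(";")
        name, version = name.strip(), version.strip()
        if name not in baseline:
            findings["unauthorised"].append(name)
        elif compare_versions(version, baseline[name]) < 0:
            findings["outdated"].append((name, version, baseline[name]))
        else:
            findings["ok"].append(name)
    return findings

if __name__ == "__main__":
    for category, items in audit(INVENTORY, BASELINE).items():
        print(f"{category}: {items}")
```

Unauthorised programs need a decision (approve and add a baseline version, or remove), while outdated ones go straight to the patching queue; both lists shrink the window of exposure the paragraph describes.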
