Which of your endpoints is most likely to let an attacker inside?

Is your organization trying to reduce the risk of malware or ransomware in 2018?  Knowing where to start can be the hardest part.  The following risk factors can increase the odds of a cyber attack, and being aware of them can help you focus on and secure your most vulnerable endpoints.

Any machine that users check their email on is a high-risk endpoint

Malware and ransomware email attacks are becoming more sophisticated each year, with even trained IT professionals falling victim to genuine-looking email attachments and links. For untrained end-users, the situation is even more dire. In 2016, two-thirds of malware attacks were installed via email attachments. According to Verizon's Data Breach Investigations Report, 7.3% of users will open a malicious attachment, with some sectors like healthcare seeing rates over 10%.


Any machine that is connected to the internet is a high-risk endpoint

The best way to secure a computer or server is to cut it off completely from the internet and strictly limit access. Windows computers with unpatched vulnerabilities can be infected with ransomware within three minutes of being turned on, and attack attempts against them can recur as often as every fifteen minutes. Couple this with fake download buttons or compromised downloads, and the risk escalates even further.

Any machine that shares a local administrator password with other machines is a high-risk endpoint

Once attackers manage to obtain a privileged account, the first thing they do is try to spread laterally through your network to other endpoints. If multiple machines have the same local administrator password, a single compromised machine gives the intruder the same level of access to every other machine that shares that password, and the attack can rapidly spread across your entire network until the intruder finds what he or she is looking for: customer data, credit card numbers, intellectual property, or the credentials to other privileged accounts like service accounts and domain admins.

The worst case scenario

While it's fairly typical for IT administrators to have local administrator rights on their own machines, some organizations have business-critical applications that must be run as an administrator to function. In those organizations, every single user ends up with administrator rights on every single machine. Malware from malicious email attachments or websites will then run as an administrator too, increasing both the likelihood that an infection succeeds and the number of endpoints that end up compromised.

Can anything be done?

Thankfully, software solutions have been created to address the security issues of vulnerable endpoints. Thycotic's Privilege Manager allows security administrators to blacklist, whitelist, and greylist applications and reduce the risk of an attack. Whitelisted applications can be configured to run as an administrator even if the user is not. This means that a user can do his or her job without exposing their computer to unnecessary risk. Administrative functions like installing printers or modifying network settings can also be whitelisted, so that a user may not even realize their administrative rights have been revoked. Privilege Manager can also enforce policies around Local Administrators group membership, or even rotate local admin passwords on non-domain-joined machines.
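Before any tooling is rolled out, the first question is which machines are already in the "every user is an administrator" state described above, and which have members in the local Administrators group that nobody approved. The following PowerShell script is an added example, not Thycotic's code or part of Privilege Manager: it queries the local Administrators group on a list of hosts over PowerShell remoting and flags members that are not on an approved list. The host names and the approved list are constructed placeholders, and the script assumes WinRM is enabled on the targets and that the account running it is allowed to query them.

```powershell
# Added example (not Thycotic's code): audit local Administrators group membership
# across a list of hosts and flag anything outside an approved set of principals.
# Assumes PowerShell remoting (WinRM) is enabled on each host and that the caller
# has rights to enumerate local groups there. Get-LocalGroupMember is available on
# Windows 10 / Windows Server 2016 and later.

# Placeholder inventory and placeholder policy; replace with your own.
$Hosts    = @('WKS-001', 'WKS-002', 'SRV-FILE-01')
$Approved = @('CORP\Domain Admins', 'CORP\Workstation-Admins')

$Findings = foreach ($h in $Hosts) {
    try {
        $members = Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource
        }
    } catch {
        # An unreachable host is itself a finding: it cannot be audited or remediated.
        [pscustomobject]@{ Host = $h; Member = ''; Class = ''; Source = '';
                           Status = "UNREACHABLE: $($_.Exception.Message)" }
        continue
    }

    foreach ($m in $members) {
        # The built-in local Administrator account is reported as HOSTNAME\Administrator,
        # so it is matched per host rather than listed in $Approved.
        $isBuiltIn  = $m.Name -ieq "$h\Administrator"
        $isApproved = $isBuiltIn -or ($Approved -contains $m.Name)
        [pscustomobject]@{
            Host   = $h
            Member = $m.Name
            Class  = $m.ObjectClass
            Source = $m.PrincipalSource
            Status = if ($isApproved) { 'approved' } else { 'UNEXPECTED' }
        }
    }
}

# Unexpected entries sort first. A line such as "CORP\Domain Users" or an individual
# user account with Status UNEXPECTED is the worst-case scenario from the section above:
# every user, and therefore any malware they open, runs as an administrator on that host.
$Findings | Sort-Object @{ Expression = { $_.Status -eq 'approved' } }, Host |
    Format-Table -AutoSize
```

Run it from a management workstation with an account that has rights on the targets; the output is a table with one row per host and group member, and any row marked UNEXPECTED is a candidate for removal from the group or for replacement with a whitelisting rule for the specific application that needed the rights.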


This is a Security Bloggers Network syndicated blog post authored by Dan Ritch. Read the original post at: Thycotic