When we look at the volume of security incidents and breaches, a large share of them hit the endpoint. The reason is twofold:

1. The weakest link: the user.

2. Administrative rights: the user on that asset is typically logged in with administrative rights.

If the endpoint is breached, it can be used to obtain credentials to databases, applications, data repositories, file shares, and other assets that exist as part of the technology ecosystem.

With the goal of reducing risk the most for the least effort and cost, we have identified our top security recommendations and gone a step further by detailing the first three.

  1. User Security Awareness Training
  2. Remove administrative rights
  3. Don’t store sensitive data
  4. Implement a solid security patching program
  5. Install and run a good endpoint protection product
  6. Label external emails
  7. Always on VPN

User Security Awareness Training

Training all employees, contractors, vendors, and partners on your security policies and procedures can feel overwhelming. Investing all this time and resources to have people sit through hours of training they won't retain can feel like a loss.

Several things that can help are:

  1. Focus on the biggest returns
  2. Measure results
  3. Train them to refer to resources, not memorize material.

The secret to a successful user security awareness training is to make it as short and impactful as possible.

Start by asking: what are the biggest risks to your particular business?

Of those risks, which ones can end users actually influence or prevent?

Take those top three risks and focus the user awareness training on them specifically. Number them, and be transparent in setting the expectation.

Skip training on security controls, product operations, and alerts that the end users never see or can impact. By focusing on what they can control you increase the applicability of the training.

Include personal stories. Stories help people remember training enormously. Try to make it personal from your experience if you can. If not, go out and find something in the news relevant to what you're training on.

I was recently training kids on the security risks of social media and was able to share this local Minnesota news story on how kids were asked to model without their parents' permission. This led to extortion attempts, and unfortunately even suicide. This story really got their attention and helped them feel the seriousness of this threat.

The threats are real.

From the foundation of a story, talk about what they can do to reduce the risk, such as identifying external emails, identifying malicious emails and attachments, not visiting questionable websites, and not downloading applications and executables.

If your business supports it, take the opportunity to talk about the consequences. This can be a sensitive issue but still needs to be brought up. Start by ensuring there are consequences supported in the information security policy. If there are, cover them lightly. You want to share them in a way that makes them feel like you don’t want these consequences to happen to them because you care about them (I hope that’s true). You want to exude an attitude of partnership with security, and a culture that security is everyone’s responsibility, not just the security department. Help them feel accountability.

The next thing that can really help support the user security awareness is measuring the success and impact of it. This can start by performing a security baseline with an internally supported phishing exercise. Measure the number of employees it was distributed to, how many opened the email, and how many followed the hyperlink. If you have a mature program, you can even measure how many people click ‘report’.

After this baseline, perform training. Measure how many people take the training and successfully pass. Then perform the assessment exercise again and measure how impactful it was.

This is often overlooked and considered too much overhead. But this extra investment can really help differentiate between worthless training and impactful training, reveal what areas need the most continued training, and, if tracked correctly, show who the repeat offenders are that really don't care about security.

Lastly, train them to refer to a resource, not memorize material. One of the biggest successes I've seen from user awareness training is creating a 'security' portal for the company. Use an easy-to-remember URL, and put the link on the internal default website where employees can go to reference all the material they need to make good security decisions.

What I've witnessed is that most employees make bad security decisions not because they want to, but because they don't know how to make the right decision. These are employees that do care and do want to do the right thing, but they need to get their work done. And that feeling, accountability, and responsibility override taking the time to do the right thing. Instead, they get frustrated and do what they have to do to get the job done.

The security portal should contain infographics on how to identify a phishing email, how to send sensitive files securely, how to report a security issue.

(If you need help with these resources, reach out and we can provide some samples.)

Anything you’re asking the employee to identify, process, or perform should be referenceable here. If you can’t create or support a resource, at least have a direct number to the security group that will pick up the phone and help users when they have a question.

Remove Administrative Rights

This tactic gets a lot of pushback. Before you skip this one, I just ask you to think about why you want to skip it.

Oftentimes the reason is that there are applications running on the endpoint that 'require' administrative rights. The idea is that removing the user from the local admin group will create a production outage and increase support costs, making the decrease in risk not worth it.

From my personal experience, there are two types of businesses. Ones that think there are endpoint applications that require administrative rights, and the ones that know what applications require endpoint administrative rights. If you’re in the first group and motivated by fear, I challenge you to push into that a little bit and perform an assessment to identify exactly what applications require it.

When the applications are known, there are a few things you can do about it. But this article won't dive into how to support endpoint applications that require administrative access while not giving the user admin access.

But even just knowing what applications require it allows you to create a group of users that need local admin and opens the opportunity to remove the local admin rights from the other users that don’t.

Our goal working with clients on their cybersecurity programs is to decrease the business risk and decrease the cost of the cybersecurity program.

If you can remove even some users from local admin, you are decreasing your risk. That is a win.

The threats that exploit the end user are many. If the user has local admin, the local workstation and all the credentials stored on it are exposed. All the shared assets across the environment are vulnerable. If the service account for an application, database, or file share is captured, game over. The whole network will be owned.

Removing local administrative rights from the users greatly reduces the risk to the business.
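Once your assessment has produced the short list of accounts that genuinely need local admin, the next step is finding out who else is sitting in the local Administrators group. The script below is an added example (not from the original article): it audits the group against an allowlist, reports anything unapproved, and only removes members when you explicitly ask it to. The allowlist entries and the `CORP\Endpoint-Admins` group name are assumed placeholders.

```powershell
<#
  Audit-LocalAdmins.ps1 (hypothetical name): audit the local Administrators group
  on a Windows endpoint against an allowlist, report unapproved members, and
  optionally remove them. Run elevated. Uses the built-in
  Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Accounts allowed to stay in Administrators. Constructed sample values: the
    # built-in Administrator account plus a domain group that holds the users your
    # assessment found actually need local admin.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Endpoint-Admins'),

    # Apply removals. Without this switch the script only reports.
    [switch]$Remediate
)

# Members come back as DOMAIN\name or COMPUTER\name in the .Name property.
$members = @(Get-LocalGroupMember -Group 'Administrators')

# -notcontains is case-insensitive, so casing differences in the allowlist are fine.
$unapproved = @($members | Where-Object { $Approved -notcontains $_.Name })

# Report first; collect this output fleet-wide to size the "needs admin" group.
[PSCustomObject]@{
    Computer   = $env:COMPUTERNAME
    Total      = $members.Count
    Unapproved = ($unapproved | ForEach-Object Name) -join '; '
} | Format-List

if (-not $Remediate) { return }

foreach ($m in $unapproved) {
    # SupportsShouldProcess means -WhatIf and -Confirm work here, so the removal
    # can be rehearsed before the group is actually changed.
    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name -ErrorAction Stop
    }
}
```

Run it without switches to baseline a machine, then with `-Remediate -WhatIf` to preview removals before committing to them.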

Finally, Prevent Sensitive Data From Being Stored on the Endpoint

Before we review this step let’s review where we’re at.

First, we reduced the risk by training users on the specific risks attackers will try to use to exploit the endpoint. We pointed them to resource repositories and gave them a number for on-demand support. There will be some users that don't care, but when complemented by a policy and culture that supports disciplinary actions and a feeling of responsibility, you should see a risk decrease of up to 60%.

Next, we removed local administrative access from the users that didn't explicitly require it for productivity. By doing this, you've neutralized most of the exploits hackers are using to take over the endpoint. Malware attachments and web hyperlinks that run malicious code will have a greatly reduced impact. Depending on the percentage of users from whom you can remove local administrative access, you can see an additional decrease in incidents and breaches of another 40%.

Now that we've enabled the user to detect threats, and reduced privileges so that the impact is smaller, we remove sensitive data from the endpoint. That way, even if and when the endpoint is breached, there is nothing there of value.

Hardware is cheap (relatively speaking); data is where the value is. When combined with the first two tactics, this machine sits alone: the attacker is unable to get data and unable to pivot to other machines to get remote data.

Because you removed local administrative access, the attacker can't get to the SAM database and crack the master 'Admin' password, and they will not be able to expose all the other endpoints.

Following these three endpoint security controls, you can greatly reduce the risk to your business.

After these security controls are implemented we recommend you keep going and continue to push the envelope to zero risk by:

4. Implement an endpoint patching program

Implementing a regular security patching program will greatly help reduce the risk of malicious exploits. This is probably the greatest thing you can do to keep ransomware from being introduced to your assets, network, and data. Here is an article on how you can reduce malware:

5. Install and manage a good endpoint protection solution

6. Label all inbound external emails with an ‘EXTERNAL’ tag in the subject

7. Support an ‘Always-On’ VPN for remote endpoints.

We hope you found this article helpful. For more helpful security resources and training, please subscribe to our newsletter or reach out to us to discuss your cybersecurity program and challenges.
