The recent zero-day exploit targeting a use-after-free vulnerability in Internet Explorer highlights one thing: how important it is to use the least-privilege principle in assigning user profiles.
Imagine that most user accounts are configured with administrator rights or root access on their endpoints. (This is surprisingly common on older OSes such as Windows XP.) A simple social engineering trick would then let a threat actor using this (or a similar) vulnerability gain the same rights as the current user, which could mean anything from modifying system files and installing new programs to changing other configuration settings.
Network administrators must make it incredibly hard for threat actors to ever gain administrative rights. After all, a user profile that is not allowed to install and run downloaded programs on its system is, in our example, far less affected. This will cause some inconvenience for users and administrators, but the tradeoff in increased security is worthwhile. Because of the risk of threat actors gaining elevated rights, Microsoft recently introduced in Windows 8.1 certain measures to prevent this from happening and to give users better control over privileged accounts.
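A practical starting point for the least-privilege review described above is to find out which accounts actually hold local administrator rights on an endpoint, and whether everyday sessions run elevated. The following PowerShell script is an added example and is not code from the original post or from Microsoft; it assumes PowerShell 5.1 or later with the built-in LocalAccounts module (not available on the older systems such as Windows XP mentioned above), and the allow-list of sanctioned administrator principals is a constructed placeholder to be replaced with your own.

```powershell
# Added example (not from the original post): audit local administrator
# membership on a Windows endpoint and report whether the current session
# is running elevated. Assumes PowerShell 5.1+ with the LocalAccounts module.

# Constructed placeholder allow-list; replace with the principals your
# organisation actually sanctions for local admin rights.
$Sanctioned = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, ideally disabled
    "CONTOSO\Domain Admins"              # placeholder domain group name
)

# Returns $true when the calling shell holds the Administrator role, i.e.
# anything launched from it (a browser included) would inherit full rights.
function Test-CurrentSessionElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Lists members of the local Administrators group that are not on the allow-list.
function Get-UnsanctionedLocalAdmins {
    param([string[]]$AllowList = $Sanctioned)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowList -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Report the findings for this endpoint.
if (Test-CurrentSessionElevated) {
    Write-Warning "This session is running with administrator rights; programs started from it inherit them."
} else {
    Write-Output "Current session is not elevated."
}

$unsanctioned = Get-UnsanctionedLocalAdmins
if ($unsanctioned) {
    Write-Warning "Members of local Administrators not on the allow-list:"
    $unsanctioned | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators group contains only sanctioned principals."
}
```

Run it from a standard (non-elevated) user session on a sample of workstations; any user account that shows up in the unsanctioned list is one whose browser, if exploited, would hand the attacker administrative rights rather than a limited profile.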
Jim Gogolinski's earlier paper titled Suggestions to Help Companies with the Fight Against Targeted Attacks is a solid and much-needed treatise on why enterprises should take the time to review how their network infrastructures are set up. The paper focuses on five avenues: infrastructure, data, incident response teams, threat intelligence, and performing penetration testing.
According to Gogolinski, a secure infrastructure depends largely on three factors: proper and logical segmentation of the network, the ability to log events and analyze those logs, and secure configuration of user profiles and workstations. Failing to lay this groundwork for security can be fatal to an enterprise. Our latest enterprise primer titled The Enterprise Fights Back: Securing Your Network Infrastructure Against Targeted Attacks discusses the security repercussions, in the context of targeted attacks, of not devoting the time and resources to this effort.