Hybrid work was, up until recently, billed as the future. However, post-Covid it has quickly been embraced by organisations and their employees who are wanting and demanding more flexibility. Work is no longer about place, and ‘more about people’s potential’ according to a recent Accenture study, which also found that 63% of high-growth companies have already adopted ‘productivity anywhere’.
While this has had a hugely positive impact on the work-life balance of many people across the globe, the move puts employees workstations at the edge, far beyond the ‘walls’ of the traditional corporate network. This makes them one of the easiest ways for attackers to compromise identities, launch ransomware attacks, exploit privileged credentials, and make their way into sensitive corporate networks.
This is a vastly unsecure situation for organisations to be in, and, often, during an endpoint attack, by the time incident response specialists are called in, the environment has already become overrun by threat actors.
Endpoints – especially workstations – must be protected before inevitable assaults. To do this, and speed up recovery efforts, the following fundamental Identity Security rules and safeguards should be adhered to:
1. Remove admin rights and ensure least privilege:
Employees frequently need to carry out an action which requires administrative privileges. While these are usually legitimate and necessary tasks, just-in-time privileged access enables teams to safely carry out work, but only in accordance with policy, at an appropriate time, and for the appropriate cause. This way, users don’t have to be given local administrative rights that could be abused by an attacker.
2. Secure local admin accounts:
Administrator accounts are used to install and update workstation software, set up system preferences, and manage user accounts. These are privileged accounts which attackers target with the aim of running ransomware and other malicious software, disabling antivirus software, and blocking disaster recovery tools. Moving local admin powers away from normal users and into a secure digital vault with credential rotation is the quickest and most straightforward way to secure employee workstations. Doing this reduces an adversary’s ability to move through a network and also lessens the impact of employee mistakes, such as falling for a phishing scam.
3. Application control policies:
The endpoint must be able to defend against attacks, as well as allow or deny known applications. To lessen the risk of ransomware, organisations must be able to “greylist” apps and implement advanced control policies to ensure workers only use secure and trusted applications.
4. Protect cached credentials:
Credential theft is one of the greatest risks to organisations today. They can be saved in memory by many common business apps, and many web browsers and password managers store application and website credentials locally. Because threat actors can frequently get cached credentials without ever requiring admin capabilities, having an endpoint security layer is essential.
5. Setting traps:
Endpoint protection technologies that support privilege deception functionality, such as the capability to generate phoney “honeypot” privileged accounts, can help identify potential attackers right away.
6. Monitoring privileged activities:
Attackers often fly under the radar while they test a network’s defences. By proactively monitoring privileged workstation activity, organisations can automatically identify and stop adversaries before they move laterally, elevate privileges, or do significant harm.
Unfortunately, inadequately protected employee workstations are the perfect vulnerability for attackers to exploit, and often become just that. For the organisations looking to prevent against this and strengthen their security against harmful assaults, it’s vital they act swiftly to protect endpoints.
This is where the previously mentioned safeguards come in to play, and by adhering to the key mitigation steps, and embracing a layered defence-in-depth strategy, businesses can better isolate attacker activity, reduce the impact of a breach, and also regain control of their environments.
EMEA Technical Director
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.