Removing 24x7 administrator rights to break the attack chain

Presented by

JD Sherry, Chief Strategy Officer, Remediant

About this talk

The average ransomware attack spreads as follows: (1) the attacker phishes their way onto an employee workstation; (2) the attacker extracts admin credentials from the employee's workstation; and (3) the attacker uses those admin credentials to move laterally. So why were admin credentials present on an employee's workstation? JD Sherry of Remediant explores the role of administrator privileges in a breach and how securing 24x7 admin rights can sustainably prevent the spread of a breach beyond the first point of intrusion.

24x7 administrator access on endpoints can be used by attackers to spread ransomware and move from one machine to the next. This is an important concept to understand because:

1. A lot of 24x7 administrator access exists, and each account creates a point of exposure. For example, Remediant sees that the average employee workstation has 480 admins with 24x7 access to it.
2. This access is business justified (needed by systems administrators and IT helpdesks) and spreads over time.
3. Easy for attackers to find: these accounts are easy targets because they are easy to find, provide powerful access, and are always available.
4. Not easy for security teams to fix: 24x7 access is very hard for security or IT operations teams to find and clean up.

It's no wonder 74% of breached organizations admit to the involvement of a privileged account.
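The talk's point 4 is that standing admin access is hard to even find. As an added example (not code from the talk or from Remediant), the following PowerShell inventories the local Administrators group on a set of endpoints, expands nested domain groups to the individual accounts that actually hold the access, and reports a per-endpoint count that can be compared with the 480 figure quoted above. It assumes WinRM is enabled on the targets and that the ActiveDirectory (RSAT) module is installed where it runs; the host names are constructed.

```powershell
# Added example: inventory standing ("24x7") local Administrators membership.
# Assumptions: WinRM reachable on each endpoint; ActiveDirectory module available
# locally for nested-group expansion. Host names below are constructed samples.
$Endpoints = @('WKS-001', 'WKS-002')

# Direct members of the local Administrators group on each endpoint.
$direct = Invoke-Command -ComputerName $Endpoints -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{n='Host'; e={ $env:COMPUTERNAME }}, Name, ObjectClass, PrincipalSource
}

$canExpand = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
if ($canExpand) { Import-Module ActiveDirectory }

# Expand domain groups recursively to the user accounts behind them; a single
# nested group is usually how a workstation ends up with hundreds of admins.
$expanded = foreach ($m in $direct) {
    if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory' -and $canExpand) {
        $groupName = ($m.Name -split '\\')[-1]
        Get-ADGroupMember -Identity $groupName -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Host = $m.Host; Account = $_.SamAccountName; Via = $m.Name } }
    } else {
        [pscustomobject]@{ Host = $m.Host; Account = $m.Name; Via = 'direct' }
    }
}

# Per-endpoint count of distinct principals with standing admin rights.
$expanded | Group-Object Host | ForEach-Object {
    [pscustomobject]@{
        Host       = $_.Name
        AdminCount = ($_.Group.Account | Sort-Object -Unique).Count
        ViaGroups  = ($_.Group | Where-Object Via -ne 'direct' |
                      Select-Object -ExpandProperty Via -Unique) -join ', '
    }
} | Sort-Object AdminCount -Descending | Format-Table -AutoSize

# Accounts present on every endpoint are the first candidates for replacing
# standing membership with time-bound (just-in-time) access.
$expanded | Group-Object Account | Where-Object { $_.Count -ge $Endpoints.Count } |
    Select-Object @{n='Account'; e={ $_.Name }}, @{n='Endpoints'; e={ $_.Count }}
```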
