
Environment: small engineering company (<50 employees) and everyone is local administrator on their computer, including everyone in the management group.

Setup: Some standard security features are in place: NGFW, (N)IDS, (H)IDS, DLP, segmented network, anti-malware on each client, local FW, Windows Update, automated third-party software updates on each client, lockout policy, OSSEC agents on all servers.

Problem: when malware hits (and it does!) infection is much worse when user is admin.

Sought solution: protect the VIPs in the management group from malware infection (or rather: malware infecting the entire computer), since they are at high risk of being "spear phished".

First step is of course to make them standard users. So far so good, but they demand admin rights in case they need to (without calling helpdesk). I'm willing to give this to them in a transition period, but it can't be as easy as giving them a local admin account as well, since they will most probably just use that account all the time. I'm thinking of some kind of OTP solution or similar to give them a big enough hurdle to get over if they absolutely need to be admin. Suggestions?

I realize that malware infections will still be a problem for the engineering group but that's a future project.

gen_Eric
  • I'd explain to them that it is a conflict of interests. Their computers have access to data of the highest sensitivity. It's like the president not wanting the Secret Service's protection. – Andrew Hoffman Jan 12 '15 at 16:25
  • I just can't wrap my mind around letting management people have local admin rights... Good luck, you're gonna need it. – efr4k Jan 12 '15 at 16:26
  • Management having local admin rights is a pentester's (or worse, an attacker's) dream. Management tend to be rather... lax with their IT security, either through bad passwords or not screening their emails before opening attachments. They really, really should not have local admin. – AlexH Jan 12 '15 at 16:36
  • The title should read: "How to protect the company VIPs from themselves" – Deer Hunter Jan 12 '15 at 17:26
  • One of the CEOs that I may or may not have worked for was constantly leaving their computers unlocked while away from their desks. Indeed the more powerful the login, the more they seem to leave their comps unprotected. – Andrew Hoffman Jan 12 '15 at 18:09
  • BeyondTrust makes a product to help with these types of situations. Search for "PowerBroker for Windows: Privilege and Session Management". And no, I don't work for BT. – k1DBLITZ Jan 13 '15 at 02:08

6 Answers

This is a common issue, and the one thing that you have to keep in mind is that InfoSec serves the company. Your management team runs the company, so their needs are the company's needs.

Your job is to educate, educate, educate, not only with technical detail, but with financial impact and risk analysis. But, in the end, it's their call.

If they still decide to maintain local admin rights, then you need to have a plan in place to mitigate the risks of that happening, and educate them on the costs and risks of that plan.

It can be easy, as technical folks, to preach the "best practice", but the company's interests need to be served, even if you don't agree with it. Educate, build relationships, and create backup plans, but in the end it is the management's call.

schroeder
    And management must 'own' this decision. i.e. it must be documented that you gave them the professional security opinion of the risks involved, and the risk log has the name of the director responsible for the decision. – Rory Alsop Jan 13 '15 at 11:06
  • @RoryAlsop Exactly. Management cannot be allowed to make personal decisions that impact the company and then try to shift the responsibility of that decision later onto the folks implementing it. – schroeder Jan 13 '15 at 16:52

Issue them two laptops: general purpose, and high-security.

The general purpose laptop is somewhat like you describe, a balance between security and usability. In fact, your security steps are pretty good, certainly better than average. Hopefully you will keep common viruses off, but you'll never stop an advanced attacker.

The high-security laptop is only for accessing internal systems, and performing sensitive work. There is no web browsing access, so no scope for browser-based malware. You firewall it completely, except for a VPN connection back to base. Allow access to an internal document store that is only for the VIPs. Potentially also have a secure encrypted email system (ask a separate question for more details).

Essentially, this is air-gapping the laptop, although it's not quite a 100% air-gap. You can potentially do this on a single laptop, using virtualisation or thin-clients. Such deployments are rare, but I am starting to see them in commercial environments.

paj28

If you work somewhere with someone at the top willing to back you when you say "no", the answers about restricting management are the best. On the other hand, if it's the owner/CEO insisting and they can't be dissuaded, then less effective strategies may be needed.

Most of the other answers are better but I'd like to add one nice approach I was told of.

The CEO has their normal user-level account which they can log in with, and they also get an admin account and password with login disabled (to prevent them using it as their normal account) but which can be used for when the user wants to elevate something.

The accounts and passwords were variations on this theme:

Username:"This is a Virus" Password:"RunVirusNow!-&FDK£)S*SJK"

In the case of the person telling the story, problems with infections dropped dramatically as users had to have this in their face before they could run anything which did in fact make them think for a moment.

Murphy
  • This is interesting and I really would like this solution to work. I tried the solution you describe before but could not get it to work. I created a local admin account and set the "Deny log on locally" flag. But when I did that and tried to use that account to elevate permission (for example to install a program) it just said "logon denied". Any ideas? – user1298720 Jan 15 '15 at 08:58
  • Get inventive. After all, you only really want to prevent the users who know almost nothing about computers from being able to use the local admin account for logging in for everyday stuff. If they're determined and know what they're doing they can defeat most measures, but the ones who know what they're doing are a small minority. Something as simple as a startup script which logs them off immediately will stop most people from using an account like that, though I'm sure there are better solutions. If they ask, explain again that the account isn't supposed to be used for logging in with. – Murphy Jan 15 '15 at 11:13
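The thread above wants an admin account that exists for elevation but is not used for everyday logon. As an added example (not code from the answer or its comments), this scans a constructed export of Windows Security logon events for the "This is a Virus" account: every successful logon is reported (the "email on use" list), failures are counted, and any host where the account was used on several distinct days is flagged as routine use. The export format, hostnames and user `jdoe` are constructed; event IDs 4624/4625 and logon types 2/10 are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime

BREAK_GLASS = "This is a Virus"  # account name used in the answer above

# Constructed sample export: timestamp, event id, account, logon type, host.
# 4624 = successful logon, 4625 = failed logon; type 2 = interactive, 10 = RDP.
SAMPLE_LOG = """\
2015-01-12T08:01:00,4624,jdoe,2,CEO-LAPTOP
2015-01-12T08:05:30,4624,This is a Virus,2,CEO-LAPTOP
2015-01-12T09:12:11,4624,jdoe,3,FILESRV
2015-01-13T08:02:00,4624,This is a Virus,2,CEO-LAPTOP
2015-01-13T08:40:12,4625,This is a Virus,2,CEO-LAPTOP
2015-01-14T08:00:45,4624,This is a Virus,2,CEO-LAPTOP
2015-01-14T17:22:09,4624,This is a Virus,10,CFO-LAPTOP
"""


def parse_log(text):
    """Turn the constructed CSV-style export into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, account, logon_type, host = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "logon_type": int(logon_type),
            "host": host,
        })
    return records


def audit_break_glass(records, account=BREAK_GLASS, max_days=1):
    """Report every use of the break-glass account and flag hosts where it
    was used on more than `max_days` distinct days (i.e. as a daily account)."""
    uses, failures = [], 0
    days_per_host = defaultdict(set)
    for rec in records:
        if rec["account"] != account:
            continue
        if rec["event_id"] == 4625:
            failures += 1
            continue
        if rec["event_id"] == 4624:
            uses.append((rec["time"].isoformat(), rec["host"], rec["logon_type"]))
            days_per_host[rec["host"]].add(rec["time"].date())
    routine = {h: len(d) for h, d in days_per_host.items() if len(d) > max_days}
    return {"uses": uses, "failures": failures, "routine_hosts": routine}
```

Each entry in `uses` is what the "automatic email on use" would carry; `routine_hosts` is the signal that someone has quietly made the break-glass account their main one.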

I agree 100% with most of the other answers that state you must protect the VIPs from themselves; the worst problems I've ever seen come from director or C-level management doing things like clicking on the "I Love You" virus on their work email account.

That said, there's a fine line on the road to securing the company's data that, when crossed, triggers the resume update process. You must educate them, and help them, and try to solve the business goal within the business constraints.

So far so good, but they demand admin rights in case they need to (without calling helpdesk).

This "in case they need to", do they (formally) expect it to be often? If they expect it to be rare, then they should not need their main logon to have them, which leaves you with a variety of options. You'll need to use your knowledge of them and your company to make a case for anything other than "Just give our main accounts domain admin rights all the time".

  • If they only need this when they're in the office, and perhaps when only one of them is available, then put a domain admin username and password in a safe, perhaps with an old-fashioned wax seal on the envelope, labelled "Break in case of administration" or whatever your company likes.
    • Audit logins for that use regularly; preferably, set up an automatic email on use.
    • Audit the envelope regularly.
    • Advanced class: Two keys required, not just one, perhaps an Apricorn encrypted thumb drive or similar.
      • You guessed it, STILL put the thumb drive in a sealed envelope.
  • If they need this remotely, and when only one of them needs it, BUT when they can contact another one (phone, email, etc.), then you have an exotic option (with other benefits)!
    • Read Is there an algorithm to securely split a message into x parts requiring at least y parts to reassemble?
    • Implement one of those algorithms, and let management decide what X and Y need to be.
      • Encourage them to make Y strictly greater than two.
      • Note that they do NOT need to contact helpdesk, but if one of them does need domain admin rights to do something, this technique requires at least Y-1 other members of the management team to approve of their access (or lose their key part, whichever).
      • In the ideal case, it also means that whoever's dealing with the critical issue has at least Y-1 other people to bounce an idea off of, or to help them out, or at least know something about what the blazes happened the next morning.
    • Audit logins for that use regularly; preferably, set up an automatic email on use.
    • Note that high end encryption products like Vormetric use this technique to split up the encryption key for their own HSM (Hardware Security Module) backups.
  • If all else fails, give them each two accounts; a normal account with the normal, probably very weak 8 character minimum password... and a domain admin account with a "more secure" 15 to 20 character password.
    • Read Dedicated password policy process for domain admin accounts
    • The goal here is simple; make it enough more annoying to use the domain admin account than their regular account that they're materially less likely to log in with their domain admin account all the time.
    • You have to drink the Kool-Aid; ALL domain admins must follow the policy.
  • Mix and match.

I am a little curious about the "without contacting the helpdesk" part of their requirement; is the helpdesk understaffed, is there a silo/fiefdom mentality, personal friction, or something else? You may want to try addressing this as well.

Anti-weakpasswords
  • A lot of good ideas and tips from everyone. Thank you. Regarding you question about helpdesk: Yes, unfortunately the HD is understaffed. Else that would probably be the easiest solution. – user1298720 Jan 15 '15 at 08:50
In this situation what I would do is:

Make an AD domain (the Linux equivalent is Kerberos and OpenLDAP). Build the whole infrastructure, and also give users the right to install and uninstall software, but have a firewall that has IP blocking. Implement policies that would best fit how tech-smart people are with their computers. Of course you would need to push the Active Directory domain join, which you could do with this script: http://portal.sivarajan.com/2010/04/add-workstation-to-domain-batch-file.html . Also have an endpoint antivirus and do constant backups of desktops. I personally feel this is the best and most long-term solution ;)

Solution Numero 2:

Deploy virtual machines (look into P2V) to all computers, make automatic snapshots every hour, and roll back if any virus happens. In my humble opinion the best hypervisor for this is Hyper-V.

Ersats

I would suggest a dual-boot machine here, where a read-only, encrypted Linux live partition contains everything you need to access sensitive things, and a general-purpose Windows partition where you have full admin access, but no access to sensitive things.

Since the sensitive partition is read-only, it does not matter which virus you get, nothing can affect the encrypted partition.

I would suggest giving your employees this, preloaded with a Linux live OS and any static sensitive information (like passwords and such): http://www.apricorn.com/products/hardware-encrypted-drives/aegis-secure-key-3-0.html . This USB memory can be configured to only allow read-only access unless an admin PIN is used. You can also specify timeouts and such. Then the memory will be completely invisible to the host OS unless a PIN is entered, and when the PIN is entered, only read-only access is allowed. Then enter PIN -> start computer = boot into secure mode. Just start computer = boot into insecure mode.

Then you are 100% secure. Since nothing can affect the read-only memory, you can be sure that even if the Windows partition is filled to the brim with viruses, nothing can affect the secure partition.

sebastian nielsen