A record number of Microsoft vulnerabilities were discovered last year and most could have been mitigated by removing administrative rights.

That’s according to BeyondTrust’s new Microsoft Vulnerabilities Report, which includes an annual breakdown of security vulnerabilities facing organizations today, as well as a five-year trends analysis aimed at better equipping organizations to increase their IT security, and keep networks and systems safe.

Morey Haber, BeyondTrust‘s CTO and CISO, tells us it’s a safe assessment that most organizations do not have the staff or experience to remove administrative rights, implement least privilege and report on risks accordingly.

BeyondTrust’s Morey Haber

“In general, most businesses lack the IT/IS staff to get all of their risks under control, period,” he said. “The report highlights the benefits of when administrative rights can be removed and if a business cannot do it themselves, leveraging an MSSP with experience across multiple organizations provides a robust strategy to realizing the benefits highlighted in the report.”

Now in its seventh edition, this year’s report identified the following highlights:

Further analysis shows on average over the last five years, 83% of all critical vulnerabilities published by Microsoft could have been mitigated by security teams removing administrative rights from users, according to the report.

“Most organizations are not removing administrative rights due to FUD (fear, uncertainty and doubt),” Haber said. “They are under the impression everything will break and [the] end user will revolt if they do. In addition, they may be unaware of the security benefits they gain if they do. So most organizations continue to make the same mistakes they have done in the past and even follow obsolete security guidance of providing users two accounts: one as a standard user and one as a local administrator. The truth is, there are tools to solve this problem – even within the native OS – that make the removal of administrative rights possible. IT/IS teams just need to learn how to do it safely and without impacting productivity.”

Removing administrative rights is a top priority, and even analyst firms like Gartner have been recommending privileged access management as a CISO top priority, he said. It is up to the business to embrace the concepts, and implement technology and procedures to overcome the challenges. Therefore, it is not a matter of priority, but rather just getting it done, Haber added.

“Threat actors are always searching for the easiest method to exploit a resource,” Haber said. “The vulnerabilities themselves may be trivial, but if a threat actor can gain administrative rights through exploit code, phishing or even poor credential management, they will compromise an asset. Therefore, it is in the hacker’s best interest to find any method possible to hack a system and then leverage credentials to continue their activity.”

There has been a slight decrease in the number of vulnerabilities that can be mitigated through the removal of administrative rights, he said. In addition, key applications also are highlighted and prove that if they are not executed with administrative rights, document vulnerabilities also are mitigated. This is yet another reason people should not …

… log on and use administrative privileges on a daily basis.

“Removing admin rights is not just about security,” said Sami Laiho, Microsoft MVP and ethical hacker. “Removing admin rights will also allow your computers to run faster, better and longer, with [fewer] reinstallations. My larger customers have measured a 75% reduction in the amount of help-desk tickets after removing admin rights, resulting in a more secure and productive environment for extended periods of time.”

Also Tuesday, WatchGuard Technologies‘ Internet Security Report for Q4 2019 shows evasive malware grew to record-high levels with more than two-thirds of malware detected by WatchGuard’s Firebox security appliances evading signature-based antivirus solutions. Evasive malware is becoming the rule, not the exception, and companies of all sizes need to deploy advanced antimalware solutions that can detect and block these attacks, it said.

In addition, WatchGuard found widespread phishing campaigns exploiting a Microsoft Excel vulnerability from 2017. This “dropper” malware downloads several other types of malware onto victims’ systems, including a keylogger named Agent Tesla that also was used in phishing attacks in February that preyed on fears of a coronavirus outbreak. 

“Our findings from [the fourth quarter] show that threat actors are always evolving their attack methods,” said Corey Nachreiner, WatchGuard’s CTO. “With over two-thirds of malware in the wild obfuscated to sneak past signature-based defenses, and innovations like Mac adware on the rise, businesses of all sizes need to invest in multiple layers of security. Advanced AI or behavioral-based antimalware technology and robust phishing protection like DNS filtering will be especially crucial.”