The Bundesamt für Sicherheit in der Informationstechnik (BSI), the German government’s office for information security, had issued an advisory asking Windows user to keep their machines up to date through updates and patches, as well as using multiple browsers, and avoiding the Java programming language wherever possible.
Java in particular, says the German IT agency for security is potentially problematic, owing to the number of security issues it creates.
To illustrate the problem with unpatched systems, the BSI two Windows 7-based systems which were fully patched.
One system used Google Chrome 21, Adobe Reader X, Libre Office 3.6 and a standard user account. The second system uses Internet Explorer 9 plus an older version of Adobe Reader (v9.4) and Libre Office 3.4, as well as 12 month old version of Java plus an older versions of Adobe Flash, all running on an admin account.
Commenting on the results of the study – which found the second system was significantly susceptible to attacks – security vendor Avecto says the German IT security agency has recognised that the effective management of user rights is a very important part of building a secure desktop.
Paul Kenyon, chief operating officer with the Windows privilege management specialist, said that the test system, which followed the BSI guidelines, did not suffer an infection, but the second, less secure system, suffered security flaws and infections to the machine.
“What is worth noting here is that the agency seems to favour the better protected desktop as the one that was up to date with its security patches, but our take-out is that the better protected desktop was running as a standard user, whilst the desktop that was compromised was running under admin rights,” he said.
“This reinforces our long-standing advice to IT security professionals that careful control of privileged account management is central to the security strategy of any organisation, as least privilege translates to least risk when it comes to the security profile of a given system or group of systems,” he said.
Kenyon went on to say that Windows users should also keep their systems up to date, as well as reducing the levels of risk still further by avoiding the use of Java wherever possible, and user different Web browser software for specific applications where possible.
More than anything, Kenyon says, the results of this German security agency test confirms that defending an IT system now requires multiple layers of security, as well as a firm handle on which features of the machine – the level of privileged access to high-level administration features – the user account gains access to.
The bad old days of using a single IT security application across all computers and using a `set it and forget it’ strategy are now giving way to a more refined approach centering on patch management, use of multiple security applications and an effective Windows privilege management approach, he adds.
“Effective Windows security in the Year 2012 is a lot more complex than many IT users realise. The tests carried out by the BSI are an excellent confirmation of this, but IT security managers should not ignore the key issue of Windows privilege management,” he said.
“It only takes the failure of a single element of a security strategy to allow malware in and, as this BSI test shows, the results can be quite devastating. Security requires a holistic approach, and our observations are that IT security professionals clearly need to factor in Windows privilege account management alongside their other defence strategies,” he added.