Previous chapters in the Moving to a Least Privileges Environment eBook series highlight the feature and functional values that an organization sees when using a privilege management product. The new chapter (Chapter 7) ties in the final puzzle piece that explains in detail the business benefits derived by utilizing a privilege management solution to manage administrative privileges for standard and privileged users.  The chapter makes the business case for ROI when deploying a privilege management solution.

Chapter 7 and the entire eBook series can be downloaded here.

It’s always a boost to have a day to dedicated to spreading awareness about best privacy practices.  Every day, peoples’ personal information is digitally shared and collected and everyone has the right to be concerned with exactly how the information is being collected and shared. Data Privacy Day is meant to do just that- let people know how their information is being collected, stored, used, and shared.  The awareness of privacy doesn’t just apply at the consumer level but also at businesses, state and federal government levels.  They need to rethink and question if they are doing enough to protect data privacy and if they are complying with consumer protection laws. 

In today’s highly vulnerable online corporate environments, implementing IT security has become a top priority and companies take the matter of protecting and securing their customers’ data quite seriously.  Embarrassing security breaches not only prove costly to a company’s reputation and bottom line, some can even go out of business.  Protecting personal data is not just a corporate responsibility, it is also up to individuals to be aware of what they can do personally to keep their personal data safe and secure.  For many of us, clicking on that link in our online banking web session that advertises the latest and greatest in identity protection is too often seen as just that – an advertisement.  Just like in the corporate environment where data protection is of utmost importance, and ever evolving, this mindset needs to reach to us as consumers as well. After all, the most probable help to drowning people is expected from drowning people themselves.

More information on Privacy Data Day can be found at http://www.staysafeonline.org/dpd/about

Four-part Webcast Series to Focus on Least Privilege Management as a Fundamental Layer of IT Security Protection

The first webinar in the series, "Top 10 tips for Removing Administrator Rights," will be held on Thursday January 26, 2012 at 11 a.m. Pacific / 2 p.m. ET.   This webcast will prevent tips for removing administrator rights on endpoints without impacting user productivity.  The tips will be followed by an actual use case presentation by Monique Sendze, associate director of Information Technology for Douglas County (State), who will share the proactive steps they have taken to secure their computers by removing admin rights and managing privileges for standard users via automated policies.

To register for this webinar, visit the registration page 

Cindy Meinke of Coretek Services wrote about application virtualization with User Account Control (UAC) challenges.  Cindy mentions that Viewfinity Privilege Management is one solution to handle the UAC prompt challenge.

With the migration to Windows 7 the introduction of UAC prompts can be somewhat of a disruption to end users.  Viewfinity helps IT admins manage UAC prompts by suppressing or customizing the UAC dialog. This solution to handle UAC prompts available through Viewfinity Privilege Management provides for a critical requirement by customers—a better user experience.

Here’s a more technical explanation that is tied to the issues presented in the Coretek article.  While it is true that application virtualization may simplify the issue of managing UAC and elevated rights, not all applications and tasks can be effectively virtualized. For example, applications with embedded manifest “requestedExecutionLevel” containing admin rights or browser based ActiveX controls cannot be virtualized. UAC and the management of general Windows administrative tasks is a separate issue which cannot be easily addressed without third party tools such as Viewfinity Privilege Management product.

Here are just a few examples of administrative tasks that will cause a UAC prompt:

• Installing and uninstalling applications
• Installing device drivers
• Installing ActiveX controls
• Changing settings for Windows Firewall
• Configuring Windows Update (XP)
• Adding or removing user accounts
• Changing a user’s account type
• Running Task Scheduler
• Restoring backed-up system files
• Viewing or changing another user’s folders and files
• Running Disk Defragmenter

Drilling into the Viewfinity Privilege Management product, it not only elevates privileges and/or reduces permissions on individual applications, admin tasks, or ActiveX controls, but also provides a policy automation workflow that automatically generates policies based on approved applications or on-demand self-elevation.  Viewfinity Privilege Management fully integrated with UAC management can suppress UAC prompts and/or replace it with a Viewfinity justification dialog box.  The dialog box is where the end user can submit his justification for requesting elevated rights. Bringing it full circle, our audit report feature captures events with UAC usage stats and collects important information for security audits such as the use of unauthorized credentials in UAC and which actions were performed as result of unauthorized activity.

Ericka Chickowski, Contributing editor for Dark Reading published the Top 10 PCI Compliance Mistakes. Ericka outlines the top 10 common mistakes organizations need to avoid when trying to be PCI compliant in 2012.

The number 1 mistake as agreed by Ericka Chickowski and Leonid Shtilman, CEO of Viewfinity is “Not Following Rule of Least Privilege.”

“No More, No Less--- Only the least privileges required,” says Leonid.  This is important because when organizations are making efforts to comply with PCI compliances, they should make sure they are following the rule of least privileges in every step.  Not every user needs to access all data which means they should only be granted administrator rights to those applications and processes needed to accomplish their job.

Viewfinity interviews Phil Lieberman of Lieberman Software on IT Security: 

  Mr. Lieberman has more than 30 years of experience in the software industry. In addition to his proficiency as a software engineer, Mr. Lieberman is an astute entrepreneur able to perceive shortcomings in existing products on the market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions to resolve the security threat of privileged account credentials.

1. It seems like a week doesn't go by without an IT news story describing a high profile data breach at a large company or government agency. Why is this such a frequent occurrence? And what are the most common mistakes that IT groups make when it comes to protecting their organizations' against security threats?

Fundamentally most companies provide too much access for too long to too many people with no monitoring or controls.  There is also little thought given to limiting damage that can occur with super user credentials that are never changed and widely used.

2. What should IT groups be doing to better secure access to their sensitive data? What security products and/or processes are involved?

The first step is to identify sensitive resources and classify who has access and how this can be controlled and monitored.  Organizations also need to identify direct access methodologies as well as side channels to access.  It is also a good idea to consider the introduction of silos that separate data by both physical and logical means.

3. You've been in the security software industry for more than 30 years. Based on your experience, what new or emerging IT security threats do today's IT groups need to be aware of, and why?

Cutting corners to save money and the general attitude that security is a commodity are the greatest security threats today.  This goes in line with the idea that outsourcing myth that says that external entities located off-shore provide the magical properties of reducing IT costs as well as access to superior security and technology at bargain basement prices.  The threat is simply that security requires vigilance and effort as well as money and smart people that must be part of your own organization.

4. On January 12 you're co-hosting a webinar with Leonid Shtilman of Viewfinity. What are the key advantages that you hope the attendees will gain from the session?

It is now practical to achieve enterprise-wide superuser password management quickly (less than a week) and permanently with the right technology solution.  When possible, it is best to not disclose superuser credentials, but instead escalate applications to a super user privilege when appropriate. 

With both our technologies we allow end-users to achieve their business objectives that require super user access, but we also provide real security by proactively managing the actual superuser credentials where they are stored and where they are used.

Our combined solutions provide fully automated password management and privileged account auditing along with elevation of privileges for applications or to reduce permissions for privileged users on specific applications and tasks in a least privilege environment.  This help companies increase security by achieving least privileged access to programs, as well as the removal of shared knowledge of superuser credentials and their anonymous use.

Sign-up for the Lieberman Software and Viewfinity webinar on January 12, 2012 by clicking here.  

Wednesday January 11, 2012 2:00PM EST

In this joint webinar, Viewfinity and PolicyPak will demonstrate how to best protect your endpoints with true desktop and application lockdown, and manage the lockdown environment so that user productivity is not impacted.  

Alex Shoykhet, VP of Product Management at Viewfinity, will demonstrate a best practice approach for using Microsoft Active Directory and Group Policy to manage administrator rights for standard users.  The demo will kick off with tools for removing administrator rights and then segue into how to manage privileges for standard users with zero impact on user productivity.  This is done via Viewfinity's end-to-end approach for managing admin rights such that end users don’t need to involve the help desk every time a user needs admin rights.

Next the PolicyPak team will demonstrate how to lock down individual applications by controlling settings within the application.  PolicyPak prevents users from manipulating important settings, but also quietly reapplies misconfigured settings if a user or application happens to work around them. You’ll learn how to answer questions such as “How are you able to guarantee key application and operating system settings for users?” and “How can you prevent users from messing up their apps?” and “How can we prevent application pop-ups and application questions?”

Register for a seat here. 

Info Security Products Guide, the industry's leading information security research and advisory guide, has named Viewfinity a finalist in the three top categories applied for in the  2012 Global Excellence Awards Products and Services Excellence nominations. The categories for which we applied are directly related to the value we provide to our customers. The fact that our product is a finalist in categories that are based upon actual use case scenarios distinguishes our success and validates our relentless drive to provide tangible value.  More information related to why our customers were chosen can be viewed in our online case studies, which explains how we have align our product to meet their needs.

The finalist categories for Advanced, Ground-breaking products are:

·         Security Products and Solutions for Education

·         Best Deployment and Case Studies in the USA

·         Policy Management

Do the terms “hacker” or “cyber attack” catch your attention?  They should and if they don’t then you should definitely read “Experts to business owners: Beware of hackers” by Charles McChesney of The Post-Standard. While there are endless attempts from cyber criminals to compromise your network, there are ways to significantly mitigate these attempts. 

A fundamental approach and best practice is implementing and enforcing the “principle of least privilege” at your company.  Employees will be limited to only parts of the network and to applications they need to perform their daily work functions.  This means employees cannot install suspicious software or manipulate system settings.  This reduces the risks of viruses entering your network such as “crimeware” that captures keystrokes similar to what happened to the Central New York Business owner in the article. 

Be proactive, remove administrator rights from your end users and manage the permissions standard users require through automated policies.