CONTROL: Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
This control is misunderstood and doesn’t solve the sensitive data protection problem. The real issue today is not “a machine has been compromised”. It’s “data on a machine has been exfiltrated out of my network”. In this case, it doesn’t matter whether a user is admin or not. The data stored by the user is the key. The Infostealing class of malware (32% of our malware infections) searches your system for PII like SSN, CCN, Passport #, DMV #, and bank account info. It runs in the user context, and that’s where the data is.

Full Disk Encryption (FDE), aka Whole Disk Encryption (WDE), is an example of a misunderstood data protection control. Typical WDE products include TrueCrypt, BitLocker, and PGP products. Users believe their data is protected by FDE all the time. FDE is effective only if the device is powered off; once the device is powered up and unlocked, the volume key is in memory and every read is transparently decrypted. Infostealing malware running in a user’s context will be able to decrypt any file the user is able to access and open. FDE provides no protection in this case. File level encryption (FLE) in conjunction with FDE provides the best level of protection of sensitive data files.
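The FDE-versus-FLE point above, as an added Python illustration (not code from the original post): a simulated whole-disk volume that returns ciphertext only while “powered off” but hands plaintext to any process once unlocked, beside a file that is separately encrypted with a per-file passphrase the session does not hold. A small PII discovery scan (SSN pattern, Luhn-checked card number) stands in for what any process running as the user can read. The cipher is a toy HMAC counter-mode construction used only to make “at rest versus in session” concrete; it is not what TrueCrypt, BitLocker or PGP use. File names, passphrase and PII values are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import struct

# Constructed sample data for the demo (not from the original post).
PAYROLL = b"Employee record: name J. Doe, SSN 123-45-6789, salary band 4\n"
CARDS = b"Corporate card on file: 4111111111111111 exp 12/29\n"
PASSPHRASE = "per-file passphrase held only by the data owner"  # hypothetical


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: HMAC-SHA256(key, nonce||counter) as keystream.
    Illustration only; real FDE/FLE products use vetted ciphers such as AES."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block_key = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class FdeVolume:
    """Whole-disk encryption model: bytes at rest are ciphertext, but once the
    device is unlocked the volume key sits in memory and every read by every
    process in the user's session transparently returns plaintext."""

    def __init__(self) -> None:
        self._volume_key = os.urandom(32)
        self._at_rest: dict[str, bytes] = {}
        self.unlocked = False  # False models "powered off / pre-boot"

    def write(self, path: str, data: bytes) -> None:
        if not self.unlocked:
            raise PermissionError("volume locked")
        self._at_rest[path] = encrypt(self._volume_key, data)

    def read(self, path: str) -> bytes:
        if not self.unlocked:
            raise PermissionError("volume locked: disk holds only ciphertext")
        return decrypt(self._volume_key, self._at_rest[path])

    def paths(self) -> list[str]:
        return list(self._at_rest)


def fle_encrypt(passphrase: str, data: bytes) -> bytes:
    """File-level encryption: key derived from a passphrase the session does not cache."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return salt + encrypt(key, data)


def fle_decrypt(passphrase: str, blob: bytes) -> bytes:
    salt, body = blob[:16], blob[16:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    return decrypt(key, body)


SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CCN_RE = re.compile(r"\b\d{16}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Defensive data-discovery check: which PII is readable in this text?"""
    hits = [("SSN", m) for m in SSN_RE.findall(text)]
    hits += [("CCN", m) for m in CCN_RE.findall(text) if luhn_ok(m)]
    return hits


def demo() -> dict:
    vol = FdeVolume()
    vol.unlocked = True  # user has booted and logged in
    vol.write("hr/payroll.txt", PAYROLL)                          # plain file on the FDE volume
    vol.write("hr/cards.enc", fle_encrypt(PASSPHRASE, CARDS))     # FLE file inside the FDE volume
    results = {}
    # 1. Device powered off: FDE does its job, nothing is readable at all.
    vol.unlocked = False
    try:
        vol.read("hr/payroll.txt")
        results["fde_locked_readable"] = True
    except PermissionError:
        results["fde_locked_readable"] = False
    # 2. Device unlocked: a process in the user's context reads every file as plaintext.
    vol.unlocked = True
    session_view = b"\n".join(vol.read(p) for p in vol.paths())
    results["fde_unlocked_hits"] = find_pii(session_view.decode("latin-1"))
    # 3. The FLE file stays ciphertext in-session until the passphrase is supplied.
    results["fle_no_key_hits"] = find_pii(vol.read("hr/cards.enc").decode("latin-1"))
    results["fle_with_key_hits"] = find_pii(
        fle_decrypt(PASSPHRASE, vol.read("hr/cards.enc")).decode("latin-1"))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as-is: the SSN in the plain file shows up the moment the volume is unlocked, the FLE-protected card number does not, and only the passphrase holder can surface it. The same `find_pii` scan, run over a real home directory, is a reasonable first pass at deciding which files warrant the extra FLE layer.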
This focus on the device rather than the data is outdated. I used to say “there’s nothing on your computer that a hacker wants except your computer so they can attack others”. I no longer say that. They are after DATA. Users having admin privileges or not isn’t the defense against sensitive data theft. FLE plus FDE are effective layers of sensitive data protection.
It also solves the BYOD issue. We EDUs are amused by the commercial world’s panic over BYOD. We’ve been in that world since 1984. In 1984, we required students to purchase their own computers for their schoolwork. Yes, personally owned computers have been using our network since 1984. This forces the security model to be more like an ISP’s, where monitoring of network traffic is a primary defense tactic. If you focus on protecting the data rather than the device, then who cares where it’s stored (smartphone, mainframe, cloud, etc.).
The “restrict user administrative privileges” control is based on protecting the device and not the data on the device. It solves a 1990s problem, not the real 2013 problem of sensitive data protection.