Explain issues surrounding responsibility for operating system security flaws.

Security has traditionally been a secondary consideration when innovation is the primary driver for a technology. This has not changed since the mid-90s. Innovation of the operating system and its features is still hailed as the most important thing, because the perception persists that a technology must live at the bleeding edge of its industry if it is going to stay relevant.

With the above said, some vendors, like Apple, appear to develop and market security and innovation on par. Microsoft, however, loosely considers security a feature. While this is a debatable opinion, the history of products from each vendor suggests this conclusion, and their marketing reinforces this sentiment. Remember when Apple marketing stated that macOS could not get a computer virus? We all know better now. Microsoft Windows has never embraced security marketing in any similar manner – regardless of whether the claim was true or false.

Consider the transition to the cloud, or digital transformation, both of which were accelerated by the work-from-anywhere requirements normalized during the pandemic. But also consider features like autorun for CD/DVDs and USB removable media, guest file shares, and even access to the root operating system via C#. At the time, these were great ideas: innovations that lent a necessary competitive advantage. But the rapid-fire nature of innovation also lends itself to risk. If the security of an innovation is an afterthought, threat actors can quickly learn how to exploit it and use it as a conduit for malicious activity.

An analysis of what could go wrong, and of how to secure these innovative features, typically appears only after a vulnerability is discovered and an exploit is determined to present a risk to the business. After all, with all the cloud capabilities of OneDrive, Dropbox, Google Drive, etc., why do we even use server-based file shares in an environment? Additionally, with all the advanced remote access solutions on the market, why do we still use RDP? It is because we have technical debt, and other solutions, like backup utilities, that depend on them. These were all developed and released with innovation in mind and security added as an afterthought.

Administrative privileges are not always and inherently a bad thing – the problem arises where organizations fail, or are unable, to enforce granular control over their admin privileges. Going back to the earliest versions of Windows with built-in networking, administrative rights allowed you to do and access anything within your network. Back then, the operating system itself had no built-in security to control granular access or to provide role-based access and segregation of duties. In those times, most IT professionals just gave everyone administrative rights to their local system because it was the easiest way to ensure everyone had the varying levels of access they needed to do their jobs. The risks of provisioning blanket admin rights were not well understood, and the basic practice of making every user a local administrator was adopted almost everywhere.

Lack of granular control over administrative privileges remains a problem for many organizations today. This is especially true for environments that tried to mitigate the risk by handing out two credentials: one as a standard user for daily work and one as an administrator for tasks that need elevated privileges. When both are used on the same workstation, the risk to the environment is high, because memory-scraping attacks like pass-the-hash and credential-theft tools like mimikatz can pilfer the administrator's secrets from active processes. Currently, the innovation of the operating system still lags behind the security risk, and even mitigations like EMET were bolted on.

Once an application, malware, or user gains administrative rights, they can effectively do anything to the system. Imagine what happens when a superuser account is breached. A threat actor could have unlimited access to your entire network for as long as it takes your organization to detect the breach. The threat expands further in scope if that credential is valid across multiple systems. Even tools designed to protect against the abuse of administrative rights can be thwarted with some creativity, using lateral movement and the exploitation of vulnerabilities (i.e., privilege escalation).

Microsoft Windows today – has the threat pattern continued?

In the past, Microsoft has allowed Windows security concerns to lag behind the innovation of its operating systems. However, Windows security has matured significantly in recent years to better address some of these issues. According to data compiled by the BeyondTrust Microsoft Vulnerabilities 2022 report:

  • The number of vulnerabilities across Windows operating systems dropped to 507 (from 907 in 2020).
  • Windows vulnerabilities decreased by 40% YoY
  • Windows server vulnerabilities decreased by 41% YoY
  • Windows Critical vulnerabilities decreased by 50% YoY

That Critical Windows vulnerabilities have halved over the past five years reflects Microsoft's continued investment in building a more secure operating system. The overall vulnerability picture, however, remains mixed, as the reasons for the reductions remain slightly elusive. The decrease could be a result of:

  • Better security and coding practices
  • The end of life for products like Windows 7
  • The shift of services to the cloud
  • Or, most likely, a combination of all three.

While most of the Microsoft Windows vulnerabilities for 2021 point to the high risk of on-premises technology, the fact that most organizations are shifting to the cloud represents a notable potential alteration to the threat pattern. A shift to the cloud could potentially improve an organization's security by providing a more efficient way to mitigate risks and removing the burden of remediation from the IT security team. This does not mean cloud vulnerabilities do not exist, but rather that they are being remediated by the SaaS provider.

It is important to note that, as of the writing of this article, SaaS vendors are not obligated to publish CVEs like their on-premises counterparts. This ultimately makes it difficult for anyone to gather statistics on the impact of vulnerabilities in the cloud, unless they are actually exploited. This reinforces the importance of removing administrative rights to help mitigate exploitation, regardless of whether the asset is on-premises or in the cloud.

Microsoft has provided a solution for the threats the operating system faces every day when operated by the average user. One of the most profound threats, administrative rights for end users, can be solved by simply making everyone a standard user.

In the 2022 Microsoft Vulnerabilities Report, Russell Smith, Editorial Director, Petri IT Knowledgebase, urges that “it is critical that organizations continue to carefully manage administrative privilege use to protect against vulnerabilities in Microsoft’s software.” Smith adds that, “despite the importance of running with standard user privileges for protecting systems and data, it is still not possible to natively manage in Windows today. Organizations need to manage privileged access on endpoints in a flexible and secure way that reduces risks to the business while allowing employees to do their work”.

If an end user really does need local administrative rights for some obscure task, there are native tools from Microsoft and third-party vendors to accommodate those use cases without the risk of handing out secondary administrative credentials. While this may sound like a "bolt-on" approach to the original problem, it is a viable solution with merits such as documenting privileged access for regulatory compliance initiatives.
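As an added example (not from the original article or from any BeyondTrust product), the following PowerShell audit is the first step before converting users to standard accounts: it lists who is in the local Administrators group, flags anyone not on an approved allowlist, and shows which accounts actually used elevated privileges recently (Security event 4672). The allowlist entries and the CONTOSO domain group are constructed placeholders; it assumes Windows 10/11 or Server with the built-in LocalAccounts module, and reading the Security log needs administrative rights.

```powershell
# Added audit example (not the article's or BeyondTrust's code).
# Read-only: it reports, it does not remove anyone from the group.

# Constructed allowlist: the principals that SHOULD hold local admin rights.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally disabled)
    'CONTOSO\Domain Admins'              # placeholder domain group
)

# 1. Current membership of the local Administrators group.
$Report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name              # e.g. CONTOSO\jsmith-adm
        ObjectClass = $m.ObjectClass       # User or Group
        Source      = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD
        Approved    = ($Approved -contains $m.Name)
    }
}
$Report | Format-Table -AutoSize

# 2. Who actually logged on with sensitive privileges in the last 7 days.
#    Event 4672 property 1 is SubjectUserName; drop built-in service
#    accounts and machine accounts (names ending in $) to reduce noise.
$Since = (Get-Date).AddDays(-7)
$Elevated = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4672; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[1].Value } |
    Where-Object { $_ -notin 'SYSTEM','LOCAL SERVICE','NETWORK SERVICE' -and
                   $_ -notlike '*$' } |
    Sort-Object -Unique
Write-Host "Accounts that used elevated rights since $Since :"
$Elevated | ForEach-Object { Write-Host "  $_" }

# 3. Summarise and set a non-zero exit code so a scheduled job or RMM
#    tool can flag the host for follow-up.
$Unapproved = @($Report | Where-Object { -not $_.Approved })
if ($Unapproved.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of local Administrators: {1}" -f
        $Unapproved.Count, ($Unapproved.Member -join ', '))
    exit 1
}
Write-Host 'Local Administrators membership matches the allowlist.'
```

Running it from a scheduled task across the fleet turns the page's "make everyone a standard user" advice into a measurable baseline: hosts that exit 1 are the ones still carrying the dual-credential risk described above.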

The thing that makes BeyondTrust’s Privilege Management for Windows so unique is its combination of least privilege management and application control capabilities, which enable the solution to provide:

The goal of OS security is to protect the operating system from various threats, including malicious software such as worms, trojans, and viruses, as well as misconfigurations and remote intrusions.

What are the issues that are considered as security issues?

Security Issues means (a) any situation, threat, vulnerability, act or omission posing a risk of giving rise to a Security Incident, or (b) any breach of Supplier's representations or covenants in this Agreement and/or Order regarding safeguarding of UTC Information.

What are the security issues of using an unsupported operating system?

However, when software is no longer supported, these fixes are not developed and released, and the known vulnerabilities become easily exploitable. Running outdated software may make your organisation more vulnerable to viruses, malware, and ransomware attacks, and may compromise the integrity of your data.

What are three main security issues?

Top 15 Most Common Security Issues and How to Fix Them:

  • Ransomware Attack
  • Code Injection (Remote Code Execution)
  • Cross-Site Scripting (XSS) Attack
  • Data Breach
  • Malware and Virus Infection
  • DDoS Attack
  • Credential Stuffing Attack
  • Brute Force Attack