Overview
The Cyber Security Operations Centre (CSOC) frequently deals with alerts triggered by routine administrative changes, such as mailbox updates and user configuration modifications. When administrators perform such changes from unknown or unmanaged devices, the organisation is exposed to considerable cybersecurity risk. Below are some key concerns:
- Lack of Security Controls: Unmanaged devices often lack essential security features such as antivirus protection, firewalls, and encryption. This makes them more susceptible to threats like malware, ransomware, and other cyber attacks.
- No Monitoring: Unmanaged devices aren’t typically monitored for suspicious behaviour. Without proper oversight, any malicious activities or security breaches could go undetected for long periods, potentially increasing the extent of damage.
- Irregular Updates: These devices may not receive timely security patches or updates, making them vulnerable to known security flaws that attackers could exploit.
- Data Leakage Risks: Administrators have access to sensitive information. Using unmanaged devices raises the risk of data leaks through unsecured networks, unauthorised apps, or even physical theft of the device.
- Susceptibility to Phishing and Social Engineering: Unmanaged devices often lack advanced email filtering and network protection, making them more prone to phishing attacks and social engineering tactics.
- Compliance Violations: The use of unmanaged devices may result in non-compliance with industry regulations, potentially leading to legal penalties and reputational harm.
- Identity Theft: If an unmanaged device is compromised, attackers could gain access to administrator credentials, leading to identity theft and unauthorised entry into critical systems.
Our recommendations
To reduce the risks associated with using unmanaged or non-compliant devices, it’s important to enforce strict policies that require the use of managed and secured devices, especially for applications that handle sensitive data. Strong identity protection measures should also be implemented, alongside continuous training and awareness programmes for administrators.
As part of a privileged access strategy, using solutions like Azure Virtual Desktop (AVD) or Privileged Access Workstations (PAW) is considered best practice. These tools help ensure that administrative activities are both legitimate and lower risk. They also restrict administrator accounts so that they can only be used from a secured cloud PC, rather than from any device the administrator happens to have at hand.
A recommended approach is for users to perform everyday tasks on their regular work account while accessing the Virtual Desktop for administrative tasks via Remote Desktop. This should be combined with phishing-resistant authentication methods, such as FIDO2 or Passkeys. These secured machines can also be subject to stricter network controls and have fewer applications installed, reducing patching requirements and overall attack surface.
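As an added illustration, not part of the original guidance, the following Python snippet shows how a CSOC could triage the alerts mentioned in the overview against the controls recommended above: it walks constructed Entra-style sign-in records and flags privileged activity that came from an unmanaged or non-compliant device, or that did not use a phishing-resistant method. The record field names, the sample data and the set of methods treated as phishing-resistant are assumptions.

```python
"""Triage constructed sign-in records for privileged activity that violates
the 'managed device + phishing-resistant authentication' baseline."""
from dataclasses import dataclass

# Assumed set of authentication methods treated as phishing-resistant.
PHISHING_RESISTANT = {"FIDO2 security key", "Passkey", "Windows Hello for Business"}


@dataclass(frozen=True)
class SignIn:
    """One sign-in/audit record (field names are assumptions, not a real schema)."""
    user: str
    is_admin: bool          # user holds a privileged directory role
    device_managed: bool    # device is enrolled in device management
    device_compliant: bool  # device currently meets compliance policy
    auth_method: str        # method used to satisfy MFA for this session
    activity: str           # the administrative change that raised the alert


def assess(event: SignIn) -> list[str]:
    """Return the risk labels for one record; an empty list means it is acceptable."""
    findings: list[str] = []
    if not event.is_admin:
        return findings  # non-privileged activity is out of scope for this check
    if not event.device_managed:
        findings.append("admin-from-unmanaged-device")
    elif not event.device_compliant:
        findings.append("admin-from-noncompliant-device")
    if event.auth_method not in PHISHING_RESISTANT:
        findings.append("admin-without-phishing-resistant-auth")
    return findings


def triage(events: list[SignIn]) -> dict[tuple[str, str], list[str]]:
    """Map each flagged record, keyed by (user, activity), to its risk labels."""
    flagged: dict[tuple[str, str], list[str]] = {}
    for event in events:
        labels = assess(event)
        if labels:
            flagged[(event.user, event.activity)] = labels
    return flagged


# Constructed sample records (not real tenant data).
SAMPLE_EVENTS = [
    SignIn("alice@example.test", True, False, False, "Password + SMS", "Update mailbox settings"),
    SignIn("bob@example.test", True, True, True, "FIDO2 security key", "Update mailbox settings"),
    SignIn("carol@example.test", True, True, False, "Passkey", "Update user"),
    SignIn("dave@example.test", False, False, False, "Password + SMS", "Read own mailbox"),
]

if __name__ == "__main__":
    for key, labels in triage(SAMPLE_EVENTS).items():
        print(key, labels)
```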