Kansas Banker - October/November 2017

Safely Surfing

By Daniel Lindley, Security and Compliance Consultant, Conetrix

From our desktops to our phones, we are a connected society. We check email, social networking sites, news sites, message boards, and a large variety of other websites on a daily basis without thinking about the security implications of having billions of devices connected to countless interconnected servers that are run by people we have never met, through an Internet infrastructure that was created without security in mind. While this is scary enough to think of from a personal standpoint, it has even larger implications for businesses that store and transmit confidential company and customer data. There are, however, actions that can be taken to help mitigate some of the security concerns that go hand-in-hand with Internet browsing.

First, it is extremely important to limit system and network privilege levels for employees with Internet access. A recent analysis of Microsoft vulnerabilities by the security company Avecto revealed that 94% of critical Microsoft vulnerabilities reported in 2016 were mitigated by removing local administrative rights. In other words, if your employees don't have local administrator rights on their systems, the vast majority of critical Microsoft vulnerabilities would already be addressed without additional controls. Now, there are times when a vendor will push for local administrator privileges for employees in order for their software to run without issues. While this was acceptable many years ago, it is no longer a viable option, and other controls, such as limiting elevated privileges to certain directories through whitelisting, should be considered instead.
In addition to normal users, it is perhaps even more important that domain administrators do not browse the web while logged in with their administrative account, but instead use a standard account for normal tasks and only elevate when necessary. While an argument can be made that domain administrators are typically more security-minded than the standard employee, they also have far greater capacity to install malware on all of the systems in the network domain.
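As an added example (not from the article or its author), the following PowerShell audits the two controls discussed above: it lists any principal holding local administrator rights that is not on an approved list, and it checks whether the current session is running elevated. The approved-list entries are constructed placeholders; it assumes the Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 and Windows Server 2016 or later.

```powershell
# Added example: audit local Administrators group membership against an approved
# list so that unexpected standing admin rights can be found and removed.
# The approved principals below are constructed placeholders for illustration.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # hypothetical: the built-in local account
    'EXAMPLE\Workstation Admins'         # hypothetical: domain group for approved admins
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Each member object carries Name (DOMAIN\account), ObjectClass (User or Group)
    # and PrincipalSource (Local, ActiveDirectory, MicrosoftAccount).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Confirms whether the session used for everyday work (browsing, email) holds an
# elevated token, which the article advises against for domain administrators.
function Test-SessionIsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning 'Principals with local admin rights outside the approved list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group matches the approved list.'
}

if (Test-SessionIsElevated) {
    Write-Warning 'This session is elevated; use a standard account for browsing and email.'
}
```

Run it under the account that is used for day-to-day work on each workstation; anything reported by Get-UnexpectedLocalAdmins is a candidate for removal or for the directory-level whitelisting the article suggests in place of blanket administrator rights.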