If you are running a Windows domain and have Windows devices and Office, maybe with a splash (or more) of Chrome, this might be for you.
You may have spent some time implementing white lists (and/or black lists, restricted execution, unsigned blocking) for traditional installers - an attempt to reduce risk or just control the sprawl of various downloads. I am assuming malicious downloads are covered elsewhere and you have a scheme to update software, so put that to one side.
Now, there are plenty more very easy ways to add software that could be a risk, here are just four:
Lots of the software here will have some form of access to your computer and in some cases this goes much further and can access your entire active directory, automatically take data to a cloud service, and so on. You should at least start the journey to understand where your environment sits.
More info...
Adventures in Chrome
It would be sensible to lock this down and only approve extensions you have tested/checked. There are approaching 200,000 extensions that do a huge variety of things, from setting Chrome in Dark Mode to syncing passwords you enter to some cloud service. If you do control Chrome extensions via Group Policy remember that each one you check will need to be added (white listed) in your group policy which may be a higher risk change. And, you need a process to check them within a decent time-frame.
Fun with Microsoft Azure Active Directory
If you have synced your directory to Azure, or work that way native, then many apps/services can link into and reference your online directory. This is a quick way to setup things like Single Sign On. However, it does mean the app will have access to your directory. It would be sensible to have a central point (admin) to check these trusts and evaluate the app being linked to your Azure. And, the new phishing kid on the block is one of these trust boxes prompting users to click trust, once clicked this gives the attacker access to an API into your directory.
Would welcome any comments on what others have done/found.
Adam
@4d4m A very good posting, perhaps you should offer up your thoughts for predictions in 2020 and add the growing collection. Your posting and thoughts have good merit.
Often the biggest problem is the growing complexity and lack of visibility with checks and balances:
There are a number of good checklists around including:
https://www.skyhighnetworks.com/cloud-security-blog/73-azure-security-best-practices/
Regards
Caute_cautim
Thanks for the feedback.
Not keen on predicting the future, but will certainly add more if/when I find them. It is tricky because there is so much detail and complexity, so even having a checklist it is out-of-date after a month... all fun!
Will take a look at those links too.
Best
Adam