Peter’s proposals for a prevention strategy (training, and strictly refusing local administrator access for employees) can be implemented quickly and at a fair price.
To complement this, companies should add a trusted zone concept for administrative tasks. A server administrator should never sign in to a server from a system at a lower trust level, e.g. from the laptop he also uses to connect to the company network from outside. A trusted admin zone concept prevents attackers from moving laterally within the company network once they have gained a foothold, e.g. through a phishing attack and a RAT (Remote Access Trojan).
Once a single computer is compromised, an attacker has enough time to search for the next victim in the network. When he finally finds a Windows 7 computer on which a domain admin logs on, the result is a Sony-like disaster.
From a technical point of view, mitigation is really easy:
Remove all elevated privileges from users.
Set UAC to ‘Always notify me’, even for administrators.
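As an added example (not part of the original post), this PowerShell script audits a Windows host against those two measures: it checks the registry values behind the ‘Always notify’ UAC level and lists members of the local Administrators group that are not on an allow-list. The allow-list contents and the -Enforce switch are assumptions for this example.

```powershell
# Added example: audit a host for the two mitigations above.
# Run in an elevated PowerShell; -Enforce additionally applies the UAC values.
param([switch]$Enforce)

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# "Always notify me" on the UAC slider corresponds to these three values.
$required = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }

$findings = @()
foreach ($name in $required.Keys) {
    $actual = (Get-ItemProperty -Path $uacKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $required[$name]) {
        $findings += "UAC: $name is '$actual', expected $($required[$name])"
        if ($Enforce) {
            Set-ItemProperty -Path $uacKey -Name $name -Value $required[$name] -Type DWord
        }
    }
}

# Local administrator privileges: only the built-in Administrator account and the
# domain admin group should remain; every other member is reported as a finding.
# The allow-list is an assumption; adjust it to your environment.
# Get-LocalGroupMember requires Windows 10 / Server 2016 or later.
$allowed = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]          # strip "COMPUTER\" or "DOMAIN\"
    if ($allowed -notcontains $short) {
        $findings += "Local admin: unexpected member $($_.Name) ($($_.ObjectClass))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no extra local admins, UAC set to Always notify'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

The script only reports unexpected administrators rather than removing them, so membership clean-up stays a deliberate step. In a domain, set the UAC values through Group Policy instead of the local registry, since a GPO will overwrite local changes on the next refresh.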
But these are very unpopular measures. User acceptance is very low, and so is business support. Therefore IT groups are always interested in highly sophisticated and expensive solutions that keep the business impact as low as possible.
IT security is to a large extent a matter of leadership …