Cyber Security
can have some definable mitigation strategy. Most modern threats arrive via phishing, so training needs to cover the threat itself, how to recognise a phishing email, and the hard lesson of what to click on and when not to open an attachment. A simple phone call can confirm whether an email is legitimate, and team members need to be taught how to verify the source before continuing. It is not hard to do, much like looking both ways before crossing the street, but every user has to be taught safe computing practices. For most organisations, simulated phishing campaigns are recommended to measure how well the training is working.

2. Secure and Verifiable Backups

One of the worst-case scenarios for any attack is an infection with malware that wipes the environment: your data is encrypted by ransomware or simply erased. So how do you recover? Secure backups. This recommendation is not preventative, but it is the only one that helps when all else fails. All data should be backed up and, most importantly, secured so that a malware infection or advanced persistent threat cannot reach the backup through mapped drives or network shares. Backups should also be tested periodically to confirm they can restore every file to a pristine state.

A common mistake is to attempt a restoration before the malware infestation has been cleared. While some anti-virus solutions can remove the malware, best practice is to rebuild or re-image the affected host(s). There is always a chance the threat was more sophisticated than the endpoint security solution can detect and resolve, and that a persistent foothold remains for a future attack. A complete reload is the only way to be reasonably sure the issue has been resolved. If the infection is bad enough to have reached a domain controller, you should strongly consider rebuilding the entire environment. It is the only way to be sure.

3. Secure Macros

Some of the newest ransomware and clever malware is taking cues from older viruses that abused Microsoft Office and other application macros. This is not easy to resolve, because many spreadsheets and documents depend on macros to meet business and functional requirements. For example, a recent addition to the long list of ransomware, "PowerWare", typically arrives through a phishing email carrying a malicious Word attachment. The document contains a macro that launches a PowerShell script, and the PowerShell script delivers the payload. This is alarming because Word and PowerShell are common, approved applications at almost every organisation, which makes them a trusted attack vector for modern threats. Newer versions of Microsoft Office contain a setting that drastically reduces the chance of this happening: 'Disable all macros except digitally signed macros', found in the Trust Center, blocks any macro that does not carry a valid signature from a trusted publisher. This is a more granular option than 'Disable all macros', which breaks legitimate macros along with malicious ones. Unfortunately, you may not be able to enable this setting if not all of the macros your business requires are signed, or if the certificate used to sign them has expired. Wherever possible, insist that any vendor supplying software containing macros sign them, and establish an internal process for signing your own, so that this setting can be enabled for everyone.

4. Patch and Update Frequently

As if the thought of an angler phish were not frightening enough, an exploit kit sharing the same name targets older versions of Flash and Silverlight. According to the Verizon Data Breach Investigations Report, 99% of attacks target known vulnerabilities. Even though the vulnerabilities Angler exploits have long been patched, many organisations do not patch third-party applications regularly, let alone the operating system itself (think WannaCry). Keeping software on its most recent version is nothing new, yet we continue to see outdated, sometimes years outdated, software in production environments. Have a regular schedule to assess your environment for outdated or vulnerable software, and a tested process to remediate any findings. These are security basics, and if your organisation is not doing them well, it is an easy problem to solve with tangible threat-reduction results. This includes keeping endpoint protection technology and local anti-virus up to date: businesses still rely on these as the first line of defence when education fails, to identify (and prevent) a threat before the infection takes hold. Basically, if it can be updated to a more secure version, it should be, as frequently as is technically and operationally practical.
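The "verifiable" half of recommendation 2 is easy to state and rarely done. The script below is an added example written for this edit, not code from the article's author or any vendor: it records a SHA-256 digest of every file at backup time, authenticates that manifest with an HMAC key that is kept off the backup host (so malware with write access to the share cannot simply re-sign the files it has encrypted), and then verifies a restored or backed-up tree against the manifest. The file names, the ransomware scenario and the key handling in demo() are constructed for illustration.

```python
"""Verifiable backups (added example): keyed SHA-256 manifest of a source
tree, verified against the backup copy or a restore so that ransomware
encryption, deletion or silent corruption is detected before the data is
trusted. Scenario, paths and key handling are constructed for the demo."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def _hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = _hash_file(p)
    return {"files": files}


def _canonical(files: dict) -> bytes:
    return json.dumps(files, sort_keys=True).encode()


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """HMAC the canonical file table. The key must NOT live on the backup
    share: that is what stops an intruder from re-signing a tampered table."""
    mac = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return {"files": manifest["files"], "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def verify_tree(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare a tree (the restore, or the backup copy itself) to the manifest."""
    if not manifest_is_authentic(manifest, key):
        return {"ok": False, "reason": "manifest MAC invalid",
                "missing": [], "modified": [], "unexpected": []}
    expected = manifest["files"]
    seen = build_manifest(root)["files"]
    missing = sorted(set(expected) - set(seen))
    unexpected = sorted(set(seen) - set(expected))
    modified = sorted(p for p in expected if p in seen and seen[p] != expected[p])
    ok = not (missing or modified or unexpected)
    return {"ok": ok, "reason": "" if ok else "content differs from manifest",
            "missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: back up a small tree, then let 'ransomware' loose
    on the backup share and check that verification catches every change."""
    key = os.urandom(32)                      # in practice held offline, not on the share
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        src.mkdir()
        (src / "finance.xlsx").write_bytes(b"quarterly numbers")
        (src / "docs").mkdir()
        (src / "docs" / "policy.docx").write_bytes(b"acceptable use policy")

        manifest = sign_manifest(build_manifest(src), key)
        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        clean = verify_tree(backup, manifest, key)

        # Ransomware reached the backup through a mapped drive: one file is
        # encrypted in place, one is renamed, and a ransom note is dropped.
        (backup / "finance.xlsx").write_bytes(os.urandom(17))
        (backup / "docs" / "policy.docx").rename(backup / "docs" / "policy.docx.locked")
        (backup / "README_DECRYPT.txt").write_bytes(b"pay up")
        tampered = verify_tree(backup, manifest, key)

        # The intruder also rewrites the file table to match the damaged tree,
        # but cannot produce a valid MAC without the offline key.
        forged = build_manifest(backup)
        forged["mac"] = manifest["mac"]
        forged_result = verify_tree(backup, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In production the manifest and key travel with the offline copy, the verification runs against a restore onto a clean host rather than onto the infected one, and a failed check means the backup is not to be trusted, not that the check is wrong.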
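For recommendation 3, the Trust Center setting decides what Word does once a document is open; a mail gateway or triage desk also wants to know which attachments carry VBA before they reach a user at all. The script below is an added example, not code from the article or from Microsoft. It relies on two facts about the Office Open XML format: the file is a zip archive, and a VBA project is stored inside it as vbaProject.bin, with macro-enabled documents declaring one of the standard macroEnabled content types in [Content_Types].xml. The sample attachments are constructed in memory for the demo and are not real Word files, and checking the macro's digital signature against your trusted publishers is outside what this check does.

```python
"""Attachment triage (added example): flag any Office Open XML attachment
that contains a VBA project, whatever its extension claims, and separate
honest macro-enabled files from ones whose type or name hides the macro.
Sample files are constructed minimal zips, not genuine Word documents."""
import io
import zipfile

# Standard OOXML main-part content types for macro-enabled Word/Excel/PowerPoint files.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
MACRO_ENABLED_EXT = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm", ".ppam")


def inspect_ooxml(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: allow / hold / quarantine / not-ooxml.
    Non-zip input (legacy .doc, plain text) is reported, not assumed safe."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"name": name, "ooxml": False, "has_vba": False, "declares_macro": False,
                "verdict": "not-ooxml",
                "reason": "not a zip container; legacy binary formats need a separate check"}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.namelist()
        has_vba = any(m.lower().endswith("vbaproject.bin") for m in members)
        try:
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
    declares_macro = any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    ext_says_macro = name.lower().endswith(MACRO_ENABLED_EXT)
    if not has_vba:
        verdict, reason = "allow", "no VBA project in the package"
    elif declares_macro and ext_says_macro:
        verdict, reason = "hold", "macro-enabled document with VBA; verify publisher signature"
    else:
        verdict, reason = "quarantine", "VBA project present but type or extension hides it"
    return {"name": name, "ooxml": True, "has_vba": has_vba,
            "declares_macro": declares_macro, "verdict": verdict, "reason": reason}


def _make_ooxml(main_ct: str, with_vba: bool) -> bytes:
    """Build a minimal constructed package for the demo (not a real Word file)."""
    parts = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>',
    ]
    if with_vba:
        parts.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "".join(parts))
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed VBA stream")
    return buf.getvalue()


def demo() -> dict:
    """Constructed attachments: a clean .docx, an honest .docm, a .docm renamed
    to .docx to dodge extension filters, and a legacy binary .doc."""
    docx_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    docm_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    samples = {
        "invoice.docx": _make_ooxml(docx_ct, with_vba=False),
        "invoice.docm": _make_ooxml(docm_ct, with_vba=True),
        "invoice_renamed.docx": _make_ooxml(docm_ct, with_vba=True),
        "old_invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 legacy binary",
    }
    return {n: inspect_ooxml(n, d)["verdict"] for n, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Anything that lands in "hold" is exactly the population the 'Disable all macros except digitally signed macros' setting is meant to handle, which is why the signing process for vendor and in-house macros has to exist before the setting can be switched on.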
'While defences for monetised crimes are the same as for other cyber security threats (monitoring privileges, patching, reviewing activity, etc.), organised hacktivism is much more difficult to control without censorship.'
5. Remove Administrator Rights

Most threats propagate by leveraging the user's privileges to move laterally or infect files. If the user has only standard user rights, the only files and systems exposed are those they can reach locally or via a network share. While that scope can be large, it is far worse when the user has administrator privileges: then everything visible to an administrator is in scope, and the entire environment is potentially susceptible to infection. The fact of the matter is that most threats require administrator privileges just to launch or to leverage an exploit. If you reduce a user's privilege to standard user, threats that try to install a persistent presence are generally thwarted, because they lack the privileges to install files or drivers, or to write to the protected parts of the registry, unless they carry an exploit to escalate privileges. This is a sound mitigation for the clear majority of malware, which needs to own a system before it can begin infecting files and lateral resources. If this strategy is bundled with application control and least privilege technology, only a few forms of threat (such as WannaCry, which spread through an SMB vulnerability rather than through the user's rights, or macro-based attacks that run as the user) are not stopped by it. This shows that successfully preventing an attack requires a blended approach, from the removal of administrative rights to handling the edge cases that leverage social engineering, macros, and vulnerabilities and their corresponding exploits.

In conclusion, if you look at these closely, they are covered in the ASD Top Four and Essential Eight. The Australian Government recognises these recommendations and their >>
Australian Security Magazine | 5