"The thing that won't die, in the nightmare that won't end"
Although this is the legendary tagline from the movie "Terminator", it may as well have also been the theme for many of the information security focussed sessions at last week's Chilli IQ LawTech summit held in Noosa.
From the opening sessions, delegates were introduced to the dark underbelly of Information Technology and what it means to be the target of cybercrime. In an age where it seems our firms, our data and our people are under constant attack from shady elements that are hard to identify and even harder to defend against, the overwhelming message was that preparation and vigilance are the order of the day. Nobody wants to be the next Mossack Fonseca!
So how do you go about evaluating whether your cybersecurity posture is adequate? Fear not! The Australian Government is off to the rescue (there is a statement I never thought I would utter) in the form of the Australian Signals Directorate (ASD) Top 4 strategies to mitigate cyber intrusions. As that is a bit of a mouthful, let’s just refer to it as the T4…. that’ll catch on… right?
The T4 strategies are actually part of a much larger list of strategies (around 35 in total) that the ASD recommend based upon their expertise with regards to responding to cyber security incidents and penetration testing of government organisations. While the entire list of strategies is a mammoth undertaking to complete, the T4 are an excellent place to start as the ASD have calculated that:
"at least 85% of the adversary techniques used in targeted cyber intrusions… could be mitigated by implementing… the Top 4".
85%!!! Considering the relatively low cost of implementing these strategies this makes for a very compelling ROI calculation.
So without further ado, these are the T4:
Ensure Operating Systems (OSs) are fully patched
While this one might sound like a no-brainer, it is surprising just how many businesses do not regularly patch the operating systems on their servers and PCs. It is not an oversimplification to state that if the operating system is not patched, most other security undertakings are rendered almost useless.
In addition to patching OSs, it is also important to try and ensure that operating systems are updated to current versions wherever possible. OSs that are significantly out of date, like Windows Server 2003 and Windows XP, are especially susceptible to compromise and exploitation. Microsoft's Security Intelligence Report, Volume 11 (Page 58) gives a stark example of this issue, showing that Windows XP is infected at ten times the rate of Windows 7. This trend is seen across both the server and workstation operating systems.
Minimise Administrative Privileges
Administrative privileges are exactly what you think they are. They let trusted users, usually your IT team, make changes and monitor your IT systems including servers and workstations. In a Windows environment there are broadly two types of administrators, local administrators and domain administrators.
Of the two, the domain administrator has the most access to the network. A domain administrator generally has unfettered access to any service or data on a firm’s network and these privileges need to be jealously guarded. Imagine what would happen if a domain administrator account was to be compromised. A rogue domain administrator account would be able to make almost any change to a network either rendering it inoperable or stealing data at will. This could result in massive amounts of downtime where employees would be unable to work and the public relations backlash could be disastrous!
As a general rule, only IT staff should have domain administrator credentials, and even then they should be audited regularly to ensure that they are appropriate to the role that the staff member plays.
Local administrators, while not as risky as domain administrators, are still a significant risk to the firm. While a local administrator only has rights to manage a workstation, these rights are enough to allow the installation and execution of applications and malware that can then move onto the network by other means. Many users insist that they require local administrator accounts on their PCs in order to install their own applications when they need them. This is generally a bad idea as most users do not use enough care when surfing the web or clicking on links sent to them in emails. Both of these methods are common attack vectors for numerous types of malware including the dreaded CryptoLocker and its many variants!
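A practical way to act on the two points above (only IT staff hold domain administrator rights, and ordinary users do not hold local administrator rights) is to enumerate both groups and compare them against an approved list. The following PowerShell script is an added example and is not part of the original article or any ASD material. It assumes the RSAT ActiveDirectory module is installed for the domain check, that it runs with rights to read group membership, and that the account names in $ApprovedAdmins are constructed placeholders to be replaced with the firm's real IT accounts.

```powershell
# Added example (not from the original article): audit who holds domain and
# local administrator rights so the list can be reviewed against the roles
# that should hold them (the IT team).
# Assumptions: RSAT ActiveDirectory module installed; run with rights to read
# group membership; $ApprovedAdmins is a constructed placeholder list.

$ApprovedAdmins = @('it.admin1', 'it.admin2')   # constructed placeholder names

# --- Domain administrators -------------------------------------------------
# -Recursive expands nested groups, so an account that is a Domain Admin only
# through group nesting still shows up in the report.
Import-Module ActiveDirectory
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$unexpectedDomain = $domainAdmins | Where-Object { $ApprovedAdmins -notcontains $_ }

Write-Host "Domain Admins ($($domainAdmins.Count) accounts):"
$domainAdmins | ForEach-Object { Write-Host "  $_" }
if ($unexpectedDomain) {
    Write-Warning "Domain Admins not on the approved list: $($unexpectedDomain -join ', ')"
}

# --- Local administrators on this workstation -----------------------------
# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later.
$localAdmins = Get-LocalGroupMember -Group 'Administrators'

Write-Host "`nLocal Administrators on ${env:COMPUTERNAME}:"
foreach ($member in $localAdmins) {
    # PrincipalSource tells local accounts apart from domain accounts/groups.
    Write-Host ("  {0,-40} {1,-6} {2}" -f $member.Name, $member.ObjectClass, $member.PrincipalSource)
}

# Flag ordinary domain user accounts that were added as local admins (the
# "I need it to install my own applications" case described above).
$suspect = $localAdmins | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.PrincipalSource -eq 'ActiveDirectory' -and
    ($ApprovedAdmins -notcontains ($_.Name -split '\\')[-1])
}
if ($suspect) {
    Write-Warning "Domain user accounts with local admin rights: $($suspect.Name -join ', ')"
}
```

Run it on a domain-joined workstation and keep the output with the regular audit the article recommends; the local check can be pushed to every machine through a scheduled task or remoting so that the comparison is done fleet-wide rather than one PC at a time.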
Ensure applications are fully patched
While most firms will commonly patch operating systems to a greater or lesser extent, not many will patch the applications that run on their workstations and laptops with as much rigour.
The types of applications that we are talking about here are things like Adobe Flash Player, Microsoft Office and so on. Flash Player and Office are particularly significant in terms of risk as these are very widely installed and used and are therefore a higher priority target for purveyors of nefarious software. In fact, in previous years Adobe Flash has had the dubious honour of being the most exploited software product, with eight out of the top ten vulnerabilities used by exploit kits targeting Flash Player alone.
One of the problems associated with patching applications is that, unlike operating systems, there is generally no centralised solution that all software applications can use for this purpose. This can cause issues with the management and delivery of patching, and in many cases manual approaches, costing time and money, must be used to keep applications up to date.
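The first two strategies (OS patched and current; applications patched) both start from the same question: what is on this machine right now, and how stale is it? The PowerShell script below is an added example, not code from the article or from the ASD, that takes that snapshot for one Windows host: it reports the OS version and flags the end-of-life versions the article names, shows when the last hotfix was installed, and lists installed applications with their versions from the registry Uninstall keys, which is the raw material for the manual application patching the article describes. It assumes it is run as a local administrator on Windows PowerShell 5.1 or later; $MaxDaysSinceHotfix is a constructed threshold, not an ASD figure.

```powershell
# Added example (not from the original article): patch-state snapshot of a
# Windows machine, covering OS version, hotfix recency and installed apps.
# Assumptions: run as local administrator on Windows PowerShell 5.1+;
# $MaxDaysSinceHotfix is a constructed threshold.

$MaxDaysSinceHotfix = 45   # constructed threshold for "not patched lately"

# --- Operating system -----------------------------------------------------
$os = Get-CimInstance Win32_OperatingSystem
Write-Host "OS: $($os.Caption) (version $($os.Version))"

# Windows XP reports 5.1 and Server 2003 reports 5.2: the versions the
# article singles out as especially susceptible.
if ([version]$os.Version -lt [version]'6.0') {
    Write-Warning 'End-of-life operating system: patching alone will not make this host safe.'
}

# --- Hotfix recency -------------------------------------------------------
# Get-HotFix reads the same data shown under "Installed Updates".
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($null -eq $lastHotfix) {
    Write-Warning 'No hotfix install dates recorded on this host.'
} else {
    $age = (Get-Date) - $lastHotfix.InstalledOn
    Write-Host ("Last hotfix: {0} installed {1:yyyy-MM-dd} ({2} days ago)" -f
        $lastHotfix.HotFixID, $lastHotfix.InstalledOn, [int]$age.TotalDays)
    if ($age.TotalDays -gt $MaxDaysSinceHotfix) {
        Write-Warning "No hotfix installed in the last $MaxDaysSinceHotfix days."
    }
}

# --- Installed applications ------------------------------------------------
# Both the 64-bit and the 32-bit (WOW6432Node) Uninstall keys are read.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

Write-Host "`nInstalled applications ($($apps.Count)):"
$apps | Format-Table -AutoSize

# Highlight the widely installed products the article calls out so their
# versions can be checked against the vendor's current release by hand.
$watchList = @('Adobe Flash Player', 'Microsoft Office')
foreach ($app in $apps) {
    foreach ($prefix in $watchList) {
        if ($app.DisplayName -like "$prefix*") {
            Write-Host "Check vendor version for: $($app.DisplayName) $($app.DisplayVersion)"
        }
    }
}
```

The application list is deliberately exported rather than judged, because, as the article says, there is no single source of "latest version" for third-party software; the value of the script is that it turns an unknown into a list that can be compared against vendor release notes or fed into whatever patch-management tool the firm settles on.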
The final strategy of the T4 is, unfortunately, the most difficult to implement from both an IT management and cultural perspective.
Application whitelisting
Application whitelisting essentially locks down the PC to only allow certain applications to run on it. This is different from only allowing certain applications to be installed in that it renders inoperable any application that may already be installed but that is not explicitly included in the whitelist.
In order to implement application whitelisting, the firm must first put significant effort into discovering and documenting which applications are used by which users, and then implement software solutions to enforce compliance with the whitelist policy. From a technical perspective, this is difficult to achieve with perfect results. From a workplace perspective it is a nightmare, as every user will have a 'special exception' that they desperately need in order to do their job.
As soon as the exceptions are accepted, the job of managing the whitelists becomes harder and harder and the overhead can simply become too much. When improperly implemented, application whitelisting can cause, at best, grumblings among your workforce and, at worst, open revolt against management and the IT function.
Should the potential downsides be used as a reason not to implement whitelisting? The short answer is no. Application whitelisting has the potential to stop most exploits from ever executing on the workstation and can save countless hours and large amounts of money from being wasted recovering from infection. In addition to the easily quantifiable savings, the firm must also take into account the benefits to be gained from not having their name splashed across the news as the latest victim of cybercrime and the associated reputational damage that this type of bad publicity can cause.
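The discover-then-enforce approach described above can be walked through with AppLocker, the whitelisting feature built into the Enterprise and Education editions of Windows. The PowerShell below is an added example and is not part of the original article or of any ASD guidance. It generates rules from the software actually installed on a reference workstation, deploys them in audit-only mode so nothing is blocked yet, and then reads the audit events that show what would have been blocked, which is where the "special exceptions" surface before enforcement is switched on. It assumes it is run as an administrator on a reference workstation, that the policy file path is a constructed placeholder, and that the Application Identity service is running so AppLocker evaluates the rules.

```powershell
# Added example (not from the original article): AppLocker whitelisting in
# audit-only mode, from rule discovery to reviewing the audit log.
# Assumptions: run as administrator on a reference workstation; $PolicyPath
# is a constructed placeholder; Application Identity service (AppIDSvc) runs.

$PolicyPath = 'C:\Temp\AppLocker-Audit.xml'   # constructed placeholder path

# 1. Discover: collect file information for executables, scripts and
#    installers under the standard program folders.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Build publisher rules, falling back to hash rules for unsigned files,
#    and let -Optimize collapse files from the same publisher into one rule.
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $PolicyPath -Encoding utf8

# 3. Switch every rule collection to AuditOnly so the policy logs rather than
#    blocks; users keep working while exceptions are discovered.
[xml]$policy = Get-Content -Path $PolicyPath
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($PolicyPath)

# 4. Dry-run the policy against a known file before deploying it.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path 'C:\Windows\System32\notepad.exe' -User Everyone

# 5. Apply locally (in a domain, import the XML into a Group Policy Object
#    instead) and make sure the Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# 6. Review: event 8003 in the AppLocker log records a file that ran but
#    would have been blocked had the policy been enforced.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Leaving the policy in audit mode for a few weeks across a pilot group turns the discovery phase the article describes into a log rather than a survey: each 8003 event is either a legitimate exception to add as a rule or something that should not be running, and only once that list stops growing is the enforcement mode changed to Enabled.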
While the news, the web and various legal conferences might be filled with tales of doom and gloom regarding cybercrime, it is well within the power of most firms to drastically reduce their attack footprint by implementing a few fairly basic precautions.
In most cases your firm is likely to have implemented many of the recommendations contained above and you are already well on the way to becoming as indestructible as the eponymous Terminator from the beginning of this story. To fill in the gaps, let’s get together over a coffee (all good business is done over coffee) and have a chat.
Hasta la vista.
Feature image courtesy of Garry Knight under Creative Commons licence via flickr