Cyber Security - Prevention is Always Better Than Cure
15/10/20, 8:04 am
We have seen with COVID-19 that simple measures can make a big difference in preventing the spread of the infection. Washing hands, sanitising working environments, and covering our mouths are practical and cost-effective methods to prevent infection spread.
With Cyber Security, we can also use practical, simple and cost-effective ‘hygiene’ methods to reduce risks from cyber threats. These strategies provide a framework to keep your ICT environment clean, preventing threats from entering or spreading in your organisation. Much like the caution associated with COVID-19, simple preventative measures are better than having to recover from a major outbreak.
In Australia, we are fortunate to have clear and practical guidance from the Australian Cyber Security Centre with the Australian Signals Directorate Essential Eight mitigation strategies. In this post, we outline incremental strategies to build on the Essential Eight to raise cyber security levels.
In this post, we recommend four mitigation strategies to prevent malware delivery and execution:
Application Control
Often referred to as application whitelisting. This mitigation ensures that only approved software can run on desktop PCs, laptops and servers.
Patch Applications
Software applications often have exploitable bugs and vulnerabilities. The software vendor provides updates (patches) to fix bugs and remove vulnerabilities.
Restrict or Block Macros
Macros are code that run inside of application files like Microsoft Word or Excel. They automate processes or enable other functions. Macro-based malware can cross-infect users if shared through email.
User Application Hardening
Applications on PCs, laptops and tablets may need extra modules or plug-ins to deliver functionality. These modules can have vulnerabilities if they are outdated or no longer supported.
Mitigation One: Application Control
Why is it important?
Malicious software can sometimes be installed because it is not detected by anti-malware/anti-virus software. Application control provides an additional method for preventing malware from running even if it is already present on an endpoint device or server.
Is it easy to implement?
The biggest challenge to implementing application control or whitelisting is defining, maintaining and distributing allowed software applications.
Application control software systems use a variety of methods to identify the authenticity of an application. The most reliable method is a cryptographic hash: a mathematical calculation over the executable file that produces a unique code. However, this means that every time the software is updated or patched, the file contents change, and an administrator will need to re-run the hash calculation and record the new hash.
Larger organisations use over 2,000 business applications. Managing these volumes is challenging. Alternative approaches with similar outcomes to application control may be more practical.
Are there any considerations?
Many organisations have users in the organisation that require legitimate access to unofficial or open source software to perform their job. This can be software developers creating and testing new applications.
Application Control and Bring Your Own Device policies are difficult to achieve together. Users are unlikely to agree to complete control of applications that run on their own devices. Mobile Device Management (MDM) and Mobile Application Management (MAM) technologies are now used more with corporate managed devices rather than employee purchased devices. Virtual desktop/workspace is the best approach to these conflicting policies.
Implementing application control should be done in consultation with organisation departments and business units to ensure that employees are not hindered or prevented from doing their work. Many application control solutions have a learning mode which can capture current applications used. This approach can create a baseline list of applications.
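The hash-based approach described above, together with the learning mode used to capture a baseline, is illustrated by the following added example. It is not code from the post or from any NEC product; the `ApplicationControl` class, its `learn`/`enforce` modes and the sample executable contents are constructed for illustration. It shows why a vendor patch breaks a hash rule until the administrator re-approves the new file.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ApplicationControl:
    """Hash-based allowlist with a learning mode for building the baseline (hypothetical)."""

    def __init__(self, mode="enforce"):
        self.mode = mode        # "learn" records what runs, "enforce" blocks the unknown
        self.allowed = {}       # sha256 hex digest -> label shown to the administrator
        self.observed = {}      # digests seen in learning mode -> first path seen
        self.denied = []        # (path, digest) pairs blocked while enforcing

    def approve(self, path, label):
        """Record the current contents of a file as an approved application."""
        digest = sha256_of(path)
        self.allowed[digest] = label
        return digest

    def check(self, path):
        """Return True if the executable may run under the current mode."""
        digest = sha256_of(path)
        if self.mode == "learn":
            self.observed.setdefault(digest, str(path))
            return True
        if digest in self.allowed:
            return True
        self.denied.append((str(path), digest))
        return False

    def promote_baseline(self):
        """Turn everything captured in learning mode into the initial allowlist."""
        for digest, path in self.observed.items():
            self.allowed.setdefault(digest, f"baseline:{Path(path).name}")
        self.mode = "enforce"


def demo():
    """Walk through baseline capture, a vendor patch, and re-approval."""
    with tempfile.TemporaryDirectory() as d:
        exe = Path(d) / "reporting-tool.exe"        # constructed stand-in for a binary
        exe.write_bytes(b"MZ\x90\x00 constructed build 1.0")
        ac = ApplicationControl(mode="learn")
        ac.check(exe)                                # learning mode: observed, never blocked
        ac.promote_baseline()                        # now enforcing the captured baseline
        before_patch = ac.check(exe)                 # True: same bytes, same hash
        exe.write_bytes(b"MZ\x90\x00 constructed build 1.1")  # vendor patch changes the file
        after_patch = ac.check(exe)                  # False: new hash is not on the list
        ac.approve(exe, "Reporting Tool 1.1")        # administrator re-hashes the patched file
        after_reapproval = ac.check(exe)             # True again
        return before_patch, after_patch, after_reapproval, len(ac.denied)


if __name__ == "__main__":
    print(demo())
```

The `denied` list is what an administrator would review after a patch cycle: each entry names the file and the hash that was refused, which is exactly the record needed to decide whether to approve the new version.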
Application Control will need an application packaging team and an ‘IT store’ where users can find approved applications (including open source if applicable) to install. This collection will need maintaining.
CONSULTATION IS KEY
Implementing application control should be done in consultation with organisation departments and business units.
Are there alternatives?
There are good alternative approaches that can achieve similar outcomes to application control. Some of NEC’s recommended approaches include:
Local Sandbox – having a local sandbox on your endpoint allows users to run software that is controlled and isolated, without having to support an IT store and application packaging for vast numbers of applications.
Windows S Mode – this is a good alternative for users that need a basic productivity machine with operating system, email and the Office suite. More applications can be controlled through a corporate managed Windows Store.
Virtual Desktop/Workspace - A virtual desktop/workspace is similar to a sandbox where applications that run on the endpoint are isolated from your datacentre.
Mitigation Two: Patch Applications
Why is it important?
Implementing patches ensures that malicious software and individuals do not take advantage of application gaps. The longer that unpatched software is on ICT systems, the greater chance of exploitation.
Is it easy to implement?
Application patching is typically possible with applications currently supported by the software vendor. This means that you must be using recent versions of the software that is under an ongoing software assurance agreement that provides updates.
Unsupported software, whether it is an old version or outside of a software agreement, may not be able to be patched.
Many software applications come with automatic updating capabilities. Use this whenever possible to avoid manual overheads of patching and updating the software.
Are there any considerations?
Application compatibility and integration can be complex. It is not uncommon to find that older applications will not run on new operating systems or new applications will not run on old operating systems. This means that an application cannot be patched to a new version as it will not run. Sometimes a simultaneous upgrade of the operating system and the application is necessary.
Patching applications can sometimes stop the application from working properly. Sometimes the patch can corrupt other applications that may share the same application libraries.
Legacy applications often do not have patches or upgrades available. The vendor may no longer be around or the application is at end of life. The only option is to replace the application. This may need costly new designs, training and supporting databases.
USE CAUTION WITH LEGACY APPLICATIONS
Legacy applications often do not have patches or upgrades available. The vendor may no longer be around or the application is at end of life.
Are there alternatives?
Application and system hardening, which is another mitigation, can be an appropriate alternative approach when the application cannot be patched.
Application isolation through delivery of virtual or remote apps could also be an approach. This removes the risk from the local endpoint onto a server which can be hardened and more easily managed.
Local sandbox machines could also be used to run the application where it cannot be patched.
Mitigation Three: Restrict or Block Macros
Why is it important?
Macros help automate processes or enable other functions. However, they can be malicious and cross-infect other employees, files, and systems. Since productivity applications are so widely used in organisations, macro-based malware can be easily distributed and rapidly cross-infect organisations.
Email is the leading business communication tool. It is also the most common way for macro-based malware to cross-infect other users and organisations.
Is it easy to implement?
Disabling or blocking macros is very easy to configure through the latest Microsoft tools with central policy management. However, this can create challenges that are highlighted in the considerations below.
Are there any considerations?
Macros are created for legitimate purposes to automate manual processes and workflows. Disabling macros will prevent users from using these benefits and force the organisation back to more manual processes.
Blocking macro-based attachments could also prevent important emails from being received by stakeholders.
A BALANCED APPROACH
In some instances disabling macros can cause reduced efficiency by forcing manual processes to be used in place of automating simple tasks.
Are there alternatives?
Modern cyber security capabilities from innovative organisations like Check Point are alternatives that work by extracting threats temporarily whilst allowing content to be received by users. The original file is sandboxed to check if it is behaving maliciously and if not, it can be safely retrieved by the user.
Macro signing can be used for internal macros and these can be trusted at an organisation level. Files that have unsigned macros can be blocked or disabled.
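The policy described in the last two paragraphs (sandbox suspicious attachments, allow signed macros, block unsigned ones) can be applied as a triage step at a mail gateway. The following added example is not code from the post or from any vendor; it inspects Office Open XML attachments in memory. `vbaProject.bin` is the standard part that holds a VBA project; the signature part names are an assumption based on the usual package layout, and the sample documents are constructed, not real files. Note that the presence of a signature part only shows that a macro was signed by someone; whether that signer is trusted is still decided by the trusted-publisher policy on the endpoint.

```python
import io
import zipfile

# Part names Office Open XML uses for an embedded VBA project (Word, Excel,
# PowerPoint). vbaProject.bin is the standard location; the signature part
# names are an assumption based on the usual package layout.
MACRO_PARTS = {f"{p}/vbaProject.bin" for p in ("word", "xl", "ppt")}
SIGNATURE_PARTS = {
    f"{p}/{name}"
    for p in ("word", "xl", "ppt")
    for name in ("vbaProjectSignature.bin", "vbaProjectSignatureAgile.bin")
}


def inspect_attachment(data):
    """Triage one attachment and return the evidence found plus a verdict."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML package. Legacy binary .doc/.xls files can also carry
        # macros, so hand these to the sandbox rather than guess.
        return {"ooxml": False, "macros": None, "signature_part": None,
                "verdict": "quarantine-for-sandbox"}
    macros = bool(names & MACRO_PARTS)
    signature_part = bool(names & SIGNATURE_PARTS)
    if not macros:
        verdict = "allow"
    elif signature_part:
        # Signed: let the endpoint's trusted-publisher policy make the final call.
        verdict = "allow-signed-macros"
    else:
        verdict = "block-unsigned-macros"
    return {"ooxml": True, "macros": macros,
            "signature_part": signature_part, "verdict": verdict}


def build_sample(macros=False, signed=False):
    """Construct a minimal Word package in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macros:
            zf.writestr("word/vbaProject.bin", b"constructed VBA project bytes")
        if signed:
            zf.writestr("word/vbaProjectSignature.bin", b"constructed signature bytes")
    return buf.getvalue()


def triage_mailbox(attachments):
    """Apply the policy to a batch of (filename, bytes) pairs; return verdicts by name."""
    return {name: inspect_attachment(blob)["verdict"] for name, blob in attachments}


if __name__ == "__main__":
    samples = [
        ("minutes.docx", build_sample()),
        ("invoice.docm", build_sample(macros=True)),
        ("report.docm", build_sample(macros=True, signed=True)),
        ("old-form.doc", b"\xd0\xcf\x11\xe0 constructed, not a zip"),
    ]
    for name, verdict in triage_mailbox(samples).items():
        print(f"{name}: {verdict}")
```

The verdicts map directly onto the options in the text: documents without macros pass, signed macros are passed through for the endpoint policy to evaluate, unsigned macros are blocked, and anything the gateway cannot parse is sent to a sandbox rather than delivered.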
Secure file sharing through OneDrive, Microsoft Teams and other collaboration tools can also be an effective way of removing a link in the sequence flow that macro-based malware relies upon.
Mitigation Four: User Application Hardening
Why is it important?
Outdated and unsupported modules can have vulnerabilities. To mitigate the risk, modules should be patched with the latest security updates, or removed or disabled. Modules such as Flash and Java can also be used to deliver malicious code over the internet.
Is it easy to implement?
Most of the user application hardening can be done through configuration policies in web browsers and applications. An organisation standard for web browsers is required. Users should not be able to download non-standard browsers.
Blocking advertising in browsers is difficult. Some browsers have some features to block advertising, but the best solutions are via a plug-in or extension in the browser or using DNS filtering on your internet gateway.
In Microsoft environments, most configurations can be centrally controlled via group policy, configuration management scripts and packages.
Are there any considerations?
The modules, plug-ins and extensions are often required for an application to work. NEC finds that there are still many applications that require Adobe Flash and the server applications need updating to remove Flash.
Blocking advertisements in the web browser requires a plug-in which in itself is a risk.
CONFIGURATION POLICY IS KEY
Configuration policies in web browsers and applications should support user application hardening.
Are there alternatives?
Organisations should evaluate who needs the application plug-ins and modules. These should be restricted to a small group that only need them to reduce the risk exposure of your organisation.
If the application vendor provides a full client application that does not require plug-ins or modules in a web browser, then this should be considered as a lower risk approach.
A local sandbox/virtual PC could be used to run the unhardened application or web browser. This will lower the risk when compared to having the application or web browser on the local endpoint.
Web browser isolation using virtual or remote apps could also be an approach, which removes the risk from the local endpoint onto an application delivery server that can be hardened and more easily managed.
In the next blog post, we continue with four more mitigation actions to minimise cyber security incidents.
Nicholas Route
National Solutions Manager
Nicholas.Route@nec.com.au