Cyber Security doesn’t have to involve big budgets, big iron or a big head.
At least 85% of targeted intrusions can be prevented, mitigated or quickly discovered and eradicated by implementing four basic steps, as the Australian Signals Directorate has shown.
I was recently reminded how the vast majority of businesses could have much stronger Cyber Security defenses if they just practiced more of the Blocking and Tackling basics.
At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
- Use application whitelisting to help prevent malicious software and unapproved programs from running
- Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- Patch operating system vulnerabilities
- Restrict administrative privileges to operating systems and applications based on user duties.
These are actually ranked in order of effectiveness.
Whitelisting can be the most effective method, even preventing end users from infecting their computers by clicking on a link in an email or opening an attachment as a result of social engineering or spear phishing.
Whitelists on every Windows machine can be implemented for free using Software Restriction Policies, as discussed further in this NSA article. Essentially, you only allow executable programs to run that are located in directories that aren’t writable by non-admin users on that system. Yes, this means your users can’t run as administrators while doing their daily tasks…which is the best practice that everyone should use and is the #4 step in the above list. If you’re on a Mac (OSX), you can actually use the Parental Controls application for similar capability.
Fundamentally, the areas of the disk holding program executables are locked down so ordinary users can’t create folders or new files there, while the areas they can write to (My Documents) don’t allow programs to execute or run. Voila!
Slightly further down the list is monitoring. It’s not hard to set up a simple host-based monitoring and alerting system that detects the major processes that shouldn’t be running on most end-user systems unless they’ve been breached. That list would include:
- powershell – a typical program run by attackers once on the system to call back to their Command & Control server
- whoami – often part of attackers’ exploration; they’re seeking information about the system they’ve gotten access to.
- systeminfo – another “situational awareness” program attackers will often use when exploring
- Net Group “Domain Admins” – another command that tells attackers about privileged user accounts. Obviously this is not something most admins need to run, as they already know what groups they have or are in.
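As an added example (not code from the original post or from Sentar), here is a small host-based monitor in Python that scans constructed process-creation records for the four processes listed above. The event field names, the watchlist, and the allowlist of accounts expected to run these tools are assumptions.

```python
import re

# Constructed process-creation events, shaped loosely like Sysmon Event ID 1; not real host data.
SAMPLE_EVENTS = [
    {"Host": "WS-101", "User": "CORP\\jdoe", "CommandLine": "powershell.exe -nop -w hidden",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Host": "WS-101", "User": "CORP\\jdoe", "CommandLine": "whoami /all",
     "Image": r"C:\Windows\System32\whoami.exe"},
    {"Host": "WS-101", "User": "CORP\\jdoe", "CommandLine": 'net group "Domain Admins" /domain',
     "Image": r"C:\Windows\System32\net.exe"},
    {"Host": "WS-101", "User": "CORP\\helpdesk-svc", "CommandLine": "systeminfo",
     "Image": r"C:\Windows\System32\systeminfo.exe"},
    {"Host": "WS-101", "User": "CORP\\jdoe", "CommandLine": "WINWORD.EXE /n",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

# Watchlist from the post: image name -> optional command-line pattern that must also match.
# net.exe hands most subcommands to net1.exe, so both are checked for the group query.
DOMAIN_ADMINS = re.compile(r'\bgroup\s+"?domain admins"?', re.IGNORECASE)
WATCHLIST = {
    "powershell.exe": None,  # any run on an end-user workstation is worth a look
    "whoami.exe": None,
    "systeminfo.exe": None,
    "net.exe": DOMAIN_ADMINS,
    "net1.exe": DOMAIN_ADMINS,
}
# Assumed allowlist of accounts expected to run these tools, so the alert stream stays readable.
EXPECTED_ADMIN_USERS = {"CORP\\helpdesk-svc"}

def image_name(path):
    # Lowercase executable name from a Windows path.
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    # Return an alert dict if the event matches the watchlist, else None.
    name = image_name(event["Image"])
    if name not in WATCHLIST or event["User"] in EXPECTED_ADMIN_USERS:
        return None
    pattern = WATCHLIST[name]
    if pattern is not None and not pattern.search(event["CommandLine"]):
        return None  # e.g. "net use" is routine; only the group query is flagged
    return {"host": event["Host"], "user": event["User"], "process": name, "cmd": event["CommandLine"]}

def scan(events):
    # Run every event through classify() and keep the alerts in log order.
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']} ran {a['process']}: {a['cmd']}")
```

In a real deployment the events would come from Sysmon or Windows 4688 auditing with command-line logging enabled, and the allowlist should be kept short and reviewed so it does not silently hide the very activity you are watching for.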
Many small to medium sized businesses tend to buy products to solve their perimeter defense, which isn’t effective on its own. The best use of their dollars is to hire a security professional to use what they have, educate their users a bit more and shore up end-points as well as perimeters.
It’s time and it’s needed. Of course, Sentar can definitely assess and provide the Plan of Action and Milestones (PoA&M) you need to tighten down well beyond that 85%. It’s your call, so consider calling us if you’re in need.