The First Five Quick Wins

The Top 20 Critical Controls for Effective Cyber Defense have been around for half a decade now, and are constantly gaining more praise and acceptance among information security groups and government organizations across the globe. One of the main reasons for this is that all of these controls have been shown to stop or mitigate known, real-world attacks. Another reason for their success is that they are constantly being updated and adjusted to fit the changing threat picture as it emerges. 

One of these recent updates is the delineation of the “First Five” from the other “Quick Wins” category of sub-controls included in the guidance (Quick Wins security controls are those that provide solid risk reduction without major procedural, architectural or technical changes to an environment, or that provide substantial and immediate risk reduction against very common attacks – in other words, these are the controls that give you the most bang for the buck). The First Five Quick Wins controls are those that have been shown to be the most effective means yet to stop the targeted intrusions that are doing the greatest damage to many organizations. They include:

  1. Application white listing: Application white listing technology only allows systems to run software applications that are included in the white list. This control prevents both external and internal attackers from implementing malicious and unwanted applications on the system. One caveat that should be kept in mind is that the organization must strictly control access to and modifications of the white list itself. New software applications should be approved by a change control committee and access/changes to the white list should be strictly monitored.
  2. Secure standard images: Organizations should employ secure standard images for configuring their systems. These standard images should utilize hardened versions of underlying operating systems and applications. It is important to keep in mind that these standard images need to be updated and validated on a regular basis in order to meet the changing threat picture.
  3. Automated patching tools and processes: Automated patching tools, along with appropriate policies and procedures, allow organizations to close vulnerabilities in their systems in a timely manner. The standard for this control is patching of both application and operating system software within 48 hours of release.
  4. Removal or replacement of outdated software applications: Many computer networks we test have outdated or legacy software applications present on the system. Dated software applications may have both known and previously undiscovered vulnerabilities associated with them, and are consequently very useful to cyber attackers. Organizations should have mechanisms in place to identify then remove or replace such vulnerable applications in a timely manner just as is done with the patching process above.
  5. Control of administrative privileges and accounts: One of the most useful mechanisms employed by cyber attackers is elevation of privileges. Attackers can turn simple compromise of one client machine to full domain compromise by this means, simply because administrative access is not well controlled. To thwart this, administrative access should be given to as few users as possible, and administrative privileged functions should be monitored for anomalous behavior. MSI also recommends that administrators use separate credentials for simple network access and administrative access to the system. In addition, multi-part authentication for administrative access should be considered. Attackers can’t do that much damage if they are limited to isolated client machines!

Certainly, the controls detailed above are not the only security controls that organizations should implement to protect their information assets. However, these are the controls that are currently being implemented first by the most security-aware and skilled organizations out there. Perhaps your organization can also benefit from the lessons they have learned.

Thanks to John Davis for writing this post.

What YOU Can Do About International Threats

Binary eye

With the addition of RedDragon Rising (@RedDragon1949) to the blog, we are now pushing forth a new stream of threat data and insights about the growing problem of international threats. Since we added that content to the site, many of you have written in or asked me on Twitter, what is it that YOU can do about these threats? I wanted to take a few minutes and expand on my responses.

First of all, you can remain aware and vigilant. Much of the information we post here isn’t directly actionable. It isn’t designed to be a roadmap of actions for you to take. It’s designed to be a continual source of data that slowly helps you see a clearer picture of the threat, the actors and their capability. It’s designed to keep you AWAKE. It’s custom made to help you understand your adversary. Knowledge is power and insight is key. We make this content to give you both!

Second, you can communicate the threat and knowledge to your management. This helps them remain aware. It also presents to them that you are monitoring the threats and keeping your eye on the rising tides, even as you help them steer the ship through safe waters. You can use this information to build rapport with them, to give them new insights into your decisions when you explain to them various risks and to help them understand the changing nature of the interconnected world.

You can use the information here as an impetus to get the basics of information security right. While there aren’t any panaceas to fight off the threat and there isn’t a single thing you can buy to make it better ~ we do know that focusing on the basics of infosec and getting them done efficiently, effectively and well is the best defense against a variety of threats. That said, consider doing a quick and dirty review of your security initiatives against our 80/20 Rule for Information Security. This is a set of simple projects that represent the basics of information security and map easily to other standards and baselines. Simply judging your maturity in these areas and following the roadmap to improvement will go a long way to getting the basics done right in your organization. 

Invest in detection and response. If your organization is doing the basics of prevention, that is you have hardening in place and are performing ongoing assessment and mitigation of your attack surfaces, then the next thing to do is invest in detection and response capabilities. Today, one of the largest advantages that attackers enjoy is the lack of visibility and effective response capabilities in our organizations. You should have some visibility into every segment and at every layer of your environment. You should be able to identify compromises in a timely manner and move to isolate, investigate and recover from any breaches LONG BEFORE they have become widespread and heavily leveraged against you. If you can’t do that today, make it your next major infosec goal. Need help?Ask us about it.

Lastly, share information with your peers. The bad guys are good at information sharing. They have excellent metrics. They openly share their experiences, successes, failures and new techniques. Much of crime and espionage (not all, but MUCH) is “open source” in nature. The cells of attackers free float in conglomerations of opportunity.  They barter with experience, tools, data and money. They share. The more we begin to share and emulate their “open source” approaches, the better off we can be at defending. If knowledge is power, more brains with more knowledge and experience equals MORE POWER. Be a part of the solution.

That’s it for now. Just remain calm, get better at the basics, improve your visibility and stay vigilant. As always, thanks  for reading State of Security and for choosing MicroSolved as your information security partner. We are striving to dig deeper, to think differently and to give you truly actionable intelligence and threat data that is personalized, relevant to your organization and meaningful. If you’d like to hear more about our approach and what it can mean for your organization, get in touch via Twitter (@lbhuston), email (info(at)microsolved/dot/com) or phone (614-351-1237 ext 250). 

HoneyPoint Wasp is Almost Ready to Leave the Nest

As many of you may know, the MSI team has been hard at work the last several months finishing the beta of our new compromised workstation detection product, HoneyPoint Wasp. It is a fully integrated component of HoneyPoint Security Server, capable of executing distributed detection and threat monitoring on Windows workstations across enterprises. The initial feedback by the beta group have been absolutely amazing. We are finding bots, malware and compromised hosts in a variety of locations, once thought to be “clean” and “safe”.

Wasp accomplishes this mission by being deployed as a service on workstations and by monitoring for the most common signs of compromise. It can watch for changes in the users, admins, port postures and such. It does white list detection of the running processes and it is even capable of detecting DNS tampering and changes to selected files on the operating system.

Even better, it does this work without the need for workstation event logs, signature updates or tuning. It “learns” about the workstation on which it is deployed and adapts its detection techniques to focus on important changes over the long run.

We designed Wasp to be easy to install, easy to manage and to be transparent to the end – user. As such, it is deployed as a 0-interface piece of software. There are no pop-ups, no GUI and no interaction at all with the user. All alerts are routed to the HoneyPoint console and the security team, eliminating any chance of increased help desk calls, user push back and confusion.

In the next couple of weeks, we will be making some announcements about the general availability of the Wasp product. I hope you will join me in my excitement when we announce this launch. In the meantime, think about what you are doing today to protect against initial stage compromises and congratulate the MSI development team and our beta testers on a job well done. I think you are going to be amazed at how easy, capable and advanced Wasp is, when it is released. I know I continue to be amazed at what it is detecting and how much stuff has evaded current detection techniques.

In the meantime, while we await the full release, check out this PDF for some more information about where we are going with Wasp and our HoneyPoint product line. I think you are going to like the diagrams and the explanations. If you would like to book a special sneak preview of Wasp and the rest of HoneyPoint, give your account executive a call. We will be happy to sit down and discuss it with you. As always, thanks for reading!