Years ago the security of IT systems was focused on antivirus and firewalls. However, it is important to understand that antivirus could only detect and analyse processes running on specific hosts, and firewalls simply opened traffic to one port whilst blocking another. When malware is based simply on JavaScript executed in a browser, this ‘security’ is ineffective. An attacker will find it challenging to attack and compromise a firewall, as firewalls are purpose-built security devices and as a result are reasonably well protected. Servers, on the other hand, can be misconfigured and expose vulnerabilities that neither firewalls nor antivirus can alleviate or defend against. However, probably the biggest weakness is at the end-user points, i.e. PCs and laptops. PCs and laptops are a dream world for an attacker (or penetration tester), providing an incomparable amount of opportunity for attack. The biggest vulnerability in any IT system lies with the user. Users can become victims of a social engineering attack and may ‘innocently’ click something that they shouldn’t. In fact, statistics reveal that at least 30% of emails sent as part of a social engineering attack will be opened. As we have mentioned in other articles, staff education and preparation are key to reducing the potential for attack.

Research suggests that each day we see more than 200,000 new flavours of malware that antivirus simply cannot detect.

So, what is the answer? Unfortunately, we are unable to block the ‘bad guys’ in one sweep: we cannot identify them quickly enough.
Let’s consider what we do with physical access control: access to restricted areas of a building is granted only to the holder of a relevant security badge. Access control isn’t based on a blacklist of names; the access control system grants access to a list of approved or ‘allowed’ names. Adopting the same process in IT systems is paramount: whitelisting of applications. Only applications and processes granted permission should be allowed to run. We can do this using Microsoft’s AppLocker feature, a free solution which works very well (unfortunately, very few system administrators know about it). We grant permission for certain applications or product families to run, e.g. only the Microsoft, Autodesk, Sage and Adobe product families, and nothing else will start. (Another product providing similar functionality is RES Workspace Manager.)
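As an added example (not part of the article), the vendor-only whitelist described above sketched with AppLocker’s own PowerShell cmdlets: publisher rules for the approved vendors, rolled out in audit mode first, then checked and applied. The non-Microsoft publisher subject strings and the temp file path are assumptions, not real values.

```powershell
# Added example, not from the article: an AppLocker policy that lets only
# executables signed by an approved set of vendors run, deployed in AuditOnly
# mode first. Needs Windows Enterprise/Education or Server with the AppLocker
# module. Only the Microsoft subject string is known to be correct; the others
# are PLACEHOLDERS, to be replaced with the subject read from a genuine signed
# vendor binary via: Get-AppLockerFileInformation -Path '<vendor exe>'
Import-Module AppLocker
$approvedPublishers = [ordered]@{
    'Microsoft' = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
    'Autodesk'  = 'O=PLACEHOLDER AUTODESK SUBJECT'
    'Sage'      = 'O=PLACEHOLDER SAGE SUBJECT'
    'Adobe'     = 'O=PLACEHOLDER ADOBE SUBJECT'
}
# One publisher rule per vendor (any product, binary and version) for Everyone
# (SID S-1-1-0). No path or hash rules: an unsigned file dropped into a
# user-writable folder matches nothing and is therefore denied by default.
$rules = foreach ($vendor in $approvedPublishers.Keys) {
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow $vendor" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$($approvedPublishers[$vendor])" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}
# AuditOnly records what WOULD be blocked (event 8003) without stopping anything;
# change to EnforcementMode="Enabled" once the log shows no legitimate hits.
$policyPath = "$env:TEMP\vendor-allowlist.xml"
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding UTF8
# Dry run: a Microsoft-signed binary should report Allowed; add the path of any
# unsigned executable to see it reported as DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path 'C:\Windows\System32\notepad.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Apply locally (use Group Policy for a domain); AppLocker needs the Application
# Identity service, so make it start automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
# Audit review: 8003 = would have been blocked once enforcement is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 | Select-Object TimeCreated, Message -First 20
```

Run it from an elevated PowerShell session; a publisher rule as broad as “any Microsoft-signed binary” is a starting point that a real deployment would narrow per product once the audit log has been reviewed.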

Is whitelisting enough? Well, it depends on what we want to achieve. Realistically, if we want to have a reasonably sound and secure IT system we also need the following two items as standard:

  • No local admin rights for users
  • Unified Security Management (USM) approach – monitoring and maintenance of all aspects of the system, e.g. behavioural monitoring, vulnerability management, network intrusion detection, host-based intrusion detection and log analytics.

No local admin rights appears obvious. But what about a Unified Security Management (USM) approach? We cannot talk about a secure network without correlating all aspects of the operation. No system administrator can look into all logs, traces, netflows etc.; however, ignoring them is not an option. There are solutions on the market, e.g. AlienVault, which include automatic analysis and correlation of logs, traffic, vulnerabilities and threat intelligence, together with asset management, providing a set of actionable alerts. Such a solution filters hundreds of thousands of events, raising alerts only for the events that require further exploration.

In conclusion, we have determined that the following tools and actions we have discussed need to work together with antivirus and firewall for an IT system to be relatively sound and secure:

  • Application whitelisting
  • No local admin rights
  • Unified Security Management

It is interesting to note that, as well as the topics we have discussed, it is imperative that all organisations have and use an actionable Information Security Management System. This is a topic in its own right and should not be confused with the USM approach.

Posted by Derek Mizak

Cyber security consultant working on application of Artificial Intelligence to cyber security practice, Digital Forensic Investigator, ISO27001 lead auditor.