Security Management  

Information is one of the most valuable assets in your business. The use of proper preventive measures and safeguards can reduce the risk of potentially devastating security attacks, which could cost you the future of your business. Some losses might be irrecoverable, such as the loss of a business deal due to leaks of confidential data to your competitor.

With an effective information security management policy in place, you can give your company a strong security strategy and a cost-effective solution for the overall protection of valuable information. Information control becomes easier to manage and, most importantly, you minimise the risk of attacks, ultimately saving costs. You want to safeguard your assets as well as you can, so making a security budget a mandatory part of your company's or organisation's budget is a wise move.

Information security management involves a combination of prevention, detection and reaction processes. It is a cycle of iterative activities and processes that require ongoing monitoring and control. While this management cycle is mostly applied at the overall organisation level, it can also be applied to different functions or units in a business to prevent financial loss, e.g. the sales department, the customer service unit, and so on.

For security management to work, the involvement, understanding and support of every member of your organisation is crucial to the effectiveness of the program. Do not be fooled into thinking it is an isolated task for the security or IT department alone.

Security Primer – EternalBlue

Overview

EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in the Server Message Block version 1 (SMBv1) protocol implementation in Microsoft Windows operating systems (OS); SMB is a network file sharing protocol that allows access to files on a remote server. Because the SMB service listens on the network (TCP port 445), the exploit requires no user interaction, and an attacker who compromises one host can use the same exploit against every other unpatched host it can reach, potentially compromising the entire network and all devices connected to it. This makes recovery difficult, as all devices on a network may have to be taken offline for remediation. Microsoft patched this vulnerability in March 2017; the fix is listed on Microsoft’s security bulletin as MS17-010.

Malware that utilizes EternalBlue can self-propagate across networks, drastically increasing its impact. WannaCry, a crypto-ransomware, was one of the first and best-known malware families to use this exploit to spread: it uses EternalBlue to infect every vulnerable device it can reach on the network and then drops the crypto-ransomware payload, greatly increasing the persistence and damage it can cause in a short amount of time. This has made EternalBlue popular with other malware, such as Trickbot, a modular banking trojan, as well as CoinMiner and WannaMine, cryptominers that use the exploit to gain access to computing power for mining cryptocurrencies.
For more information on this vulnerability, please see the MS-ISAC’s Microsoft SMBv1 Advisory and the Common Vulnerabilities and Exposures list, where it is listed under CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148.

Recommendations

  • Patch devices with Microsoft Windows OS with the security update for Microsoft Windows SMB v1. The Microsoft Security Bulletin, MS17-010, includes the list of affected Windows OS.
  • Use ESET’s free EternalBlue vulnerability checker to test whether your version of Windows is vulnerable.
  • Where appropriate, disable SMBv1 on all systems and utilize SMBv2 or SMBv3, after appropriate testing.
  • Use Group Policy Objects (GPOs) to set a Windows Firewall rule that restricts inbound SMB communication to client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom rules to control client-to-client SMB communication. At a minimum, create a GPO that blocks inbound SMB connections to clients that originate from other clients; workstations rarely need to serve SMB to one another, and client-to-client SMB is exactly the path a self-propagating worm uses.
  • Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative privileges).
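The checks and hardening steps in the list above, as an added PowerShell example for a single host. This is not MS-ISAC's or Microsoft's code. It assumes Windows 8.1 / Server 2012 R2 or later (for the Smb* and NetSecurity cmdlets), the KB numbers it looks for are a subset of those published under MS17-010 and must be reconciled with the bulletin for your builds, and the firewall rule name is a placeholder:

```powershell
# Added example (not MS-ISAC code): audit and harden a Windows host against
# EternalBlue (MS17-010). Run in an elevated PowerShell session on Windows 8.1 /
# Server 2012 R2 or later; cmdlet availability on older builds is not assumed.
#Requires -RunAsAdministrator

function Test-MS17010Installed {
    # Assumption: a subset of the KB numbers released under MS17-010 (security-only
    # and monthly rollups for Win7/2008 R2, 8.1/2012 R2, 2012, 10, 2016). Reconcile
    # with the bulletin for your builds. Later cumulative updates supersede these
    # KBs, so a miss means "verify by other means", not "vulnerable".
    $kbs = 'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
           'KB4012598','KB4012606','KB4013198','KB4013429'
    $hits = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    $srv  = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Patched       = [bool]$hits
        KBs           = ($hits.HotFixID -join ',')
        SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'n/a' }  # compare to the bulletin's fixed versions
    }
}

function Get-SmbV1Status {
    # Server-side SMB1 (the component EternalBlue attacks) and whether the SMB1
    # optional feature, i.e. the driver itself, is still installed.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $state   = if ($feature) { [string]$feature.State } else { 'not present' }
    [pscustomobject]@{ ServerSMB1Enabled = $server; SMB1Feature = $state }
}

function Disable-SmbV1 {
    # Turn off the SMB1 server protocol immediately (no reboot), then remove the
    # feature so the SMB1 driver is never loaded (takes effect after reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Add-ClientSmbBlockRule {
    # "Restrict inbound SMB to client systems": a workstation has no reason to serve
    # SMB, so block TCP 445 and 139 inbound on every profile. Push the same rule to
    # the fleet with a GPO (Computer Configuration > Policies > Windows Settings >
    # Windows Firewall with Advanced Security). On a file server, scope the rule with
    # -RemoteAddress to the subnets that need access instead of blocking outright.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (workstations)' -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any -Enabled True | Out-Null
}

# Usage: audit first, then remediate after testing.
Test-MS17010Installed
Get-SmbV1Status
# Disable-SmbV1
# Add-ClientSmbBlockRule
```

Disabling the server protocol with Set-SmbServerConfiguration is the quick win because it needs no reboot; removing the optional feature is the durable fix because it unloads the vulnerable driver entirely. Test both against anything that still speaks only SMBv1 (old printers, NAS appliances, legacy scanners) before rolling them out.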

Security Primer – Remote Desktop Protocol

Overview

Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It provides network access for a remote user over an encrypted channel. Network administrators use RDP to diagnose issues, login to servers, and to perform other remote actions. Remote users use RDP to log into the organization’s network to access email and files.

Cyber threat actors (CTAs) use misconfigured RDP ports that are open to the Internet to gain network access. They are then in a position to potentially move laterally throughout a network, escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows CTAs to maintain a low profile since they are utilizing a legitimate network service and provides them with the same functionality as any other remote user. CTAs use tools, such as the Shodan search engine, to scan the Internet for open RDP ports and then use brute force password techniques to access vulnerable networks. Compromised RDP credentials are also widely available for sale on dark web marketplaces.

In 2018, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed an increase in ransomware variants that strategically target networks through unsecured RDP ports or by brute forcing the password. The ransomware is then manually deployed across the entire compromised network and is associated with higher ransom demands.

Recommendations

  • Assess the need to have RDP, port 3389, open on systems and, if required:
    • place any system with an open RDP port behind a firewall and require users to VPN in through the firewall;
    • enable strong passwords, multi-factor authentication, and account lockout policies to defend against brute-force attacks;
    • whitelist connections to specific trusted hosts;
    • restrict RDP logins to authorized non-administrator accounts, where possible. Adhere to the Principle of Least Privilege, ensuring that users have the minimum level of access required to accomplish their duties; and
    • log and review RDP login attempts for anomalous activity and retain these logs for a minimum of 90 days. Ensure that only authorized users are accessing this service.
  • If RDP is not required, disable it and perform regular checks (for example, scans of your external address space) to ensure port 3389 is not exposed.
  • Verify cloud environments adhere to best practices, as defined by the cloud service provider. After cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
  • Enable automatic Microsoft Updates to ensure that the latest versions of both the client and server software are running.
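The exposure checks, whitelisting, lockout policy and log review from the list above, as an added PowerShell example for a single host. This is not MS-ISAC's or Microsoft's code; the trusted-host addresses, lockout values and brute-force threshold are placeholders to tune to your environment, and the sample logon-failure records are constructed rather than taken from a real log:

```powershell
# Added example (not MS-ISAC code): audit RDP exposure on a Windows host, restrict it
# to trusted hosts, and flag brute-force attempts in the Security log. Run elevated
# on Windows 8.1 / Server 2012 R2 or later. Addresses and thresholds are placeholders.
#Requires -RunAsAdministrator

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    # fDenyTSConnections=0 means RDP is enabled; UserAuthentication=1 means NLA is required.
    $deny = (Get-ItemProperty $tsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty $rdpTcp -Name UserAuthentication).UserAuthentication
    $open = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # Remote addresses the enabled built-in RDP firewall rules accept ('Any' = reachable from anywhere).
    $scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
             Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($nla -eq 1)
        Listening3389 = [bool]$open
        AllowedFrom   = ($scope -join ',')
    }
}

function Set-RdpRestriction {
    # Whitelist RDP to specific trusted hosts (e.g. the VPN concentrator or a jump host;
    # the defaults are assumed placeholders), require NLA so an attacker must
    # authenticate before a session is created, and enable account lockout.
    param([string[]]$TrustedHosts = @('10.0.0.5', '10.0.0.6'))
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -RemoteAddress $TrustedHosts
    Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1
    # 10 failures lock the account for 15 minutes; the counter resets after 15 minutes.
    net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

function ConvertFrom-LogonFailure {
    # Pull source address, logon type and target user out of a Security event 4625.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $Record.TimeCreated
            IpAddress = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = [int]($data | Where-Object Name -eq 'LogonType').'#text'
            User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        }
    }
}

function Find-RdpBruteForce {
    # Flag any source with at least Threshold failed logons whose first and last
    # attempt fall inside WindowMinutes. Logon type 10 = RemoteInteractive (classic
    # RDP); when NLA is enforced the failure is recorded as type 3 (network) instead,
    # so both are counted.
    param([object[]]$Failures, [int]$Threshold = 10, [int]$WindowMinutes = 10)
    $Failures | Where-Object { $_.LogonType -in 3, 10 } | Group-Object IpAddress | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Source   = $_.Name
                Attempts = $_.Count
                Minutes  = [math]::Round($span, 1)
                Users    = (($_.Group.User | Select-Object -Unique) -join ',')
            }
        }
    }
}

# Constructed sample (not real log data): 12 failures in under 3 minutes from one
# address cycling usernames, plus one stray failure from another address.
$base   = Get-Date '2018-06-01 02:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $base.AddSeconds(15 * $_); IpAddress = '203.0.113.7'; LogonType = 10; User = "user$_" }
})
$sample += [pscustomobject]@{ Time = $base.AddMinutes(5); IpAddress = '198.51.100.2'; LogonType = 10; User = 'jdoe' }

Get-RdpExposure
Find-RdpBruteForce -Failures $sample
# Against the live log (last 24 h):
# $f = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-LogonFailure
# Find-RdpBruteForce -Failures $f
```

Username cycling across one source address is the signature of a credential-stuffing or dictionary run, which is why the report lists the distinct target users per source. Retaining the Security log for the 90 days the advisory asks for means sizing it accordingly or forwarding it to a collector; the default log size on a busy host wraps in days.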