Most organizations enforce system configuration policies to reduce the chance of misconfiguration and improve their overall security posture. For Microsoft Windows systems, many organizations rely on guidance from Microsoft Security Compliance Manager (SCM) for proper configuration. For organizations deploying Windows 10, this Top 5 list helps you understand and implement the new settings introduced in SCM for Windows 10.
As an engineer on the Qualys Policy Compliance product team, I routinely compare compliance benchmarks, and have compiled this list based on my work. If you are already familiar with previous versions of Windows, this blog post can help you quickly adopt the new changes.
Controls (represented by Control IDs or CIDs) are the building blocks of the policies in Qualys Policy Compliance used to measure and report compliance for a set of hosts. For each of the Top 5 in this article, we include the CID that allows you to build policies to measure and report compliance for that new setting.
Good software hygiene mandates fast patching, but most organizations still prioritize patch roll-out, taking severity and applicability into account.
To help organizations tune their prioritization process, last week we added a knowledgebase enhancement that extends our severity rating with an “ExploitKit” mapping. The new mapping groups all QIDs that are used in the so-called ExploitKits available for purchase on the black market. ExploitKits such as Crimepack, IcePack and Phoenix offer the attacker a suite of exploits for common OS, browser and application vulnerabilities and automate the setup of the malicious web servers needed in the malware infection cycle; for the moment they focus on the Windows OS.
ExploitKits are behind many of the mass malware infections (Zeus, SpyEye, etc.) that group affected machines into botnets, which are remotely controlled to send spam, participate in DDoS attacks and intercept banking credentials by monitoring browser usage. Affected machines can also be used as beachheads for further incursions into the enterprise networks they belong to, and such infections are widespread: Gartner estimates that between 4% and 8% of all workstations in enterprise environments are infected.
Organizations can protect themselves from infection by hardening their installation and patching all of their workstations against the vulnerabilities abused by the ExploitKits. The “ExploitKit” mapping can be used in targeted scans or in reporting to aid in the hardening process.
On Friday April 15th, the Oak Ridge National Laboratory (ORNL) disconnected its Internet access to contain an intrusion and interrupt the theft of data. Attackers had gained access to the ORNL network on April 7 through a phishing e-mail carrying malware that exploited a 0-day vulnerability in Microsoft Internet Explorer.
Previously, we had seen a similar attack on the security company RSA, where data related to SecurID, RSA’s two-factor token authentication product, was extracted. In RSA’s case, the phishing e-mail carried an Excel spreadsheet purporting to be about the hiring budget for 2011. The spreadsheet contained an exploit for a 0-day vulnerability in Adobe Flash.
At the same time, Verizon’s 2011 Data Breach Investigations Report (DBIR) affirms for the third year in a row that the majority of data breaches (96%) could have been avoided with simple countermeasures.
Organizations can effectively protect themselves by implementing good software hygiene, which starts with a structured patching process aimed at installing critical updates for all software within a short timeframe; we recommend 10 days. Organizations that have implemented such fast patching have seen a significant improvement in the robustness of their infrastructures and have documented their progress publicly (see the reference section on the processes in use at Goldman Sachs and the US State Department).
Fig 1: Motivation for Patch Speed at Goldman Sachs (From SPO-208 RSA US 2009)
Fast patching prevents infection by the common malware exploit kits available for purchase, because they rely on vulnerabilities for which patches already exist. The toolkit “Phoenix 2.5”, for example, offers 5 exploits based on the PDF file format, 3 on Java and 1 each for QuickTime and Adobe Flash, all of them abusing vulnerabilities that are already patched.
Further resilience can be gained by controlling installed software and its configuration. The ORNL case would have been countered by the consistent use of an alternative browser. The Excel attack could have been prevented by prohibiting active content in the Microsoft Office Trust Center or by uninstalling Adobe Flash, preferably both. Switching to a more modern version of the base OS, or even an alternative OS (e.g. Windows 7 64-bit, Mac OS X or Linux), also adds resilience against malware.
This level of tightening of IT configurations raises the bar significantly and will keep most classes of attackers out of enterprise networks. Talk to your industry peers to see what they are doing; a number of organizations are already operating their networks in this way and can attest to the effectiveness of these measures.
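As an added illustration (not part of the original post), the following PowerShell snippet checks a single Windows workstation against the controls just discussed: how many days have passed since the last update was installed (measured against the 10-day target above), whether Adobe Flash Player is still installed, and whether the Office Trust Center has ActiveX controls disabled. The Office registry path (14.0, i.e. Office 2010), the DisableAllActiveX value name, and the Flash detection via the Uninstall hive are assumptions; adjust them for the versions in your environment.

```powershell
# Added example, not from the original post: local software-hygiene check for one host.
# Assumptions: 10-day patch target from the text; Office 2010 registry path (14.0);
# Flash detected through its Add/Remove Programs (Uninstall) entry.

$PatchSlaDays = 10

# 1. Days since the most recent update was installed. Get-HotFix reads the same data
#    as "Installed Updates"; InstalledOn is empty for some entries, so filter those out.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSince = if ($lastPatch) { (Get-Date).Subtract($lastPatch.InstalledOn).Days } else { $null }

# 2. Is Adobe Flash Player installed? Checks both the native and the WOW6432Node
#    uninstall hives so 32-bit Flash on 64-bit Windows is not missed.
$flash = Get-ItemProperty `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Adobe Flash Player*' }

# 3. Office Trust Center: are ActiveX controls disabled for the current user?
#    Assumed key for Office 2010; DisableAllActiveX = 1 corresponds to
#    "Disable all controls without notification" in the Trust Center.
$officeSec = 'HKCU:\Software\Microsoft\Office\14.0\Common\Security'
$activeX = (Get-ItemProperty -Path $officeSec -Name DisableAllActiveX `
    -ErrorAction SilentlyContinue).DisableAllActiveX

# One row per host; collect these over the fleet to see who is outside the SLA.
[PSCustomObject]@{
    Host               = $env:COMPUTERNAME
    DaysSinceLastPatch = $daysSince
    PatchSlaMet        = ($null -ne $daysSince -and $daysSince -le $PatchSlaDays)
    FlashInstalled     = [bool]$flash
    OfficeActiveXOff   = ($activeX -eq 1)
}
```

Run it under the user account whose Office settings you want to inspect, since the Trust Center value lives under HKCU. The patch-age figure is only a proxy for "fully patched": a host that installed one update yesterday can still be missing older critical ones, so treat a failing row as a trigger for a proper vulnerability scan rather than as the verdict.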