SecureIT - Basic Cyber Defense

Introduction

As devices, PCs and tablets become ever more numerous, it is becoming necessary for all users to perform basic security administration tasks. Individuals can no longer depend on automatic default configurations to maintain a secure personal digital environment. Today even the least technically savvy user must begin to practice basic cyber defensive tasks to keep their personal systems and data private.

Cyber Defense 101 - For Beginners

Like every approach to defensive measures, cyber defense begins with a mindset or philosophy. This philosophy is grounded in the firm understanding that everyone who uses computing devices is a target. No longer can anyone say with certainty that “they are too small or too unimportant to be a target”. In fact, many small businesses across the world are finding themselves targeted more as larger corporations establish sophisticated security defenses.

Being a hacking target is one thing, but it is also hard for the average user to know where to concentrate any defensive measures. In large corporations, security risk management efforts now quantify a scored hierarchy of importance; once the hierarchy is established, defensive measures are applied to the most critical systems first. Individuals can do this scoring as well, but they should score their most critical systems based on what hackers are most likely to attempt to exploit.

Key Point – Everyone is a Target of Hackers

What Hackers are after – The Money Goal

In broad terms a hacker’s goal is money. They are either after money directly or data that leads to money: data to get access to money, data to sell for money, or data to use a computer system’s resources to get money. So an individual who is only concerned about their bank account could concentrate their cyber defensive measures on the one system that has access to their bank (and probably use ONLY ONE system for bank access too). Given that money is a hacker’s primary target, a user can now start to organize their digital life so they do not become a victim of cybercrime.

Key Point – Hackers want money or something easily converted into money

Becoming a less Visible Cyber Target – Not being an easy target

There is an old joke often told among Cybersecurity professionals:

Two men are walking in a forest. Suddenly a large brown bear appears on the path before them. One of the men calmly starts to tie his shoes. The kneeling man’s companion says, “What are you doing? You know you can’t outrun a bear!” To which the kneeling man replied, “I don’t have to outrun the bear… I only have to outrun you!”

Key Point – Eventually hackers will compromise systems, but hackers, like everyone else, are resource constrained. If you as an individual make yourself difficult to compromise, most hackers will stop and go to an easier target.

Cyber Defense Guidance

The Australian Signals Directorate Top 35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. Those Four Strategies are:

Basic cyber security defense
  1. Patching Applications
  2. Patching Operating System Vulnerabilities
  3. Restrict Administrator Privileges
  4. Application Whitelisting

What follows is an explanation of each of the 4 strategies above:

[1 & 2] Operating System and Application Updates - Basic Digital Hygiene

For Personal Computers: There is no better high-value mitigation than regular OS updates. These should be set to automatic, but if you suspect your computer is out of date and runs Windows, simply go to the following address and follow the prompts to see if it needs any critical patches: windowsupdate.microsoft.com

Note: it is VERY important to go only to the designated website above! Much malware will redirect or hamper updates, so be cautious.

For Applications: The following applications should be updated regularly and manually checked to see if they are still the latest versions.

  • Web browser
  • Adobe Acrobat
  • Adobe Flash
  • Anti-Virus

For Devices: For Android-based devices it is good to allow automatic updates to install. While it’s a pain because there is always some widget that needs updating, it’s good to allow the updates to occur, and to be connected to secure non-public Wi-Fi when doing so rather than using the wireless network provider’s bandwidth.

For Apple devices, users are prompted with a red numbered badge on the Settings icon when an update is available. While it is not common for apps to be hacked on Apple devices, if you have an older app that connects to outside websites (e.g. Facebook) it should be checked to make sure the latest version is installed.


[3] Restrict Administrator Privileges - Keeping the Safety features in place

The reason that Administrator accounts need to be controlled is obvious. Most home systems simply let “standard users” operate with an Administrator account, which is a recipe for disaster. In reality the Administrator account should be used sparingly, so limiting the privilege is an excellent measure to take.

Key Point – Use your computing device in USER mode and leave the Administrator account separate and use it for true administrative tasks. 

[4] Application Whitelisting – No Rogue Programs

A whitelist is a list or register of entities that are being provided a particular privilege, service, mobility, access or recognition. Entities on the list will be accepted, approved and/or recognized. Whitelisting is the reverse of blacklisting, the practice of identifying entities that are denied.

For personal computing, application whitelisting is not very practical, but the basic principles of whitelisting CAN be applied manually to yield some protection: for example, manually monitoring process listings to see if any strange applications are running (e.g. Flash still running after the web browser has exited), then ending that process/application if it is running when it is not supposed to be.
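As an added illustration (not part of the original article), the manual whitelisting idea above expressed as a small Python check: a constructed process listing is compared against an allowlist of process names and, going slightly beyond the text, each allowlisted name is also checked against the directory it is expected to run from, since malware often borrows a trusted-looking name. The process names, paths and allowlist entries are constructed assumptions, not a vetted baseline.

```python
import ntpath

# Constructed allowlist (assumption, not a vetted baseline): process name ->
# the directory its executable image is expected to run from.
ALLOWLIST = {
    "explorer.exe": r"C:\Windows",
    "chrome.exe": r"C:\Program Files\Google\Chrome\Application",
    "msmpeng.exe": r"C:\ProgramData\Microsoft\Windows Defender\Platform",
}

# Constructed process listing in the shape a tasklist-style tool reports:
# (process name, full path of the executable image).
RUNNING = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("flashplayer.exe", r"C:\Users\Alice\AppData\Local\Temp\flashplayer.exe"),
    ("explorer.exe", r"C:\Users\Alice\AppData\Roaming\explorer.exe"),
]


def check_processes(running, allowlist):
    """Return (name, path, reason) for every process that fails the allowlist:
    a name not on the list, or a listed name running from the wrong directory
    (a common way for malware to hide behind a trusted-looking name)."""
    findings = []
    for name, path in running:
        expected_dir = allowlist.get(name.lower())
        if expected_dir is None:
            findings.append((name, path, "not on allowlist"))
            continue
        # ntpath handles Windows separators regardless of the host OS.
        actual_dir = ntpath.dirname(path).lower()
        if actual_dir != expected_dir.lower():
            findings.append((name, path, "allowlisted name, unexpected directory"))
    return findings


if __name__ == "__main__":
    for name, path, reason in check_processes(RUNNING, ALLOWLIST):
        print(f"{reason}: {name} ({path})")
```

On a real machine the RUNNING list would be filled from the live process listing; the comparison logic stays the same.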

How to detect if a system is ‘Hacked’

There are many ways to detect if your system is hacked, but barring the use of sophisticated forensic tools, a qualitative assessment is best for most users.

Qualitative Indicators of Compromise (IOC)

  • System runs slow (possibly because malware background processes are running)
  • System takes overly long to boot (possibly due to Hacker hardware drivers loading)
  • System makes strange noises at odd times (could be due to a malware hardware driver being poorly coded)
  • System applications do not run as desired (if System Update, System Restore or Antivirus cannot update it is highly probable the system has been hacked)
  • You find web services such as web searches are redirected to unusual sites (Possibly Malware/Adware compromise) 

In general if you have any of the above happen you should contact an IT professional to resolve the problem. If you are doing this yourself you can try to download/install Malwarebytes and scan for malware.

Similarly, on a network level, it is highly advisable to monitor network performance and behaviours for unexpected symptoms. A technical report explaining how to monitor networks for security purposes in more detail can be found here.

Key Point – The only way a non-security expert can know that a system is mostly clean of malware is for an Operating System AND Anti-Virus update to occur without being halted, since almost all malware disables Operating System and AV updates to keep the initial flaw from being closed.

Appendix A

This is an excerpt from the latest United States Department of Homeland Security US Computer Emergency Response Team (US-CERT) recommendations. It is included here for additional guidance and information.

US-CERT recommends that organizations adhere to the following best practices to strengthen the security posture of their information systems:

  • Develop Intrusion Detection System (IDS) signatures to monitor for the aforementioned IOCs
  • Investigate outbound network traffic observed over TCP port 53 that does not conform to the DNS protocol
  • Restrict access or probing of the aforementioned domains and IP addresses
  • Maintain up-to-date antivirus signatures and engines
  • Ensure systems are fully patched and updated; employ least-privileged accounts
  • Restrict users' abilities (permissions) to install and run unwanted software applications
  • Enforce a strong password policy and implement regular password changes
  • Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known
  • Enable a personal firewall on agency workstations
  • Disable unnecessary services on agency workstations and servers
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header)
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs)
  • Scan all software downloaded from the Internet prior to executing
  • Maintain situational awareness of the latest threats; implement appropriate Access Control Lists
  • Consider installing Application Whitelisting, Cloud Antivirus, Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools 
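The “true file type” recommendation in the list above, as an added Python example that is not part of the US-CERT text or this article: the file extension is compared with the leading bytes (the file header) of a few constructed attachments, including an executable renamed to .pdf. The signature table and the sample contents are constructed assumptions covering only a handful of common formats.

```python
import os

# Constructed table of common file signatures ("magic bytes") and the
# extensions that legitimately carry them. Illustrative subset, not exhaustive.
SIGNATURES = [
    (b"%PDF-", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"MZ", {".exe", ".dll", ".scr"}),
]

# Constructed attachments: filename -> first bytes of the file content.
# "invoice.pdf" is a Windows executable (MZ header) renamed to look like a PDF.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "photo.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "readme.txt": b"Hello, world",
}


def identify_header(data):
    """Return the extensions consistent with the leading bytes, or None if
    the header matches no known signature."""
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def true_type_check(filename, data):
    """Compare the extension with the header. Returns (verdict, detail) where
    verdict is "match", "mismatch" or "unknown" (header not in the table)."""
    ext = os.path.splitext(filename)[1].lower()
    exts = identify_header(data)
    if exts is None:
        return "unknown", f"no known signature; extension {ext} unverified"
    if ext in exts:
        return "match", f"extension {ext} agrees with the file header"
    return "mismatch", f"extension {ext} but header indicates {'/'.join(sorted(exts))}"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *true_type_check(name, data))
```

An "unknown" verdict is not a pass: it only means the table has no signature for that header, so such files still deserve a scan.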

Basic Cyber Hygiene

Practicing basic cyber hygiene would address or mitigate a vast majority of security breaches handled by today’s security practitioners:

  • Minimizing administrative privileges (In most cases, this is the primary target for malicious intruders)
  • Application directory whitelisting (This prevents malicious software and unapproved programs)
  • Application patching (e.g., third-party vendor applications)
  • System patching (e.g., operating system vulnerabilities)
  • Dual-factor authentication (e.g., Personal Identity Verification card) 

General User Accounts are Targets

US-CERT is seeing common vulnerabilities exploited and threat actors compromising general user accounts instead of administrative accounts:

  • Threat actors can conduct business on the network as an authorized user
  • Undermines discussion and debate around whether to encrypt data because it doesn't matter
  • Authorized user account is set up by default to read/write/share encrypted data

Network Segmentation

These cyber incidents have continued to emphasize the importance of network segmentation:

  • When an organization’s network is not segmented from others, this could mean hundreds of sub-networks affected versus one
  • Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
