DSD's Strategies to Mitigate Targeted Cyber Intrusions

Date: 29 November 2012


DSD’s recently updated Top 35 Cyber Mitigation Strategies represent a series of controls that organisations can implement to help secure information systems. We’d like to present AusCERT’s perspective and give a little advice on how to apply appropriate security controls.

We’re not talking tech here. This is a non-technical perspective for gaining buy-in with key decision makers to actually be able to implement these security controls.

According to DSD, implementing the top four of the 35 strategies has the potential to prevent around 85% of intrusions. This might not necessarily be the case for your organisation; controls are best considered and applied as part of a broader information security management strategy or framework, such as ISO27001 or other information security standards. The best way to choose and apply security controls is a risk-based approach driven by the needs of the business, one that addresses assets in order of criticality; however, that is not the purpose of this blog. Rather, this blog provides practical tips to consider if seeking to apply DSD’s top four strategies.

Let’s start with gaining trust. You’ll need to confidently present your planned changes, fully tested with a backout plan. Your business users will appreciate that you’ve considered the impact on them and invited them to test how the changes would impact their operations. Perhaps you’ve even teamed up with your organisation’s Windows 7 (or 8) project – why not minimise disruption and implement your planned changes at the same time as a new desktop operating environment?

DSD has now placed application whitelisting at the top of the list. If you’re unable to apply application whitelisting across the entire organisation, start with computer users that have access to the most critical business information. Ensure key decision makers understand why application whitelisting is important, in order to obtain buy-in. If you need a real world example of how application whitelisting could have helped, read our blog on ransomware. This and other types of malware will not execute in an environment controlled by application whitelisting. Whitelisting also helps bridge the weaknesses in signature based anti-virus software, which is often ineffective against the most current targeted malware attacks.

DSD’s number 2 and 3 are application patching and OS patching respectively. If unsure where to start, even after applying a risk-based approach, go with the three applications commonly targeted on desktop computers: Adobe Reader, Oracle Java and Adobe Flash. Microsoft (and Adobe to a degree) have made it easy for us by adopting “patch Tuesday”, so take advantage and consider allocating a time each month for Microsoft patching – perhaps raise a recurring change control record (where applicable) for Microsoft patching.

But when and how often should you patch? You’ll need to consider the risk appetite for your organisation, but why not place some standard metrics around your patching efforts? You could use an independent scoring system such as CVSS to assign a criticality level to each patch, and even define acceptable time frames for implementing critical and non-critical patches based on whether the CVSS score is above or below a certain level. This also makes for easy service level measurements.
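As an added illustration (not code from the AusCERT post or DSD), the script below turns the idea above into a measurable service level: each patch is classified by whether its CVSS base score is above or below a threshold, given a time frame for its class, and the report counts how many patches met that time frame. The threshold, time frames, patch names and dates are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Threshold and time frames are illustrative assumptions, not values from the post.
CRITICAL_CVSS_THRESHOLD = 7.0
SLA_DAYS = {"critical": 14, "non-critical": 30}

@dataclass
class Patch:
    name: str
    cvss: float                      # CVSS base score, 0.0 - 10.0
    released: date                   # vendor release date
    applied: Optional[date] = None   # None means not yet deployed

def classify(cvss: float) -> str:
    """Map a CVSS base score to the patch criticality class."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return "critical" if cvss >= CRITICAL_CVSS_THRESHOLD else "non-critical"

def deadline(patch: Patch) -> date:
    return patch.released + timedelta(days=SLA_DAYS[classify(patch.cvss)])

def within_sla(patch: Patch, today: date) -> bool:
    """Applied by its deadline, or still unapplied but not yet due."""
    due = deadline(patch)
    return today <= due if patch.applied is None else patch.applied <= due

def sla_report(patches, today: date) -> dict:
    """Service-level metric: per class, how many patches met their time frame."""
    report = {}
    for cls in SLA_DAYS:
        subset = [p for p in patches if classify(p.cvss) == cls]
        overdue = [p.name for p in subset if not within_sla(p, today)]
        report[cls] = {"total": len(subset), "met": len(subset) - len(overdue),
                       "overdue": overdue}
    return report

# Constructed sample data (hypothetical patches and dates, not real advisories)
SAMPLE = [
    Patch("reader-update", 9.3, date(2012, 11, 1), date(2012, 11, 10)),
    Patch("java-update", 7.5, date(2012, 11, 1)),                # still unapplied
    Patch("flash-update", 5.0, date(2012, 11, 5), date(2012, 11, 20)),
    Patch("ms-bulletin", 4.3, date(2012, 11, 13)),               # unapplied, not yet due
]
AS_OF = date(2012, 11, 29)

def sample_report() -> dict:
    return sla_report(SAMPLE, AS_OF)
```

Running `sample_report()` flags the unapplied critical patch as overdue while the unapplied non-critical one is still inside its window, which is the distinction a monthly service-level figure needs to capture.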

The fourth item on DSD’s list is to limit the number of users with administrative rights. This is often less of a technological problem and more one of “social status”. Administrative rights are often seen as a prerequisite for management staff, and some IT staff forget not to browse the web with their domain admin account!

We know that restricting unnecessary access to administrator privileges can have a similar effect as application whitelisting by preventing malicious software from executing, and this could be a good substitute if application whitelisting is proving too difficult in all situations. You’ll need to obtain buy-in by explaining the consequences of an attack mounted against an administrative account.

Invariably some users will want administrative rights, so why not negotiate a compromise? Perhaps you could only allow Windows UAC prompts to escalate privileges after providing training to computer users, or an audited IT support function could escalate user privileges via telephone and desktop remote control (for example, during software installation). Testing is obviously required to ensure minimal impact on computer system users and gain trust.

Finally, consider DSD’s remaining items on the Top 35. AusCERT has noted a spike in compromised remote access systems using Terminal Services user accounts with weak passwords, and many organisations are struggling to protect their data with the onslaught of bring your own device (BYOD). If nothing else, go through the Top 35 Strategies and identify which of these strategies are currently being applied and which are not, then determine which could be applied to obtain the greatest security protection for the investment, going forward.

Regards,
The AusCERT Coordination Centre Team.



Additional: AusCERT's full paper on DSD's Strategies to Mitigate Targeted Cyber Intrusions is available for members to download here.