February 12th is ‘Clean Up Your Computer Day’. This important awareness day promotes both clean hardware and clean software within the organisation and at home.
At its simplest, this is a good opportunity for organisations to remind their employees to carry out important computer maintenance, such as physically wiping down their computers, which usually falls by the wayside. More critical in today’s security threat landscape is ensuring that all software is also “clean”.
Organisations and those with home computers all need to ensure that their hard drives are running smoothly, and that software is updated and old programs removed.
Basic IT health checks should be top of security teams’ agendas this Clean Up Your Computer Day, as well as at regular intervals throughout the year. This is particularly pertinent given that a recent report from the OTA (Online Trust Alliance) found that there were 159,700 total cyber incidents in 2017. Furthermore, 7 billion records were exposed in the first three quarters of the year, and the financial impact of ransomware was $5 billion. Worryingly, 93% of breaches that occurred in 2017 could have been prevented by following basic security best practices such as patching software. This demonstrates that, despite the onslaught of high-profile attacks that took place, organisations still aren’t recognising the value of being able to patch quickly and comprehensively.
Beyond patching it is also a good idea to ensure hardware drivers are up to date. There are many hardware vulnerabilities coming up now as well and updating firmware is required to plug these vulnerabilities. For infosec professionals, leveraging awareness days such as this one is a good way to capture the attention of those who make decisions in your organisation, such as the board.
Case in Point: Spectre and Meltdown
2018 started with a bang when the CPU vulnerabilities known as Meltdown and Spectre were disclosed by independent researchers, along with multiple proof-of-concept examples of the attack methods. This may feel like déjà vu for many security pros, as the start of 2017 saw the Shadow Brokers disclosing the SMB exploits that later led to many global cyber security events. Meltdown and Spectre have stood out as particularly far-reaching vulnerabilities – if you looked at the CERT KB you would have seen the list of affected vendors, which was pretty much everyone.
Promising recent research has found that, while 139 malware samples related to Meltdown and Spectre have been identified, there have not been any widespread publicly disclosed malware campaigns using the vulnerabilities. While this is great news, we also should not delay in investigating the rollout of fixes. Mitigating updates have been released by hardware vendors and software vendors alike, but many issues have been found in those updates as well. Intel has had to pull some updates because they were causing problems or didn’t properly mitigate the vulnerabilities. Likewise, OS updates from Microsoft have had a few issues, from conflicts with AV vendors (as a result of those vendors’ methods of interfacing with the kernel) to random reboots after applying updates and turning on mitigation features.
My recommendation is to not delay testing of firmware, OS, and software updates, but to approach with more testing and caution than normal, as there are fundamental changes to interactions with the Kernel which have been proving to be problematic for vendors. Also keep watching for additional updates as it seems we are far from done with these vulnerabilities.
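One way to verify, after a firmware or OS update has been rolled out, that the mitigations for these issues are actually in effect on a Linux host. This is an added example, not code from the original post; it assumes a kernel (4.15 or later) that exposes its speculative-execution status under /sys/devices/system/cpu/vulnerabilities, and the directory can be overridden so the check can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the Linux kernel's
# speculative-execution mitigation status so a patch rollout can be verified.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities
# (one file per issue, e.g. "meltdown", "spectre_v1", "spectre_v2").

# Print one line per issue and return non-zero if any issue still reads
# "Vulnerable". $1 (optional) overrides the sysfs directory, which is
# mainly useful for testing against constructed status files.
spec_status() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no vulnerability status directory: $dir" >&2; return 2; }
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)   flag="FAIL"; bad=$((bad + 1)) ;;
            "Not affected") flag="ok" ;;
            Mitigation*)   flag="ok" ;;
            *)             flag="??" ;;   # e.g. "Unknown ..." on some kernels
        esac
        printf '%-4s %-24s %s\n' "$flag" "$name" "$status"
    done
    [ "$bad" -eq 0 ]
}

# Number of issues still reporting "Vulnerable" in the given directory.
vulnerable_count() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}
```

Run `spec_status` on each host after patching; a non-zero exit means at least one issue is still unmitigated and the update (or the mitigation feature it enables) needs attention.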
Back to Basics
The current landscape is in essence a lethal petri dish of cyber attackers, some of whom are more skilled than others, but all of whom have access to exploit kits available online. These kits include pre-written exploit code, and criminals will often even have access to support and updates, just like legal commercial software. Combine that with the online availability of sophisticated tools that were originally intended for cyber espionage, and you have an idea of how deadly the cyber threatscape out there today is.
Organisations should always be prepared by embracing a layered approach to security, and one that makes full use of the power of the patch – patching won’t protect against everything but it’s still the most important step in a cybersecurity defence plan. If organisations can’t patch—because they’re running legacy systems, for example, or they have concerns that patching will break something in their environment—they then need to block the applications that don’t get patched with tools like application whitelisting and privilege management. Regardless of how or where a user accesses their desktop, it’s essential they receive only the authorised apps they need to be productive.
There are other layers to your cybersecurity defences to consider. User education is vital to preventing those initial—potentially malware-laden—phishing emails from getting in, while regular backups (including off network, to protect against ransomware) will mitigate the risk of data loss. Correctly configuring Windows firewalls can also help to halt the spread of ransomware within the organisation. However, patching and application control should be first on the list for all organisations looking to fortify their organisation against attack—and can go a long way toward reducing an attack surface, enabling businesses to take on the attacks that do get through, even with limited resources in place.
So, “cleaning up your computer” isn’t as simplistic as it initially appears, but in fact promotes business critical processes that could protect your organisation against the next WannaCry or NotPetya.