{"id":11286,"date":"2011-06-13T09:10:54","date_gmt":"2011-06-13T09:10:54","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=11286"},"modified":"2011-06-13T09:10:54","modified_gmt":"2011-06-13T09:10:54","slug":"how-hm-treasury-was-allegedly-attacked-how-to-defend-against-it","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=11286","title":{"rendered":"How HM Treasury Was Allegedly Attacked &#038; How to Defend Against It"},"content":{"rendered":"<p>I was listening to The Guardian\u2019s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD\/GCHQ is doing.&#160; In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:<\/p>\n<ul>\n<li>Drive-by browsing: This is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user\u2019s computer.<\/li>\n<li>Malware attachments: Some piece of dodgy software is sent as a normal-looking attachment in an email.&#160; This file has some sort of built-in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).<\/li>\n<\/ul>\n<p>I am not a security expert.&#160; In fact, most of the self-proclaimed security experts that you meet are not security experts.&#160; I have met real security experts.&#160; They speak a whole other language that we IT Pros don\u2019t understand.&#160; I\u2019ve also met \u201csecurity experts\u201d with their recently downloaded checklists who do more damage than good.&#160; The good news is that there is lots that you can do to protect yourself from attacks such as the above.&#160; The bad news is that there is no 100% perfect 
defence.&#160; For example, antivirus scanners detect already-known threats.&#160; Someone has to get hit somewhere before a threat becomes known.&#160; Let\u2019s stay positive and see what could be done to protect against the above two attacks.<\/p>\n<p><strong><u>Defending Against Drive-By Browsing<\/u><\/strong><\/p>\n<p>Drive-by browsing has been around for some time.&#160; I\u2019ve attended presentations by Microsoft\u2019s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster.&#160; They sold advertising space on their website.&#160; Other than the space, they had no control over content.&#160; That was done by the online advertiser.&#160; And they probably did more outsourcing or bidding.&#160; Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts.&#160; You\u2019d just browse the site and *BANG* your PC downloaded a trojan downloader.&#160; In other words, it was 0wned.<\/p>\n<p>The most basic defence against drive-by attacks is to keep your browser up to date with security fixes.&#160; Don\u2019t be a fanboy sheep: all browsers are vulnerable.&#160; I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome\/IE lasted a bit longer but eventually gave in at some hack-athon.&#160; Google and Microsoft are constantly releasing updates.&#160; Google do it via new versions of Chrome.&#160; Microsoft do it through security hotfixes.<\/p>\n<p>If you run anything but the smallest business, then you need to manage these updates.&#160; This is one of IE\u2019s strengths because it can be updated immediately (or after internal testing) via Windows Update, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010).&#160; There really is no excuse for a business not to be doing this, monitoring patch update levels, and 
remediating any deployment issues.<\/p>\n<p>These adverts are effectively downloading a trojan installer.&#160; A proxy malware scanner can help defend against this.&#160; Forefront Threat Management Gateway (TMG) includes a <a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/dd182018.aspx\" target=\"_blank\">Malware Inspection Filter<\/a>, as do many other firewall and proxy products.&#160; I\u2019ve always liked the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.<\/p>\n<p><strong><u>Malware Attachment<\/u><\/strong><\/p>\n<p>The problem with email is that it is pretty open and trusting.&#160; If I know the name or IP address of your SMTP gateway then there\u2019s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).<\/p>\n<p>Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let\u2019s get real \u2013 people have jobs to do and they cannot spend 3\/4 of the day calling people to see if so\u2019n\u2019so really sent an email. 
Why would we have email at all in that case?<\/p>\n<p>Sure, we can do a bit of user education.&#160; I don\u2019t need to open an attachment with a .EXE file extension.&#160; I don\u2019t need to read an email from the wife of some deposed king.&#160; And I really don\u2019t need pills for you-know-what <img decoding=\"async\" style=\"border-bottom-style: none; border-left-style: none; border-top-style: none; border-right-style: none\" class=\"wlEmoticon wlEmoticon-smile\" alt=\"Smile\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2011\/06\/wlEmoticon-smile2.png\" \/>&#160; Common-sense education helps.&#160; But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard.&#160; If we cannot fix that, then maybe we need to wrap our email system in defences to counter those weaknesses.<\/p>\n<p>Let\u2019s start with the mail server.&#160; Stick some malware scanning on there, like Forefront for Exchange (or another solution).&#160; That will protect the server against external threats.&#160; I know you\u2019ll interject here with another suggestion (and I\u2019ll get there).&#160; Think about how IT is changing.&#160; Consumerisation of IT has caused users to bring all sorts of devices onto our networks.&#160; Lord knows what they connect to when they are not on our network.&#160; And those same devices will be used to connect to the company\u2019s mail services.&#160; You need to protect the company\u2019s email (and reputation) against those internal threats.<\/p>\n<p>Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others.&#160; The company\u2019s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company\u2019s SMTP gateway.&#160; You\u2019re in complete control \u2013 you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console 
(it also can manage Forefront for SharePoint).&#160; Now you can filter out the incoming rubbish before it gets to the company\u2019s expensive Internet connection, and you have a layered defence.<\/p>\n<p><strong><u>Third Party Update Catalog<\/u><\/strong><\/p>\n<p>We aren\u2019t finished yet.&#160; Antivirus scanners are not perfect, especially when it comes to custom-written or brand-new threats.&#160; The more serious attacks out there are not done by script kiddies in a basement; they\u2019re done by organised crime, your competitors, and state agencies.&#160; They have the time and money to create new programs to leverage discovered vulnerabilities.&#160; For example, it\u2019s one thing to scan for Conficker; it\u2019s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.<\/p>\n<p>So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows.&#160; Great!&#160; The attachment that was used in the alleged attack on HM Treasury was allegedly based on an Adobe product.&#160; How often do you see Adobe products looking to update themselves to fix some security issue?&#160; It feels to me like it happens a few times a week.&#160; I bet most of you, and your users, disable these annoying updates \u2013 and that\u2019s what the attacker is betting on!&#160; They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it\u2019ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.<\/p>\n<p>*PANIC* This is where you uninstall Adobe Reader, Flash, etc., and use third-party alternatives \u2013 not so fast, my friend! 
(Why do I keep quoting Lee Corso?).&#160; Adobe products, like every other product, have vulnerabilities.&#160; If you think those other readers don\u2019t, then you\u2019re fooling yourself.&#160; If you\u2019re a big enough target, then an attacker will figure out what third-party reader you use via social engineering, and craft an attack for that.&#160; With Adobe, you at least have a way to force updates for your users.<\/p>\n<p>No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves.&#160; Adobe has <a href=\"https:\/\/aidanfinn.com\/?p=11266\" target=\"_blank\">created software update catalogues<\/a> that we can use in System Center Configuration Manager (MSFT\u2019s main way to adopt\/control consumerisation of IT) and System Center Essentials.&#160; This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated and scheduled manner, with deployment deadlines.&#160; Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.<\/p>\n<p><strong><u>Summary<\/u><\/strong><\/p>\n<p>With all this, you get layered defences.&#160; Is it 100% secure?&#160; No.&#160; Like I said, I\u2019m honest enough to say that I\u2019m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning).&#160; Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you\u2019ll have a nice fortress.&#160; You can\u2019t rely on people to protect the castle, and that\u2019s why you need an automated <a href=\"http:\/\/en.wikipedia.org\/wiki\/Portcullis\" target=\"_blank\">portcullis<\/a> approach like this.&#160; The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.<\/p>\n<p><em>Note: I don\u2019t know why some people always 
assume that security should be any different for virtual machines (on any hypervisor).&#160; The virtualised workloads still need the same levels of protection that their physical alternative would.<\/em><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[37],"tags":[173,178,179,190,191,193,194],"class_list":["post-11286","post","type-post","status-publish","format-standard","hentry","category-security","tag-configmgr","tag-exchange","tag-forefront","tag-security","tag-sharepoint","tag-system-center","tag-system-center-essentials"],"aioseo_notices":[],"jetpack_featured_media_url":"","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/11286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11286"}],"version-history":[{"count":0,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/11286\/revisions"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}