Susan Bradley, Contributing Writer

Time to check software and security settings for Windows network vulnerabilities

Feature
13 Oct 2021 | 4 mins
Network Security | Windows Security

October is Cybersecurity Awareness Month, and that's a good excuse to review what's running on your network to identify security risks.

Credit: Natali Mis / Getty Images

The US Cybersecurity and Infrastructure Security Agency (CISA) has designated October as Cybersecurity Awareness Month. In honor of this event, I urge you to take the month of October to become more aware of your computer and network assets.

Inventory and evaluate software for risks

One way to become more aware of your cybersecurity risks is to inventory and evaluate the software your firm uses. We tend to focus on Microsoft patching, but we often overlook third-party software, where a few simple actions can make our systems noticeably more secure. Review weaknesses in both the software itself and how it is configured. For this you typically need some sort of inventorying software that can analyze your network.

If your firm is in a traditional domain, you can use tools that rely on Active Directory to analyze what security weaknesses you have. If your firm has both cloud assets as well as traditional domain infrastructure and you have access to a Microsoft 365 E5 license, you can use tools such as Microsoft Defender Security Center to assess what software needs to be updated.

If your budget doesn’t allow for such licensing, alternatives such as Spiceworks will let you inventory and analyze your network. For on-premises systems, you can use PowerShell to prepare an inventory report of the software on your network: a script can read the list of installed programs from each computer and compile it into a single report.

PowerShell has long been a means to inventory systems, but scripted remote inventory typically depends on domain membership and Active Directory access. As we move to disconnected networks, especially during the pandemic, a way to inventory systems that are not joined to the domain is a key need. Unconnected, unmanaged computers are often behind in updating and maintaining their software. A tool that gives you an overview of the security state of all your software can help keep your network secure.
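The following script is an added example, not code from the original article. It reads the installed-programs list (the registry Uninstall keys behind Programs and Features) from both domain-joined and workgroup machines and compiles one CSV. It assumes PowerShell remoting (WinRM) is reachable on the targets, that the RSAT ActiveDirectory module is present where the script runs, and that workgroup hosts are trusted for remoting (TrustedHosts or WinRM over HTTPS); the host names and the output path are placeholders.

```powershell
# Added example (not from the original article): inventory installed software
# on domain and non-domain Windows machines by reading the Uninstall registry keys.
# Placeholders: $WorkgroupHosts names, output path. Assumes WinRM is reachable.

$ScriptBlock = {
    # 64-bit view, 32-bit-on-64-bit view, and per-user installs.
    # Caveat: over remoting, HKCU is the hive of the account running the
    # command, not of the user logged on at the console.
    $Paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $Paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            [PSCustomObject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $_.Publisher
                InstallDate    = $_.InstallDate
                Scope          = if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' }
            }
        }
}

# Domain-joined machines: take the target list straight from Active Directory.
$DomainHosts = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows 10*"' |
    Select-Object -ExpandProperty Name

# Unmanaged / remote-worker machines: an explicit list plus a local admin credential.
$WorkgroupHosts = @('LAPTOP-HOME01', 'LAPTOP-HOME02')   # placeholders
$LocalCred      = Get-Credential -Message 'Local administrator on unmanaged hosts'

$Inventory  = @()
$Inventory += Invoke-Command -ComputerName $DomainHosts -ScriptBlock $ScriptBlock -ErrorAction Continue
$Inventory += Invoke-Command -ComputerName $WorkgroupHosts -Credential $LocalCred `
                             -ScriptBlock $ScriptBlock -ErrorAction Continue

# Strip remoting metadata (PSComputerName, RunspaceId) and write the report.
$Inventory |
    Select-Object ComputerName, DisplayName, DisplayVersion, Publisher, InstallDate, Scope |
    Sort-Object ComputerName, DisplayName |
    Export-Csv -Path .\SoftwareInventory.csv -NoTypeInformation

# Triage helper: every copy of a given product across the fleet, oldest version first.
# Versions are compared numerically so that 9.20 sorts before 19.00.
$Inventory | Where-Object DisplayName -like '7-Zip*' |
    Sort-Object { try { [version]($_.DisplayVersion -replace '[^\d.]') } catch { [version]'0.0' } } |
    Format-Table ComputerName, DisplayName, DisplayVersion -AutoSize
```

Hosts that are offline simply produce a remoting error and are missing from the CSV, so diff the report against the AD computer list to find machines that were never reached; those unreached, unmanaged machines are exactly the ones most likely to be behind on updates.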

I tend to forget lesser-known software such as 7-Zip that has been installed, forgotten, and is now no longer up to date. However, assign a realistic threat level to any unpatched-software situation. Are there active attacks using vulnerabilities in the software? The security recommendations dashboard in Microsoft Defender Security Center (exposed with an E5 license) suggests that the most pressing thing I should be doing is updating 7-Zip, as it carries the highest impact rating. Yet when I dig into the details, it states that no exploit is available.

Set attack surface reduction rules

Look for tools that recommend what security settings to deploy. Office software has long been an entry point for ransomware, and you should enable attack surface reduction (ASR) rules to better protect systems. Rather than rush to patch 7-Zip, I should test, deploy, and enforce ASR rules first. The Microsoft Defender for Endpoint console suggested I use these five ASR rules:

  • Block all Office applications from creating child processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Block untrusted and unsigned processes that run from a USB
  • Block persistence through WMI event subscription

Every firm should test and deploy the first ASR rule in this listing, “Block all Office applications from creating child processes.” Microsoft often gives the impression that ASR rules require an Enterprise license, but anyone with a Windows 10 Professional license can configure these settings through Group Policy, Intune, or PowerShell. If you don’t have Windows 10 Enterprise, you merely lose out on some of the reporting features.
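As an added example (not from the original article), the script below rolls out the five rules listed above with the Defender Antivirus cmdlets, following the test-then-enforce order the text recommends: audit mode first, a review of what the audit recorded, then blocking for the Office child-process rule while the others stay in audit until the findings are clean. The GUIDs are Microsoft's published identifiers for these rules; the cmdlets ship with Defender Antivirus on Windows 10 Pro as well as Enterprise, so no Defender for Endpoint license is needed to enforce them, only to see the central reporting. The event-data field names in step 2 are as rendered in the event XML on the machines I am assuming here; confirm them against one of your own 1122 events.

```powershell
# Added example (not from the original article): audit, review, then enforce the
# five recommended ASR rules on a single machine. Run elevated. Wrap in
# Invoke-Command to push to a fleet.

$AsrRules = [ordered]@{
    'Block all Office applications from creating child processes'                       = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block JavaScript or VBScript from launching downloaded executable content'          = 'd3e037e1-3eb8-44c8-a917-57927947596d'
    'Block executable files unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block untrusted and unsigned processes that run from USB'                           = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    'Block persistence through WMI event subscription'                                   = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

# Step 1: audit mode for all five. Nothing is blocked; Defender records what
# *would* have been blocked so legitimate business processes can be found first.
foreach ($Id in $AsrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2 (after a week or two): review ASR events from the Defender operational
# log. Event 1122 = rule would have fired (audit); 1121 = rule blocked.
$AsrEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

$AsrEvents | ForEach-Object {
    $Xml  = [xml]$_.ToXml()
    $Data = @{}
    $Xml.Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        Rule    = ($AsrRules.GetEnumerator() | Where-Object Value -eq $Data['ID']).Name
        Process = $Data['Process Name']   # the process that tripped the rule
        Target  = $Data['Path']           # what it tried to launch or touch
    }
} | Sort-Object Rule, Process | Format-Table -AutoSize

# Step 3: enforce. Set-MpPreference replaces the whole rule list, so pass every
# ID together with a parallel array of actions: the Office child-process rule
# moves to Enabled (block); the rest stay in AuditMode until their audit output
# is clean. A known-good process that trips a rule can be excluded with
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path> rather than by
# disabling the rule.
$Ids     = @($AsrRules.Values)
$Actions = $Ids | ForEach-Object {
    if ($_ -eq $AsrRules['Block all Office applications from creating child processes']) { 'Enabled' }
    else { 'AuditMode' }
}
Set-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $Actions

# Verify. Get-MpPreference reports actions numerically:
# 0 = Disabled, 1 = Enabled (block), 2 = AuditMode, 6 = Warn.
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $Pref.AttackSurfaceReductionRules_Ids[$i], $Pref.AttackSurfaceReductionRules_Actions[$i]
}
```

The same rule GUIDs are what you enter under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack Surface Reduction if you prefer Group Policy on Pro machines; the local event log review in step 2 is the substitute for the fleet-wide reporting that the Enterprise/E5 console adds.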

Microsoft Defender Security Center’s threat insights show the risk behind each recommendation. Even a fully patched Office brings risk to your network: attackers have used Office many times to deliver ransomware. Attacks that have abused Office child processes include Qakbot, which provided access to ransomware affiliates; CVE-2021-40444, the MSHTML remote code execution vulnerability; GravityRAT; CHIMBORAZO; ZLoader; IcedID; the Sysrv botnet; and BISMUTH, a group that mined for intelligence and for coins, among others.

Attackers have also recently used Excel 4.0 (XLM) macros. You would think we would no longer have a need for Excel 4.0 macros, but some firms still rely on these older macros to perform basic business functions. Often combined with phishing lures, Excel macros are used to gain a foothold on a workstation and from there to launch larger attacks into the network. Once inside, attackers can dump LSASS memory to harvest credentials from the workstation and gain more rights across the network.

For those of us in security, every month is Cybersecurity Awareness Month. Take this month of October to reflect on your network, both the on-premises devices and those you don’t have a direct connection to. Review your options to ensure that you know, and therefore can control, all your technology assets.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
