Cyber risk affects businesses all over the world, so it is no surprise that countries have developed their own mitigation strategies to help combat it. Many of these strategies are not specific to one jurisdiction, and businesses can apply them to improve their overall cyber security posture regardless of where they operate.
A good example is the Essential Eight, created by the Australian Signals Directorate (ASD), the signals intelligence and cyber security agency within the Australian Department of Defence. Designed to prevent malware from being delivered and executed, to limit the extent of security incidents and to support data recovery, the Essential Eight is a short list of best-practice mitigations that businesses can use to harden their systems against online attacks.
The Essential Eight recommends the following actions to prevent malware from being delivered and executed:
- Application whitelisting: Maintaining a list of approved applications that are authorised to run on a system, so that any executable, script or installer not on the list is blocked from running.
- Patching applications: Applying security updates and patches to applications promptly closes known vulnerabilities before attackers can exploit them, boosting overall cyber defences.
- Disabling untrusted Microsoft Office macros: Blocking macros from untrusted sources (such as documents received from the internet) prevents attackers from using them to download and run malware, a growing threat.
- Application hardening: Uninstalling, or at least blocking access to, Adobe Flash Player, and blocking untrusted Java code and advertisements in web browsers, removes common routes by which malicious content is delivered to users.
And the following to limit the impact of a breach and aid data recovery:
- Backing up data on a daily basis: Regular backups, retained and tested, ensure that important information can be restored quickly and reliably in a worst-case scenario such as a ransomware infection.
- Patching operating systems: Unpatched operating systems expose known vulnerabilities that attackers use to gain a foothold or escalate their privileges.
- Restricting administrative privileges: Users should be granted access only to the data and applications that their role requires, and only those who perform tasks such as system management or software installation should hold administrative privileges.
- Multi-factor authentication: Access to data or systems is granted only after the user presents more than one form of identification, for example a password together with a one-time code or a fingerprint scan or other biometric.
Used together, these controls help businesses prevent and mitigate the potential impact of cyber attacks. Importantly, ASD revises the guidelines as the threat landscape changes, so that they remain applicable both now and in the future.
Although each of these measures plays an important role in helping organisations identify vulnerable assets and set appropriate defences for their networks and applications, two steps of the Essential Eight stand out from the rest: whitelisting applications and restricting administrative privileges.
By creating a list of applications that are pre-authorised to run on devices within a system, organisations reduce the risk of malware infecting a device, since any program that is not on the list is blocked from executing.
Application whitelisting is particularly useful when deployed for the users most likely to be targeted by a cyber attack, such as senior management, system administrators and those who have access to more sensitive data, often staff in HR or finance departments.
Enforcing application whitelisting across a company can seem like a daunting task, but for high-risk users the benefits far outweigh the time and effort required.
To implement application whitelisting, businesses should:
- Pinpoint the applications that are necessary for everyday operations and authorise these for use across all systems.
- Implement an enforcement mechanism and rule set so that only applications on the pre-approved list can be executed.
- Maintain and update the rule set regularly through a change management programme, since every new or updated application must be added before users need it.
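The three steps above, worked through on Windows with the built-in AppLocker cmdlets, as an added example that is not part of the original article and not Avecto's product: it inventories the approved executables on a clean reference build, generates allow rules, applies them in audit mode first and reads back what would have been blocked. It assumes an elevated session on a Windows edition that ships the AppLocker module, that the reference machine currently holds only approved software, and that the directory and policy file paths are illustrative.

```powershell
# Added example, not from the original article. Assumes an elevated session on
# Windows 10/11 Enterprise or Windows Server with the AppLocker module, and a
# reference machine that holds only approved software. Paths are illustrative.

# Step 1: inventory the approved applications. The OS directories are normally
# covered by separate path rules (the AppLocker console's default rules), so
# only the installed-application directories are hashed here.
$approved = @(
    Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
    Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe
)

# Step 2: generate allow rules. Publisher rules for signed binaries survive
# patching; unsigned files fall back to hash rules that must be regenerated
# whenever the file changes, which is what the change-management step handles.
New-AppLockerPolicy -FileInformation $approved `
    -RuleType Publisher, Hash `
    -User Everyone `
    -RuleNamePrefix 'Approved' `
    -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath 'C:\Policies\AppLocker-Exe.xml' -Encoding UTF8

# Step 3: start in audit mode so that gaps in the inventory surface as log
# entries rather than as blocked users. Change to 'Enabled' after review.
[xml]$policy = Get-Content -Path 'C:\Policies\AppLocker-Exe.xml' -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save('C:\Policies\AppLocker-Exe.xml')

# Step 4: dry-run the policy against a file before applying it. A PolicyDecision
# of Denied or DeniedByDefault means the allowlist would stop it from running.
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Exe.xml' `
    -Path 'C:\Users\Public\Downloads\unknown.exe' -User Everyone

# Step 5: apply locally (add -Ldap to target a Group Policy object in a domain)
# and make sure the Application Identity service, which evaluates the rules, runs.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Exe.xml'
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# Step 6: review the audit log. Event 8003 is "would have been blocked" in
# audit mode; 8004 is an actual block once enforcement is enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object -First 20 TimeCreated, Id, Message
```

Leave the policy in audit mode for at least one full business cycle (month-end reporting, patch Tuesday) so that rarely used but legitimate applications show up as 8003 events and can be added before enforcement is switched on. Executables are only one rule collection; scripts, installers and DLLs have their own collections and need the same treatment.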
Application whitelisting should not replace the antivirus or other security software already in use within an organisation. It complements that software: antivirus looks for known bad programs, while whitelisting blocks everything that has not been explicitly approved, which reduces the attack surface and catches malware that signatures miss.
Restricting administrative privileges
In addition to whitelisting, organisations can better secure their networks by restricting admin privileges solely to those who need the ability to change parts of a network or computer system.
Company-wide admin privileges may be seen as a way of increasing user flexibility, since each individual can adapt their device to suit their own needs, adding applications and changing settings as they please.
But any malware that runs under an administrative account inherits that account's rights: it can disable security software, install persistent components and harvest credentials. Compromising just one such device therefore gives an attacker an easy path to the rest of the network.
Removing this privilege from users who do not need it eliminates that path. It also creates a more stable environment in which problems are easier to identify and fix, since only a limited number of users can circumvent security settings and make changes to the system.
Restricting admin privileges can be done by:
- Identifying which tasks require admin privileges.
- Authorising only those users for whom admin privileges are necessary.
- Creating separate, dedicated admin accounts for those users, whilst ensuring that each account carries only the privileges its role requires.
- Regularly reviewing which accounts hold admin privileges, and removing users and privileges that are no longer needed.
To further improve the effectiveness of removing admin privileges, the dedicated admin accounts should be prevented from running programs that expose them to attack, such as web browsers and email clients. Those everyday tasks should always be done from the user's separate standard account, so that a phishing email or malicious web page opened during normal work never executes with administrative rights.
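The review step above, worked through for the local Administrators group on a Windows workstation, as an added example that is not part of the original article and not Avecto's product: it compares the current membership against an approved list, flags approved members that do not follow the naming convention for dedicated admin accounts, and removes unapproved members in a dry run first. The approved group names, the `-adm` suffix convention and the account names are assumptions for illustration; in a domain the same review is applied to the domain group that grants local admin rights.

```powershell
# Added example, not from the original article. Assumes an elevated session on
# Windows 10/11 or Server 2016+ (LocalAccounts module). The group names and the
# '-adm' naming convention below are illustrative assumptions.

# Principals that are allowed to hold local admin rights on workstations.
$approvedAdmins = @(
    'CORP\Workstation-Admins',   # hypothetical group of dedicated admin accounts
    'CORP\Domain Admins'         # hypothetical
)

# Members of the local Administrators group that are not on the approved list.
# The built-in Administrator (RID 500) is skipped because it cannot be removed
# from the group; it should be disabled or renamed by policy instead.
function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.Name -notin $Approved -and
            $_.SID.Value -notmatch '-500$'
        }
}

# Approved members that look like daily-use accounts rather than dedicated admin
# accounts. Assumed convention: dedicated admin accounts end in '-adm'.
function Get-AdminsWithoutSeparateAccount {
    param([string[]]$Approved)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $_.ObjectClass -eq 'User' -and
            $_.Name -in $Approved -and
            $_.Name -notmatch '-adm$'
        }
}

$unapproved = Get-UnapprovedLocalAdmins -Approved $approvedAdmins
$sharedUse  = Get-AdminsWithoutSeparateAccount -Approved $approvedAdmins

foreach ($m in $unapproved) {
    "[$env:COMPUTERNAME] unapproved admin: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
}
foreach ($m in $sharedUse) {
    "[$env:COMPUTERNAME] admin account without a separate daily-use account: $($m.Name)"
}

# Remove unapproved members. -WhatIf reports what would happen; drop it once the
# report has been reviewed and the change has been approved.
foreach ($m in $unapproved) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $m -WhatIf
}
```

Run this from a scheduled task or an endpoint management tool and collect the output centrally, so the review happens on a fixed cadence rather than when someone remembers. Anyone the script removes should be asked which task required the rights; if the task is genuine, it belongs in the list of admin-requiring tasks from the first step, with a dedicated admin account issued for it.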
By following the guidance laid out in Australia's Essential Eight, and by focusing first on application whitelisting and the restriction of admin rights, organisations anywhere in the world can better mitigate both the likelihood and the impact of cyber attacks.
About the author: Kevin Alexandra is principal technical consultant in Avecto’s Boston office, where he acts as senior escalation engineer for all Avecto Defendpoint deals in North America. Kevin is also a technical account manager providing dedicated one-to-one support to a multi-national consumer goods corporation operating Avecto’s solution.
Source: infosec island