Reducing your Risks

As I’m sure you’re all aware, there was another vulnerability advertised to the general public over the Christmas new year period, and if you’ve been following the details, the patches to fix this specific vulnerability have been recalled. The advice from Intel and other vendors currently is, “don’t deploy the patch as it can cause system instability and in some circumstances cause data loss or corruption”. Good stuff!

Update: Intel releases Spectre fix for Skylake CPUs only

Protecting against vulnerabilities like this and many other security threats is a multi-layered approach, if you’ve got these layers of protection in place, then the risk of your computers being impacted by any of these vulnerabilities is greatly reduced.

Removing Admin rights
First and foremost, to protect your network and computers, you should be granting user’s with sufficient rights to do their job, nothing more. In our opinion, users very rarely need Administrative rights over a computer. Users in an Enterprise environment shouldn’t be installing software as they please, not only does this prevent system changes from being made, intentionally or otherwise, it also allows the IT department to maintain control of your software licensing.

One issue we tend to face when suggesting or implementing the removal of Admin rights, tend to be those joyful applications that sing out in protest. Most of these well written applications may simply require write access to the local machine registry hive, or write access to the application install location. You can use tools such as ‘Process Monitor’, system instability can in some circumstances cause data loss or corruption troubleshoot these applications and then granting the users write access to the require locations. This is far more secure than granting blanket Admin rights of the entire computer, or computer fleet!

Application Whitelisting
Not all vulnerabilities or malicious code require administrative access, a user accidentally running a crypto locker application will cause more than enough headaches when all the network shares they have access to become encrypted. This is where Application whitelisting comes in. Using Group Policies AppLocker we can ensure that only authorised applications (e.g. programs, software libraries, scripts and installers) can be executed. The default rules you can create with AppLocker, allow applications installed in the ‘Program Files’ and Windows directories to run without hindrance. You can then extend these rules to allow additional applications to run as needed for your environment, and as you’ve removed Admin rights from your users, they wont have write access to these locations.

Blocking Attachments
By far the most common distribution of malware I’ve experienced has been via E-mail attachments. I’m sure, like me, you’ve lost count of the number of times you’ve told friends, family, users, don’t open emails or attachments you don’t know, but let’s face it, that’s a losing battle, especially when one of these people get infected, and then start sending out emails unknowing to their address list containing a malicious payload. Most malware I’ve seen attached to emails has been either
an executable or script directly attached to an email, or in a zip file attachment, there are very few reasons a standard user would be sending these types of attachments via email, I’d even argue that IT users should also be using alternative methods for transferring these files. It may simply be a case of changing the script file extension to txt, which then at least requires the users interaction before it will run. In the enterprise environment, I strongly suggest setting up rules in your email system to block or quarantine any email with an executable attachment (including scripts) or any zip file attachments that include executable files.

If you’d like any assistance or guidance in implementing any of these measures in your environment, feel free to contact us, we’d be happy to help.

Meltdown and Spectre patches available

Hi all,

For many of you that switched off over the xmas break (like me), you may have missed that there are now patches (released Jan 3rd 2018) for the creatviely (almost bond movie like) named vulnerabilities of “meltdown” and “spectre”.

You can find more detail on these Vulnerabilities  here – https://meltdownattack.com/

Advice for Microsoft client OS’s is here – https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in . The page still indicates to “contact your vendor” for microcode updates – which isnt going to overly helpful for standard end-users.

Advice for Microsoft server OS’s is here – https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution. There is additional work required over and above the patch for Remote Desktop and Hyper-V servers. Additionally, Windows server 2008 and 2012 are not yet patched, only Server 2008 R2/2012 R2/2016/1709 – read into that what you will.

The register has a good article (as they do most of time) cutting through the intel PR bullshit. Importantly, there has been various reports of performance impacts after installing these patches – but it is still too early to tell exactly how large/important those perfomrance impacts are.

There are links to many vendor advisories (which in turn have links to updates) @ https://meltdownattack.com/ – which is quite useful.

The patches and additional mitigations are fairly easy to implement if you have patching/management infrastructure in place – but if your company needs any assistance, we’re happy to help too.

Preparing to update for Intel® Management Engine Critical Firmware Update (Intel SA-00086)

Intel released a security advisory yesterday (22/11/2017) advising of vulnerabilities with their management engine firmware – which can he found here

The reason why this is concerning for corporate customers is that basically every PC, Server and laptop that you have, most likely will be exposed, as the vast majority of corporate level hardware contains this hardware.

Intel has provided a detection tool available at https://downloadcenter.intel.com/download/27150. Contained within is a couple of applications, the GUI version will probably be handy for those orgs with only a handful of makes and models – where-as the command line tool will be more useful for larger organisations to run and centralise results via tools such as SCCM.

 

The original page contains links for various vendors update, the downside is that there doesnt seem to be many patches as yet, as per this page (at the time of writing, all Dell entries are marked as “TBD”, where-as Lenovo lists a target date of 24/11/2017)

 

So, what can you do while waiting for the patches to be released?

  • Test your systems using the provided tool to see if they are vulnerable. Testing at least one of each make/model will give you a good idea what you will need to target
  • Setup SCCM collections ready to go, which would entail
    • A collection for each make and model (I imagine many places would have this already)
    • A series of collections which each include one/make model and the criteria “AMT Agent – Flash is NOT equal to <insert version number of patched FW – once released>” – This will enable you quickly identify machines which need to be targeted with the update
    • (Please note the above is an assumption, some vendors may patch this via a BIOS update, in which case, the BIOS version may be the identifier instead)

 

Please post a comment if there are any questions – and ill update thios post once the patches are released – if there are any gotcha’s we run into.