COVID-19: Is it Business as Usual for Cyber Security?

March 25, 2020

Don’t Lose Sight of the Real Threats or Focus Only on Phishing Scams

Heightened security awareness is crucial as we all transition to remote modes of working. However, security teams must remain cognisant that it’s business as usual for hackers, so it’s business as usual for us too. While it’s easy to become distracted during a time when our health, safety and economic stability are at risk, not all hackers and cybercriminals are focusing on coronavirus phishing scams.

On Monday, 23 March 2020, Microsoft published details of two new vulnerabilities discovered in the Adobe Type Manager Library, a particularly dangerous pair of bugs for Windows 7 users. Both are remote code execution vulnerabilities, and there are several ways attackers can exploit them, such as convincing a user to open a specially crafted document delivered via spearphishing or to view it in the Windows Preview pane.

Making matters worse, there is currently no patch. Microsoft says Windows 10 users are protected, but if you are not running Windows 10 then you’ll need to follow one of these action plans:

  1. Disable the Preview and Details Panes in Windows Explorer
  2. Disable the WebClient service
  3. Rename ATMFD.DLL or disable the file from the registry
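
As an added example (not part of the original post or of Microsoft's advisory), the following PowerShell audit reports whether workarounds 2 and 3 are in place on the local machine. It assumes ATMFD.DLL sits in its default location under %windir%\System32 (and SysWOW64 on 64-bit Windows); the function names are illustrative, and the Preview/Details pane and registry options are not checked.

```powershell
# Added example: audit two of the interim workarounds listed above.
# Written for the PowerShell 2.0 that ships with Windows 7.
# Run from a 64-bit PowerShell session on 64-bit Windows so that
# System32 is not silently redirected to SysWOW64.

function Test-WebClientDisabled {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if (-not $svc) {
        return New-Object PSObject -Property @{
            Check     = 'WebClient service'
            Mitigated = $true
            Detail    = 'service not installed'
        }
    }
    # Disabled but still running means the workaround only takes
    # effect after the service is stopped or the host is rebooted.
    $ok = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
    New-Object PSObject -Property @{
        Check     = 'WebClient service'
        Mitigated = $ok
        Detail    = "StartMode=$($svc.StartMode), State=$($svc.State)"
    }
}

function Test-AtmfdRenamed {
    # Assumption: default install locations of the library.
    $paths = @('System32', 'SysWOW64') |
        ForEach-Object { Join-Path (Join-Path $env:windir $_) 'atmfd.dll' }
    $present = @($paths | Where-Object { Test-Path -LiteralPath $_ })
    if ($present.Count -eq 0) {
        $detail = 'atmfd.dll not found under its original name'
    } else {
        $detail = 'still present: ' + ($present -join ', ')
    }
    New-Object PSObject -Property @{
        Check     = 'ATMFD.DLL renamed'
        Mitigated = ($present.Count -eq 0)
        Detail    = $detail
    }
}

@(Test-WebClientDisabled; Test-AtmfdRenamed) |
    Select-Object Check, Mitigated, Detail |
    Format-Table -AutoSize
```

Only one of the listed action plans is required, so a host passes if either row reports Mitigated as True.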

 

What this shows is that while the world is distracted by the coronavirus emergency, the activities of cyber security teams must continue regardless. Patching is and always will be a top priority, since many of the attacks delivered through phishing campaigns need to exploit an operating system vulnerability or application weakness to be effective. In most cases, except for a few like this recent Microsoft zero day, vendors will already have patches available and they should remain a key priority for IT teams to deploy and manage.

A vulnerability risk assessment is crucial in your patching process, since the context of your organisation – the systems, applications, controls and enterprise architecture – dictates how you prioritise patching over other activities. For example, if you have a couple of machines on an extranet running Windows 7, where the Adobe Type Manager Library vulnerabilities may be exploited, you might focus on protecting your core network, patching these systems when the next standard patch cycle comes around. On the other hand, if your fleet of frontline medical staff use Windows 7 laptops, then this should be today’s top priority. Risk assessments help security teams make better decisions, and while there is no hard and fast rule as to how you scale threats, likelihoods and impacts (it’s different for each organisation) common sense will quickly tell you what’s important.

Protective monitoring, vulnerability management, and endpoint detection and incident response continue as key priorities that should remain front of mind for cyber security teams.


Protective Monitoring

Your security operations team should continue scrutinising your systems, networks and applications for access violations, behavioural anomalies and indicators of compromise. Fast detection, incident triage and notification to the appropriate incident management teams are essential to ensure attacks are quickly shut down before they cause harm.


Vulnerability Management

Scouring your enterprise for vulnerabilities and configuration weaknesses is a critical aspect of managing your security posture, and with risk-based vulnerability scoring you can quickly make decisions as to what to fix immediately as opposed to what can wait for normal maintenance windows. Vulnerability management, as opposed to individual vulnerability assessments, is the process of managing the detection and response to findings across the entire enterprise. It’s an ongoing process, designed to flag new vulnerabilities across your fleet as they are detected, so any system you select should update its database of known issues in real time, and detections should be as near real time as possible.


Endpoint Detection and Incident Response

Endpoints are where most attacks gain a foothold in your business, which is why endpoint detection and response (EDR) platforms are usurping traditional antivirus platforms as the endpoint control of choice. EDR combines antimalware, fileless attack prevention, behavioural anomaly detection and process whitelisting, with log collection and analysis to offer situational awareness across the entire enterprise endpoint fleet.

For further advice or guidance on any of these matters, please contact Kinetic IT’s expert PROTECT+ team.


More reading

https://arstechnica.com/information-technology/2020/03/attackers-exploit-windows-zeroday-that-can-execute-malicious-code/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006

https://www.itnews.com.au/news/new-remote-code-execution-windows-zero-days-actively-exploited-539730

 
