Protecting Against Phishing

A recent survey by Blue Coat Systems highlighted the continued threat of poor user IT security behavior. One of the interesting results related to phishing found that 17 percent of US employees open unsolicited emails despite 80 percent viewing such behavior as a serious risk. In today’s mature phishing and spear phishing environment, businesses should refresh their protection measures against such behavior.

Phishing and Spear Phishing Revisited

As a quick refresher, phishing is the mass sending of unsolicited emails carrying malicious URLs or attachments that can compromise a computer with malicious software.

Spear phishing goes one step further and creates messages that appear to come from a trusted or known source such as your bank, an ecommerce website, or a personal connection. If 17 percent of US employees open unsolicited emails, it is fair to assume that the rate would be significantly higher for a spear phishing attack, where the sender is assumed to be trusted.

Steps to Protect

Here are a few steps to add or review in the battle against phishing.

  1. Keep applications patched
  2. Remove administrator privileges
  3. Containerization
  4. SPAM filters
  5. Anti-malware
  6. User education

Application Patching

Much has been said about patching operating systems, but most phishing attacks will exploit a browser or application. In the case of a browser, a URL can be shortened, lengthened, or use a domain name that is slightly off, leading to a link that exploits a browser vulnerability. Keeping browsers up to date with patch management software (shameless plug) is critical to success. Even in a highly managed environment, end users can still install alternative browsers, so inventory and patch everything.
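The link tricks described above (a slightly-off domain, a shortened URL, link text that names one site while the href points to another, a bare IP address as the host) can be checked mechanically before a message reaches a user. The following is an added example, not code from the original post or from any product it mentions. The allowlist of trusted brands, the shortener list and the sample message are all constructed for illustration, and the registrable-domain logic deliberately ignores multi-label public suffixes such as co.uk.

```python
"""Flag suspicious links in an HTML email: lookalike domains, shortened
links, text/href mismatches and IP-literal hosts. Added example; the
allowlist, shortener list and sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of brands this organisation's users legitimately visit.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}
# Common URL shorteners; a shortener hides the real destination from the user.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Digit substitutions commonly used to build lookalike hostnames (paypa1.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# A bare domain or URL appearing inside link text, e.g. "https://www.paypal.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_link(text: str, href: str) -> dict:
    """Return the findings for one anchor (visible text plus href)."""
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)
    findings = []
    is_ip = bool(IPV4.match(host))
    if is_ip:
        findings.append("ip-literal")
    if domain in SHORTENERS:
        findings.append("shortener")
    if not is_ip and domain not in TRUSTED_DOMAINS:
        normalized = domain.translate(HOMOGLYPHS)
        for trusted in sorted(TRUSTED_DOMAINS):
            if normalized == trusted or levenshtein(domain, trusted) <= 2:
                findings.append(f"lookalike:{trusted}")
                break
    m = DOMAIN_IN_TEXT.search(text)
    if m and registrable_domain(m.group(1)) != domain:
        findings.append(f"text-mismatch:{m.group(1).lower()}")
    return {"href": href, "host": host, "findings": findings}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_email(html: str) -> list:
    """Analyse every link in an HTML message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [analyze_link(text, href) for text, href in parser.links]


# Constructed sample message exercising each check once.
SAMPLE_EMAIL = """<p>Your account has been limited.
<a href="http://paypa1.com/login">Verify at https://www.paypal.com</a><br>
<a href="http://bit.ly/2x9abc">View your statement</a><br>
<a href="https://www.microsoft.com/security">Security centre</a><br>
<a href="http://192.0.2.10/update.exe">Update now</a></p>"""

if __name__ == "__main__":
    for result in analyze_email(SAMPLE_EMAIL):
        print(result["host"], result["findings"] or "ok")
```

In a mail gateway the same checks would run on every message; hits on `lookalike` or `text-mismatch` are strong enough to quarantine, while `shortener` alone is better treated as a score contribution, since legitimate senders use shorteners too.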

As to other applications, the exploit can be a malicious PDF, Office document, or something similar. Phishers are going after big targets, so keep all your software patched as well as your operating systems.

Remove Administrator Privileges

Less common in the US than in Europe and Asia is the removal of administrator rights. Many users want to run with an administrator account so they can install their own software and modify operating system settings. Where users have administrator accounts, privilege management software (such as Arellia Application Control Solution) can reduce the privileges of targeted software such as browsers, PDF readers, and email clients. By reducing the privileges of applications, exploits are limited in their impact (a browser crash rather than an installed malicious program).

Containerization

Containerization is a newer technology similar to operating system virtualization, except applied to individual applications. With containerization software (such as BUFFERZONE), an application cannot access other applications' data or certain areas of the operating system. Should a browser be compromised, the attacker's access is limited to that container. This has been the model for mobile operating systems such as iOS and Android, and it has proved fairly successful.

SPAM Filters

There isn’t much to be said here other than you need to prevent bad behavior by never giving users the choice. While not perfect, a good SPAM filter can reduce the number of decisions users need to make, not to mention reduce the number of emails one needs to review and delete daily.

Anti-malware

Although frequently maligned these days, it is still important to use anti-malware software to protect against malicious exploits. It may not catch the zero-day vulnerability attacks or advanced threats, but not everything will be that sophisticated.

User Education

Sometimes it feels hopeless after a study like this, but user education should still be provided to reduce risk. Not every user will learn, but you can assume some users will apply better behaviors and not click on that enticing email that leads to a path of doom and dismay.

Summary

These are a few recommendations, but not a comprehensive list. Apply these steps to reduce the risk of phishing in your environment.

Why you should #fearthetoaster!

Back to work after a long holiday weekend! I thought I would start the week off with a recap of LANDESK Interchange 2015. The show was great! The very first keynote showed off some of the new workspaces which bring together LANDESK Systems Management and Service Desk features for the user that will make life easier. The ability to use your phone to take an image of on-screen errors and have a solution presented to you, without having to contact IT directly, was pretty cool. The new security workspace was also very interesting to see, but the highlight of the keynotes for me was on day two and three.

The keynote on day two focused on security. Rob Juncker, Tom Davis, and Steve Morton talked about how more devices are being connected to the internet every day. The Internet of Things is bringing us more innovative life experiences than ever, but with this more connected world we have larger concerns. Self-driving cars, internet-connected toasters, voice-activated TVs (which vendors admit are spying on you), and much more are getting connected every day. Rob then scared everyone by talking about that internet-connected toaster and how it might be attacked to burn down a house. Scary realization.

The final day of the event, we had a guest keynote speaker, Marc Goodman, author of Future Crimes. Marc hit on all the topics from the keynote the day before and really opened some eyes. Marc talked about the exponential growth of technology and the proliferation of internet-connected devices. And while really cool things may come of these trends, ultimately, it is leading us to a world where crime knows no borders, no boundaries, and becomes less and less personal. A good example of this is the hacking ring which reportedly has stolen up to $1 billion from banks globally. These are not street thugs walking into banks with masks on, but cybercriminals with the skills to target more than 100 banks in 30 countries.

Marc talked about the risks the future brings if we are not diligent about security. Risks like exploiting vulnerabilities in a car and he even went as far as to share this photo in reference to the previous day’s keynote conversations around toasters #fearthetoaster.

While no toaster exploits have occurred yet, the message was clear. In a future where more of our world will be connected, more of that world will be exposed to risks. Marc’s message was about awareness. We can do great things if we work together. If companies do their part in securing the customer and personal data they collect, and if the new innovators creating the next connected device do so with security in mind, we can mitigate these risks.

Check out Marc’s Update Protocol on his website and his book Future Crimes.  There are some tips here that will help you protect yourself and your company.

May Patch Tuesday Round-Up

There were a lot of updates released this month.  A lot of the updates from Microsoft overlap each other.  There is even a case of one patch replacing another within the 13 patches released this month.  Here are some things to know as you continue through your patch process:

Several patches may apply multiple times to the same system.  MS15-044 applies to multiple products including the OS, .Net, Office, Lync, and Silverlight.  MS15-047 for Microsoft Silverlight is another update that overlaps the files being updated.  MS15-048 for .Net also overlaps many of the other updates and could show missing multiple times on the same system.

MS15-052 is replaced by MS15-055.  On Windows 8 and Server 2012 you need to install 052 before 055.  With Shavlik Protect you would just see MS15-055 in this case as it replaces MS15-052.
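The two situations above (a bulletin that shows missing once per installed product, and a bulletin that replaces an older one yet must be installed after it on some platforms) are easy to get wrong in a hand-built deployment list. The following is an added example, not Shavlik's, LANDESK's or Microsoft's code: a small resolver over a catalog constructed from the relationships this post describes. It assumes the scanner reports the complete set of missing bulletins, and the `requires` platform sets are taken from the Windows 8 / Server 2012 rule stated above.

```python
"""Resolve a deployment order for bulletins with supersedence and
per-platform prerequisites. Added example; the catalog is constructed
from the relationships described in the post, not from a real scan."""
from collections import defaultdict, deque

# Constructed catalog. "products": what the bulletin covers (it shows missing
# once per installed product). "replaces": older bulletins whose fix it now
# contains. "requires": older bulletins that must be installed first, and on
# which platforms (the Windows 8 / Server 2012 rule for MS15-052 and MS15-055).
CATALOG = {
    "MS15-043": {"products": {"Internet Explorer"}, "replaces": set(), "requires": {}},
    "MS15-044": {"products": {"Windows", ".NET", "Office", "Lync", "Silverlight"},
                 "replaces": set(), "requires": {}},
    "MS15-052": {"products": {"Windows"}, "replaces": set(), "requires": {}},
    "MS15-055": {"products": {"Windows"}, "replaces": {"MS15-052"},
                 "requires": {"MS15-052": {"Windows 8", "Windows Server 2012"}}},
}


def instances(bulletin, host_products, catalog=CATALOG):
    """One scan result per product the bulletin patches on this host."""
    return [f"{bulletin} ({p})"
            for p in sorted(catalog[bulletin]["products"] & host_products)]


def plan_deployment(missing, os_name, catalog=CATALOG):
    """Return the bulletins to deploy on this host, prerequisites first.

    `missing` is the full set the scanner reports as absent. A bulletin that
    another missing bulletin replaces is dropped, unless this platform requires
    it to be installed first, in which case it is kept and ordered ahead.
    """
    needed = set(missing)
    for new in missing:
        for old in catalog[new]["replaces"]:
            if old in needed and os_name not in catalog[new]["requires"].get(old, set()):
                needed.discard(old)

    # Prerequisite edges that apply on this platform, then Kahn's algorithm
    # so every prerequisite precedes the bulletin that needs it.
    successors, indegree = defaultdict(list), {b: 0 for b in needed}
    for new in needed:
        for old, platforms in catalog[new]["requires"].items():
            if old in needed and os_name in platforms:
                successors[old].append(new)
                indegree[new] += 1
    queue = deque(sorted(b for b in needed if indegree[b] == 0))
    order = []
    while queue:
        b = queue.popleft()
        order.append(b)
        for nxt in sorted(successors[b]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(needed):
        raise ValueError("cyclic prerequisite chain in catalog")
    return order


if __name__ == "__main__":
    host_products = {"Windows", "Office", "Silverlight"}
    print(instances("MS15-044", host_products))
    scan = {"MS15-043", "MS15-052", "MS15-055"}
    for os_name in ("Windows 8", "Windows 7"):
        print(os_name, plan_deployment(scan, os_name))
```

On Windows 8 the plan keeps MS15-052 and places it before MS15-055; on Windows 7 the superseded bulletin is dropped and only MS15-055 is deployed, which matches what the post says a supersedence-aware scanner shows.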

MS15-043 (Cumulative IE) includes additional defense-in-depth updates to help improve security-related features.  For systems with IE7 and earlier, the JScript and VBScript vulnerabilities are resolved through MS15-053.

MS15-045 resolves two vulnerabilities that have been publicly disclosed, which increases the risk that they will be exploited significantly.

MS15-050 affects Windows Server 2003, but no update is offered for that OS because the changes required would need significant re-architecture.  As Server 2003 reaches its end of life, the number of unpatched vulnerabilities will increase.

MS15-055 resolves vulnerabilities in Schannel, but also includes additional security-related changes to TLS including increasing the minimum allowable DHE key length to 1024 bits.

May Patch Tuesday 2015

Well Patch Tuesday isn’t dead yet. At least according to four of your favorite vendors who just released updates for the May Patch Tuesday. Microsoft, Adobe, Mozilla and Google updates are upon us.

Microsoft released 13 bulletins, three of which are Critical. The Critical updates resolve 30 vulnerabilities and affect Internet Explorer, the OS, .Net, Office, Silverlight and Lync. The remaining 10 Important updates resolve 18 more vulnerabilities and affect the OS, .Net, SharePoint, Silverlight and Office.

MS15-043 is a Critical update for Internet Explorer, which resolves 22 vulnerabilities, mostly relating to memory corruption, but there are a few ASLR bypass, Elevation of Privilege and Information Disclosure vulnerabilities being resolved as well. This update should be on your priority list this month.

MS15-044 is a Critical update for the OS, .Net, Office, Lync, and Silverlight. Expect to see a few variations of this update needed for most of your machines. The update resolves two vulnerabilities in OpenType and TrueType font handling. An attacker could craft documents or web content containing embedded TrueType fonts that, when parsed, could allow remote code execution. This update should also be on your priority list, but it will likely require more testing due to the variety of products impacted.

MS15-045 is a Critical update for the OS. This update resolves six vulnerabilities which, if exploited, could allow remote code execution. An attacker could craft a special Journal file which, when opened, could give them the same rights as the logged-on user. This update should also be on your priority list this month.

Of the important updates, there are a few things to note. SharePoint, .Net and Kernel Mode Drivers are all in the list of affected products this month. They should be tested adequately and rolled out in a timely manner. MS15-052 is replaced by MS15-055, so if you are deploying both updates, you really only need MS15-055, which is an update for SChannel. If you do not deploy MS15-055, then MS15-052 would still be required to resolve the Kernel security feature bypass vulnerabilities described in that bulletin.

Adobe pre-announced updates for Acrobat Reader and Acrobat and added an update for Flash Player today. Both bulletins are Priority 1 updates from Adobe and should both be added to your priority list this month.

For Acrobat and Acrobat Reader there are 34 vulnerabilities being resolved, rated as Priority 1 updates. They range from buffer overflows, which could lead to code execution, to null-pointer dereferences, which could lead to denial of service. Fourteen of these vulnerabilities allow a bypass of the restrictions on JavaScript API execution. These updates, especially Acrobat Reader, should be on your priority list this month.

Adobe Flash resolves 18 vulnerabilities and is also rated as a Priority 1 update. Thirteen of the 18 CVEs resolved have a CVSS base score of 9.3. There are multiple code execution vulnerabilities being resolved, one of which allows an attacker to bypass Protected Mode in Internet Explorer. With Flash updates you could have up to four updates to be deployed to resolve all of these vulnerabilities. Flash Player itself, Google Chrome (also released today), an update for Flash for FireFox, and a Security Advisory from Microsoft for Flash for IE. Flash Player should be on your priority list this month.

Google Chrome 42.0.2311.152 is released. The only change in this update is support for the aforementioned Adobe Flash 17.0.0.188 update. To ensure you are up to date on Flash Player, you must update Google Chrome so you are supporting the latest plug-in.

Mozilla Firefox released an update today resolving 13 advisories and a total of 15 vulnerabilities, five of which are Critical. The vulnerabilities resolved include a buffer overflow, a use-after-free error and a buffer overflow during SVG graphics rendering, all of which could lead to an exploitable crash; an out-of-bounds read/write during JavaScript validation, which could allow information disclosure; and memory safety bugs that could be exploited to run arbitrary code. Between the Flash Player plug-in and the Critical vulnerabilities being resolved, it is a good idea to keep Firefox on your priority list this month.

Join us tomorrow for our Patch Tuesday webinar as we review the Microsoft and 3rd Party updates released this Patch Tuesday.  Find out the potential impacts of updating, the risks of not updating, and anything else that comes up as we walk through this month's Patch Tuesday lineup.