Every organization, no matter its size or industry, has cybersecurity risk. All IT systems and data are targets for cybercriminals, so every organization needs a cybersecurity program. Starting a program can be challenging, especially when you don’t know what to focus on first. There are thousands of companies out there trying to sell you their magic bullet for cybersecurity. The truth is you already have what you need to get your program started, and it doesn’t require new or expensive hardware. Here are the Top 5 things Totem Technologies recommends for any organization starting a cybersecurity program:
Before I get into an explanation of each of the Top 5, let me give you a little background on how we developed the list. The Totem Top 5 are derived from three separate top “controls” or “mitigations” lists from the world’s leading expert organizations on cybersecurity:
- The Center for Internet Security (CIS) “Basic Controls”
- The US National Security Agency (NSA) “Top Ten Mitigations”
- The Australian Cyber Security Centre (ACSC) “Essential Eight”
There is a lot of overlap between these three lists. I’ve color-coded the various lists’ overlap and how they relate to the Totem Top 3 through 5 in the tables below:
You can see the green rows correspond to our Totem Top #3: Patch Software and Operating Systems; blue rows correspond to Totem Top #4: Restrict Administrative Privileges; orange rows correspond to #5: Harden System Components.
The Totem Top 5 is derived partially from the expert sources, but I’ve departed from those sources for Top #1 and #2. All of the mitigations presented are predicated on understanding what technology components make up your IT system and which users interact with those components. Thus, taking an inventory of who and what is supposed to be part of your IT system is critical; hence Totem Top #1: Know your assets (who/what). Also, for reasons I’ll get into below, Totem Top #2 is User Training.
The Totem Top 5 is designed to help thwart the single biggest cybersecurity risk facing any organization: social engineering of users, specifically through phishing. By implementing the Top 5, the organization will begin to develop a layered “defense-in-depth” approach to cybersecurity. Just as a castle has multiple layers of defense (moat, drawbridge, high and thick walls, sentries), so must a robust cybersecurity program. To illustrate the layers of defense, I’ll show how implementing the Totem Top 5 helped our organization defeat an actual phishing threat.
Here’s a screen shot of an email received in 2018 by our information mailbox, [email protected]:
If that’s a little hard to read, here’s a transcript of the email:
From: Jain Li [email protected]
Subject: Outstanding Payment
kindly confirm the attach invoice if it corresponds with your
bank details, because we are about to remit the outstanding payment
soon, we await your urgent respond ASAP.
A lot of you would immediately regard this email as suspicious. Good job! Give yourself a pat on the back and now go thank your IT training and awareness staff for learning you up on how to spot a phish. But there’s a reason your staff knew to include you in the training: they knew their assets (Totem Top #1). They knew that you were a system user, and knew that you use email, so they targeted you for phishing training (Totem Top #2). Had they not, you might not have the skills you now have, and might have chomped on the bait dangled by this email.
Let’s talk about some of the phishing indicators in this email, indicators that most certainly should be included in any user cybersecurity awareness training program:
- No one in our organization knew the sender, Jain Li, or the sending domain, kctcintl.co
- I was not expecting any emails from this sender, certainly not with attachments
- “To:” line: “undisclosed-recipients”
- Sense of urgency: “URGENT!!!!”; “ASAP”
- No specific salutation: “Dear Sir/Madam”
- Multiple spelling, grammar, and formatting mistakes for US English
Now, I’ve been trained to spot such obvious phishes. But I guarantee someone else in that list of “undisclosed-recipients” opened this email, thought “oh s**t”, and opened the attachment.
Having not taken the bait, I deleted this email, but not before saving off the attached “Invoice.doc” for some more analysis.
Analysis of the attachment
Good thing I didn’t open that attachment! Despite the .doc extension, it looks like a Rich Text Format (.rtf) file with some embedded nastiness.
Next step was to execute the file in the app.any.run sandbox, which is one of the best (free!) analysis tools out there. Sandbox execution showed Invoice.doc.rtf contained exactly one visible character: a dot “.”. It also contained an embedded exploit for CVE-2017-11882, a stack buffer overflow in the Microsoft Equation Editor (EQNEDT32.EXE) that is triggered when Office parses a crafted equation object and yields remote code execution as the user who opened the document. When Invoice.doc was opened, commands were run, connections were made to an external SMTP server, files were copied to the machine, the registry was modified, and when all was said and done, the Hawkeye keylogger was installed and set to autorun. All without any user interaction at all, aside from opening the file.
Luckily for me, and for the Haight Bey/Totem IT system, and for the rest of my team, we’ve implemented the Totem Top 5, each of which would have stopped or contained this nastiness on my machine. I’ve already discussed Totem Top #1 and #2: the user training I’ve received stopped me from even opening the attachment. There’s defense-in-depth layer 1. But let’s say I did open it. That’s where Totem Top #3 through #5 come into play.
Totem Top #3: Patch Software and Operating Systems
As stated above, the Invoice.doc attachment was laden with an exploit for CVE-2017-11882. Microsoft released a patch for the exploitable vulnerability in November 2017, fully nine months prior to our receipt of the phish. Our cybersecurity policy states that workstations shall be set to automatically download and install operating system and software updates when available. We also configure Windows Update to receive updates for other Microsoft products, such as Office, alongside operating system updates. You can configure this on your Windows 10 workstation by typing “Settings” at the Start menu, going to Windows Update > Advanced options, and turning on the option to receive updates for other Microsoft products. A screen shot of the interface is shown below:
Because of this policy and configuration, within one day of the November 2017 Patch Tuesday, my system was no longer susceptible to the exploit this phish was attempting. Just to be sure, we also run vulnerability scans to ensure systems are patched, and that the patches are properly implemented. Defense-in-depth layer 2.
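Here is an added PowerShell check (not code from the original post) that verifies the two things this layer relies on: that Automatic Updates is registered with the Microsoft Update service (the Settings toggle described above is the GUI for that registration) and that the Equation Editor binary is either patched or gone. The service GUID and the 2017.8.14.0 file version are Microsoft’s published values; the file paths assume Office’s default install location under Common Files.

```powershell
# Added example, not code from the original post. Checks that Automatic
# Updates is registered with Microsoft Update (so Office patches arrive with
# Windows patches) and that EQNEDT32.EXE is patched or removed.
# ServiceID and fixed version are Microsoft's published values; the install
# paths assume Office's default location under Common Files.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
$FixedEquationEditor      = [version]'2017.8.14.0'   # shipped in the Nov 2017 fix

function Test-MicrosoftUpdateEnabled {
    # Same state as the Settings > Windows Update > Advanced options toggle.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $svc = $mgr.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    return [bool]($svc -and $svc.IsRegisteredWithAU)
}

function Enable-MicrosoftUpdate {
    # Flags 7 = AllowPendingRegistration (1) + AllowOnlineRegistration (2)
    # + RegisterServiceWithAU (4). Needs an elevated session.
    $mgr = New-Object -ComObject Microsoft.Update.ServiceManager
    $null = $mgr.AddService2($MicrosoftUpdateServiceId, 7, '')
}

function Get-EquationEditorStatus {
    # 32-bit Office on 64-bit Windows lives under Common Files (x86); on
    # 32-bit Windows that variable is empty and is skipped.
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
    $paths = @($roots |
               ForEach-Object { Join-Path $_ 'Microsoft Shared\EQUATION\EQNEDT32.EXE' } |
               Where-Object { Test-Path $_ })
    if ($paths.Count -eq 0) {
        # The January 2018 update removed Equation Editor entirely; that is fine.
        return [pscustomobject]@{ Status = 'Removed'; Path = $null; Version = $null }
    }
    foreach ($p in $paths) {
        $vi     = (Get-Item $p).VersionInfo
        $ver    = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($ver -ge $FixedEquationEditor) { 'Patched' } else { 'VULNERABLE' }
        [pscustomobject]@{ Status = $status; Path = $p; Version = $ver }
    }
}

if (-not (Test-MicrosoftUpdateEnabled)) {
    Write-Warning 'Microsoft Update is not registered with Automatic Updates; enabling it.'
    Enable-MicrosoftUpdate
}
Get-EquationEditorStatus | Format-Table -AutoSize
```

Run it elevated if you want the enable step to take effect. One caveat the toggle does not cover: Click-to-Run installs such as Microsoft 365 Apps update from the Office CDN rather than from Windows Update, so for those you confirm the update channel on the application’s Account page instead of this switch.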
Totem Top #4: Restrict Administrative Privileges
Changes such as writing to the HKLM registry hive, installing services, or altering the system certificate store require administrator-level privileges on a Windows machine. Our cybersecurity policy dictates that end users shall not have access to administrative accounts or privileges; those privileges are reserved for our IT administrators. We also engage Microsoft’s User Account Control at its strictest setting, so administrative credentials are required to make such changes to the machine configuration. Thus, I interact with my machine as a regular “Joe Shmo” user. So even if my machine hadn’t been patched, had I opened the Invoice.doc file, the payload would have been running with only my privileges: it could not have modified the system-wide configuration, and any attempt to elevate would have produced a UAC credential prompt on my desktop, a clear sign that some shenanigans were afoot. The caveat is that a keylogger can still persist under the user’s own profile (an HKCU Run key, for example), so this layer limits the damage and makes the intrusion noisier rather than guaranteeing the payload never runs; that is exactly why it sits alongside the other layers. Another layer of the defense-in-depth approach.
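An added PowerShell audit (not code from the original post) that checks a workstation against this policy: it reports whether the current session is elevated, who is in the local Administrators group, and whether the UAC registry values match the “Always notify” configuration. The expected values are Microsoft’s documented ones; which accounts belong in the Administrators group is a policy decision, so the script only lists them.

```powershell
# Added example, not code from the original post. Audits a Windows 10
# workstation against "end users are standard users, UAC at its strictest".
# Expected UAC values are Microsoft's documented ones; which accounts belong
# in Administrators is a policy decision and is only reported here.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-SessionElevated {
    # True if this PowerShell process holds an administrator token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Anyone listed here bypasses the "standard user" layer; the output
    # should contain IT administrator accounts only, never daily-use ones.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UacAudit {
    $p = Get-ItemProperty -Path $UacKey
    # "Always notify": UAC on, admins get a consent prompt on the secure
    # desktop for every elevation, standard users get a credential prompt
    # on the secure desktop (1) rather than a silent deny (0) or a prompt
    # on the normal desktop (3), so an unexpected elevation is visible.
    $expected = [ordered]@{
        EnableLUA                  = 1
        ConsentPromptBehaviorAdmin = 2
        PromptOnSecureDesktop      = 1
        ConsentPromptBehaviorUser  = 1
    }
    foreach ($name in $expected.Keys) {
        $actual = $p.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Pass     = ($actual -eq $expected[$name])
        }
    }
}

"Session elevated: $(Test-SessionElevated)"
Get-LocalAdminMembers | Format-Table -AutoSize
Get-UacAudit          | Format-Table -AutoSize
```

Run it in the account the user actually works in: “Session elevated: False”, an Administrators list that does not contain that account, and four passing UAC rows is the pass condition for this layer.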
Totem Top #5: Harden System Components
You know that annoying “PROTECTED VIEW” warning you get when you try to open a Word or Excel file that you downloaded or received as an email attachment?:
Yeah…that’s there to help prevent exactly the sort of attack I’m describing here. Don’t ignore the warning, and don’t automatically click “Enable Editing”. Microsoft knows adversaries execute these types of attacks using malware-laden Office documents, so in Office 2010 it introduced Protected View, which opens files from email attachments, the internet and other unsafe locations read-only in a sandbox, with macros, ActiveX controls and embedded objects disabled, until a user explicitly enables editing. So, had I:
- Not been trained to spot phishes (defense layer 1)
- Not patched my machine (defense layer 2)
- Been using an administrative account (defense layer 3)
And opened this attachment, the exploit would not have immediately run, because the file would have been sandboxed in Protected View, where embedded objects are not activated. This would have given me time to notice that the only content of Invoice.doc was “.”. That should have raised some suspicions (or at least made me realize that Jain Li, whoever that is, sent me a bad file), and I would have closed the file without further consideration. And there’s the bottom layer in our delicious defense-in-depth layer cake.
The bottom line is that we left the Office application in its natural “hardened” configuration, with out-of-the-box security settings intact. Adversaries know this, and there are easy ways to entice the user to click the “Enable Editing” or “Enable Content” button. (How about in the phish, the attacker just writes “Please ignore the warning and click Enable Content”? If you opened the attachment, you’ll probably heed this recommendation too.) To thwart this threat, organizations can get crafty with further hardening Office applications. For example, there’s an Office hardening guide from the Australian Cyber Security Centre. The key is to pick a level of hardening commensurate with your organization’s risk management plan, and configure your systems accordingly. You don’t need to buy any new hardware or software to securely configure your systems. It just takes time and commitment.
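An added PowerShell example (not code from the original post) that audits the Protected View and macro settings for Word, Excel and PowerPoint and applies two hardening steps: macros disabled without notification, so the “Enable Content” button the attacker asks for never appears, and the COM “kill bit” for the Equation Editor class, which is the mitigation Microsoft published alongside the CVE-2017-11882 fix. The Office 16.0 registry tree and the per-user (HKCU) settings location are assumptions; the Equation Editor CLSID and the 0x400 flag are Microsoft’s values.

```powershell
# Added example, not code from the original post. Audits the Protected View
# and macro settings the phish depended on for Word, Excel and PowerPoint,
# and applies two hardening steps: macros off without notification, and the
# COM kill bit for the Equation Editor class (Microsoft's published
# mitigation for CVE-2017-11882). Assumptions: Office 16.0 registry tree and
# per-user (HKCU) settings; the CLSID and 0x400 flag are Microsoft's values.
$OfficeVersion = '16.0'
$Apps          = 'Word', 'Excel', 'PowerPoint'
$EquationClsid = '{0002CE02-0000-0000-C000-000000000046}'   # Equation.3

function Get-OfficeSecurityAudit {
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $pv  = Get-ItemProperty -Path "$sec\ProtectedView" -ErrorAction SilentlyContinue
        $s   = Get-ItemProperty -Path $sec                 -ErrorAction SilentlyContinue
        # Disable*InPV = 1 turns a Protected View trigger off; absent or 0 means
        # the out-of-the-box protection is intact. VBAWarnings: 1 enable all,
        # 2 disable with notification (default), 3 signed only, 4 disable silently.
        $vba = if ($s -and $s.VBAWarnings) { $s.VBAWarnings } else { 2 }
        [pscustomobject]@{
            App                = $app
            PV_Attachments     = -not ($pv -and $pv.DisableAttachmentsInPV)
            PV_InternetFiles   = -not ($pv -and $pv.DisableInternetFilesInPV)
            PV_UnsafeLocations = -not ($pv -and $pv.DisableUnsafeLocationsInPV)
            VBAWarnings        = $vba
            MacrosBlocked      = ($vba -eq 4)
        }
    }
}

function Set-OfficeHardening {
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $pv  = "$sec\ProtectedView"
        New-Item -Path $pv -Force | Out-Null
        foreach ($name in 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV') {
            Set-ItemProperty -Path $pv -Name $name -Value 0 -Type DWord   # keep Protected View on
        }
        # 4 = disable all macros without notification: the "Enable Content"
        # button an attacker asks the user to click never appears.
        Set-ItemProperty -Path $sec -Name 'VBAWarnings' -Value 4 -Type DWord
    }
}

function Set-EquationEditorKillBit {
    # HKLM write: run elevated. Both hives are set so 32-bit Office on
    # 64-bit Windows is covered too.
    foreach ($hive in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
        $key = "HKLM:\$hive\Microsoft\Office\Common\COM Compatibility\$EquationClsid"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    }
}

Get-OfficeSecurityAudit | Format-Table -AutoSize
# Set-OfficeHardening; Set-EquationEditorKillBit   # apply after reviewing the audit
```

The HKCU values are what the Trust Center writes, so a user can flip them back. For an organization-wide setting, deploy the same value names under HKCU:\Software\Policies\Microsoft\Office\16.0\<app>\Security (and its ProtectedView subkey) through Group Policy; policy keys take precedence over the user keys and show up greyed out in the Trust Center. The ACSC hardening guide referenced above goes further (OLE package blocking, add-in controls and more) and is the better baseline for a higher-risk profile.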
Caveat to the Totem Top 5
It is important to note that the Totem Top 5 are just the tip of the iceberg when it comes to building a robust cybersecurity program. Cybersecurity is all about risk management. Every organization has a different risk profile, and needs its own custom program; one size does not fit all. The Top 5 fit squarely within the “Harden” aspect of Totem’s Harden-Hunt-Heal cybersecurity cycle; they don’t address any Hunting or Healing requirements.
That being said, if you’re looking for a place to start building your program, you can do a lot worse than starting with our Top 5.
File hashes (MD5: db48deb53aa74b7f496c64f0b6b57376; SHA-256: c98fa0a99de5b9720e234f6afe60940fae10c8a010ab43bd6b68dd3398f2b870)