Securezoo Articles
By Frank Crast, 8/5/2016


If you have worked in the security field for any length of time, you know by now that there are many different types of cyber threats that can compromise endpoints. The phrase "multiple levels of defense" (defense in depth) describes the usual answer: if one layer of controls fails, other layers can still prevent a breach, or at the very least make it harder for an attacker to do damage.


As I described in previous endpoint security articles, including those on OS X and Windows security, hardening standards can go a long way toward protecting your workstations from intrusion. Sometimes the most basic and simplest controls are what keep your organization's systems from being compromised.

NIST's recent guide for securing OS X (SP 800-179, whose approach applies to other operating systems as well) starts from the threats: first understand the types of threats that can affect your organization's endpoints, local and remote, and then put controls in place to stop each of them.
 

Local threats and mitigations

Local threats can include insecure boot processes, unauthorized local access and privilege escalation just to name a few. 

An insecure boot process lets an intruder boot your device from a USB storage device, bypassing the installed OS entirely, or boot into the recovery partition (on a Mac, by holding Option or Command-R at startup). The end result could be access to sensitive data stored on a laptop, for example.

Boot process: the controls that secure the boot process are whole-disk encryption (FileVault on OS X) and a firmware password that prevents unauthorized changes to the firmware, including the choice of boot device; allow only the local hard drive to boot. The two complement each other: a firmware password does nothing for a drive that is removed and read on another machine, which is why disk encryption is the primary control.

Unauthorized local access: a visitor could gain physical access and guess a weak password on your system. Controls to mitigate this include a strong password policy, an automatic screen lock or screen saver after a short period of inactivity (15 minutes at most) that requires a password to unlock, and immediately disabling the accounts of departing employees.

Privilege escalation: this happens when an authorized user with normal user-level rights gains administrator-level rights. For example, an attacker could exploit a vulnerability in a local service to gain administrator privileges and access sensitive files; the initial foothold is often the result of a phishing or drive-by download attack. Adversaries can also guess weak admin passwords and gain full access to a system, then disable security controls (to cover their tracks) or pivot to another, more sensitive system in your organization.

Controls to limit privilege escalation include restricting admin-level accounts and tools to a select few administrators (who should still do their day-to-day work from standard accounts), disabling unused local services, installing patches promptly and encrypting stored data.
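The local controls above (disk encryption, firmware password, screen lock timeout, a short list of admin accounts) can be audited from a shell. The script below is an added example written for this article, not code from NIST, Apple or the original page. It assumes the macOS tools named in its comments (fdesetup, firmwarepasswd, defaults, dscl) and the output formats shown there; each check takes that output as text, so the logic runs against the constructed sample output on any POSIX shell, and a Mac can pass real output with --live.

```shell
#!/bin/sh
# Local-threat audit for a Mac (added example). Each check_* function takes
# the text a macOS tool prints and returns 0 (pass) or 1 (fail), so the
# logic can be exercised against sample text on any POSIX shell. Run with
# --live on a Mac (firmwarepasswd needs root) to feed it real tool output.
# Assumed tools and output formats:
#   fdesetup status            -> "FileVault is On." / "FileVault is Off."
#   sudo firmwarepasswd -check -> "Password Enabled: Yes" / "Password Enabled: No"
#   defaults -currentHost read com.apple.screensaver idleTime -> seconds, e.g. 600
#   dscl . -read /Groups/admin GroupMembership -> "GroupMembership: root alice"

MAX_IDLE=900   # screen lock after at most 15 minutes of inactivity

check_filevault() {            # whole-disk encryption on?
    case "$1" in *"FileVault is On."*) return 0 ;; *) return 1 ;; esac
}

check_firmware_password() {    # changing the boot device needs a password?
    case "$1" in *"Password Enabled: Yes"*) return 0 ;; *) return 1 ;; esac
}

check_idle_time() {            # idle time set, numeric, and 1..MAX_IDLE seconds?
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # unset or not a number
    [ "$1" -gt 0 ] && [ "$1" -le "$MAX_IDLE" ]
}

# Print each admin group member that is not on the allow list ($2, space separated).
unexpected_admins() {
    for m in ${1#GroupMembership:}; do
        case " $2 " in *" $m "*) ;; *) printf '%s\n' "$m" ;; esac
    done
}

# Run all checks; args: fdesetup text, firmwarepasswd text, idle seconds,
# dscl text, allowed admins. Prints findings; returns the number of failures.
audit_local() {
    fails=0
    check_filevault "$1"         || { echo "FAIL: FileVault is off"; fails=$((fails+1)); }
    check_firmware_password "$2" || { echo "FAIL: no firmware password"; fails=$((fails+1)); }
    check_idle_time "$3"         || { echo "FAIL: screen saver idle time '$3' not in 1..$MAX_IDLE s"; fails=$((fails+1)); }
    extra=$(unexpected_admins "$4" "$5")
    [ -z "$extra" ] || { echo "FAIL: unexpected admin accounts:" $extra; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample output, as a poorly configured laptop might print it.
SAMPLE_FDESETUP='FileVault is Off.'
SAMPLE_FIRMWARE='Password Enabled: No'
SAMPLE_IDLE='0'
SAMPLE_DSCL='GroupMembership: root alice bob'
ALLOWED_ADMINS='root alice'   # the select few who may hold admin rights

if [ "${1:-}" = "--live" ]; then
    audit_local "$(fdesetup status)" "$(sudo firmwarepasswd -check)" \
        "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
        "$(dscl . -read /Groups/admin GroupMembership)" "$ALLOWED_ADMINS" \
        && echo "All local checks passed"
else
    audit_local "$SAMPLE_FDESETUP" "$SAMPLE_FIRMWARE" "$SAMPLE_IDLE" "$SAMPLE_DSCL" "$ALLOWED_ADMINS" \
        && echo "All local checks passed"
fi
```

Against the sample the script reports four failures (encryption off, no firmware password, no screen lock timeout, and "bob" holding admin rights); the exit status is the failure count, so it drops into a fleet-wide compliance check unchanged.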
 

Remote threats and mitigations

Remote threats commonly involve network services, data disclosure and malicious payloads.

Network services: attackers use exposed network services to gain unauthorized access to systems, for example remote access protocols that don't require authentication, or unneeded services listening on every interface.

Recommended secure protocols include SSH, TLS and IPsec, to name a few. Also disable unused services, patch and update systems, and ensure your systems are hardened to an industry benchmark such as those from the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS).

Data disclosure: protocols that pass credentials in clear text (such as telnet, FTP or the Berkeley "r" commands rlogin, rsh and rexec) are vulnerable to data disclosure. Remember that an attacker can sniff clear-text credentials on your wired or wireless network and use them to gain unauthorized access to sensitive systems, especially if those credentials are privileged.

Recommended controls include encrypted network communications, switched networks and a secure identity/authentication system that includes multi-factor authentication. Note that a switched network only limits casual sniffing; ARP spoofing and wireless monitoring defeat it, so encrypting the traffic itself is the control that actually protects the credentials.
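Both of the points above, unneeded services listening on the network and services that carry credentials in clear text, come down to knowing what is listening. The script below is an added example, not part of the original article: it parses the output of lsof -i -P -n (the format is assumed from the tool's usual columns and is shown in a comment), flags ports belonging to clear-text protocols, flags anything not on a per-host allow list, and treats loopback-only binds as not exposed. The lsof lines it runs against by default are constructed; --live audits the host it runs on.

```shell
#!/bin/sh
# Listening-service audit (added example). Reads "lsof -i -P -n" output,
# which on a Mac or Linux box lists one line per socket with the bind
# address:port in the NAME column and "(LISTEN)" for listeners, e.g.
#   launchd  1 root 10u IPv6 0x1 0t0 TCP *:22 (LISTEN)
# Run with --live to audit this host; otherwise a constructed sample is used.

# Ports whose protocols send credentials in clear text: ftp, telnet,
# rexec, rlogin, rsh. Always flagged when exposed.
CLEARTEXT_PORTS=" 21 23 512 513 514 "
# Ports this host is expected to expose (here only SSH).
ALLOWED_PORTS=" 22 "

classify_port() {   # $1 = port number; prints CLEARTEXT, ALLOWED or UNEXPECTED
    case "$CLEARTEXT_PORTS" in *" $1 "*) echo CLEARTEXT; return ;; esac
    case "$ALLOWED_PORTS"   in *" $1 "*) echo ALLOWED;   return ;; esac
    echo UNEXPECTED
}

# Read lsof output on stdin; print "<status> <port> <bind-addr> <command>" per
# listener. Returns 1 if any CLEARTEXT or UNEXPECTED listener is reachable from
# the network; loopback-only binds are reported as LOOPBACK and do not fail.
audit_listeners() {
    bad=0
    while read -r cmd pid user fd type dev size node name state; do
        [ "$state" = "(LISTEN)" ] || continue      # skips header, UDP, established
        port=${name##*:}                           # text after the last colon
        addr=${name%:*}                            # everything before it
        status=$(classify_port "$port")
        case "$addr" in 127.0.0.1|"[::1]"|localhost) status=LOOPBACK ;; esac
        printf '%s %s %s %s\n' "$status" "$port" "$addr" "$cmd"
        case "$status" in CLEARTEXT|UNEXPECTED) bad=1 ;; esac
    done
    return "$bad"
}

# Constructed sample: SSH via launchd, a telnet daemon, CUPS on loopback,
# a VNC server nobody approved, and a UDP socket (no LISTEN state).
SAMPLE_LSOF='COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1  root   10u  IPv6 0x1a      0t0  TCP *:22 (LISTEN)
telnetd   412  root    3u  IPv4 0x2b      0t0  TCP *:23 (LISTEN)
cupsd     201  root    7u  IPv4 0x3c      0t0  TCP 127.0.0.1:631 (LISTEN)
vncserver 555  frank   4u  IPv4 0x4d      0t0  TCP *:5900 (LISTEN)
mDNSResp   88  _mdns  12u  IPv4 0x5e      0t0  UDP *:5353'

if [ "${1:-}" = "--live" ]; then
    lsof -i -P -n | audit_listeners || echo "Exposed clear-text or unexpected listeners found"
else
    printf '%s\n' "$SAMPLE_LSOF" | audit_listeners || echo "Exposed clear-text or unexpected listeners found"
fi
```

On the sample it prints one line per listener (ALLOWED 22, CLEARTEXT 23, LOOPBACK 631, UNEXPECTED 5900) and exits 1 because telnet and VNC are reachable from the network. Maintaining ALLOWED_PORTS per host role is the practical way to turn "disable unused services" into something you can verify rather than assume.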

Malicious payloads: there are many kinds of malicious payloads, including viruses, worms, trojans and active attack tools that give an intruder control of the system.

End users can trigger such payloads in any of the following ways:

  • A user downloads a free game, infected with a trojan, from a third-party site.
  • A user logged in with administrative-level privileges browses to a malicious site infected with malware, subsequently infecting her system.
  • A user installs and operates peer-to-peer (P2P) file-sharing software to download music files, and the P2P software itself, or the files fetched through it, carries spyware.
  • A user falls for a phishing attack (opens a payload via an email link or a malicious file attachment).
  • A user connects an untrusted USB device (a drive of unknown origin, or an unprotected one that has been plugged into other machines) that carries malware.

To mitigate malicious payloads, have users work from standard user accounts rather than with admin privileges, and use administrator accounts only for maintenance activities. Make sure your users can recognize phishing attempts and know how to avoid malicious payloads.

Use anti-virus software, application whitelisting (on OS X, Gatekeeper restricts which apps can launch based on code signing), and strong email security controls such as anti-spam filtering and blocking attachments with risky file types (executables, scripts and installers). Last but not least, keep the OS and third-party software up to date at all times. Together these controls greatly reduce the likelihood of infection.
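Three of the payload controls above can be expressed as simple checks: is the user working from a standard (non-admin) account, is Gatekeeper enabled, and would a given attachment name be blocked. The script below is an added example, not from the original article or from Apple; it assumes the commands id -Gn and spctl --status with the output shown in its comments, its attachment blocklist is a starting point to adjust to your own policy, and the input it runs against by default is constructed. The attachment filter checks the last extension, case-insensitively, so the classic invoice.pdf.exe trick is still caught.

```shell
#!/bin/sh
# Malicious-payload control checks (added example). Checks parse the text the
# named tools print, so they run against sample text anywhere; with --live on
# a Mac the real values come from:
#   id -Gn          -> groups of the current user, e.g. "staff admin everyone"
#   spctl --status  -> "assessments enabled" / "assessments disabled" (Gatekeeper)

# Day-to-day work should happen from a standard account: no "admin" group.
is_standard_user() {
    case " $1 " in *" admin "*) return 1 ;; *) return 0 ;; esac
}

# Gatekeeper (OS X application whitelisting by code signature) must be on.
check_gatekeeper() {
    case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# Attachment extensions to block at the mail gateway: executables, scripts,
# installers and disk images (assumed starting list; tune to your policy).
BLOCKED_EXT=" exe scr com pif bat cmd vbs js jse wsf ps1 jar app pkg dmg command sh "

attachment_blocked() {          # $1 = file name; 0 = block, 1 = allow
    name=$1
    case "$name" in *.*) ;; *) return 1 ;; esac        # no extension: allow
    ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')  # LAST extension, lowercased
    [ -n "$ext" ] || return 1                          # trailing dot only: allow
    case "$BLOCKED_EXT" in *" $ext "*) return 0 ;; *) return 1 ;; esac
}

filter_attachments() {          # args: file names; prints "BLOCK name" / "ALLOW name"
    for f in "$@"; do
        if attachment_blocked "$f"; then echo "BLOCK $f"; else echo "ALLOW $f"; fi
    done
}

# Constructed sample input: an admin user on a Mac with Gatekeeper on.
SAMPLE_GROUPS='staff admin everyone localaccounts'
SAMPLE_SPCTL='assessments enabled'

if [ "${1:-}" = "--live" ]; then
    user_groups=$(id -Gn); spctl_out=$(spctl --status)
else
    user_groups=$SAMPLE_GROUPS; spctl_out=$SAMPLE_SPCTL
fi
is_standard_user "$user_groups" || echo "WARN: working from an admin account"
check_gatekeeper "$spctl_out"   || echo "WARN: Gatekeeper (application whitelisting) disabled"
filter_attachments invoice.pdf.EXE report.pdf README setup.dmg
```

The sample run warns about the admin account and prints BLOCK for invoice.pdf.EXE and setup.dmg, ALLOW for report.pdf and README. Note that an extension filter is a coarse control: macro-bearing documents and archives with executables inside pass it, which is why the article pairs it with anti-virus, whitelisting and user awareness rather than relying on any one of them.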
 

Topic: Configuration Management, General Security Awareness, Malicious Software Controls