With devices, PCs and tablets becoming ever more numerous, it is becoming necessary for all users to perform basic security administration functions.
Individuals can no longer depend on automatic default configurations to maintain a personal secure digital environment. Today, even the least technically savvy user must begin to practice basic cyber defence tasks to keep personal systems and data private.
Cyber defence 101 – for beginners
Cyber defence begins with a mindset or philosophy grounded in the understanding that everyone who uses computing devices is a target. No longer can anyone say with certainty that “they are too small or too unimportant to be a target”. In fact, many small businesses across the world are finding themselves targeted more as larger corporations establish sophisticated security defences.
Being a hacking target is one thing. However, it is also hard for the average user to know where to concentrate their defensive measures. In large corporations, security risk management efforts now quantify a scored hierarchy of importance. Then, after the hierarchy is established, security defence measures are applied to the most critical systems first. Individuals can do this scoring as well. Nevertheless, they should score their most critical systems based on what hackers are most likely to attempt to exploit.
What hackers are after – the money goal
In broad terms, a hacker’s goal is money. Either they are after money directly, or data that leads to money. They want data to get access to money, data to sell for money, or data to use a computer system’s resources to get money. An individual who is only concerned about their bank account could concentrate their cyber defence measures on the one system that has access to their bank (and probably use only one system for bank access too). Given that money is the primary target, a user can now start to organise their digital life so they do not become a victim of cybercrime.
Becoming a less visible cyber target
There is an old joke among cybersecurity professionals: “Two men are walking in a forest. Suddenly a large brown bear appears on the path before them. One of the men calmly starts to tie his shoes. The kneeling man’s companion says, “What are you doing? You know you can’t out run a bear!” To which the kneeling man replied, “I don’t have to outrun the bear ... I only have to outrun you!”
Eventually hackers will compromise systems. But hackers, like everyone else, are resource constrained. If you as an individual make yourself difficult to compromise, most hackers will move on to an easier target.
Cyber defence guidance
The Australian Signals Directorate Top 35 list of mitigation strategies shows that at least 85% of intrusions could have been mitigated by following these top four mitigation strategies:
• Patching applications.
• Patching operating system vulnerabilities.
• Restricting administrator privileges.
• Application Whitelisting.
What follows is an explanation of each of the above.
[1 & 2] Operating system and application updates – basic digital hygiene
For PCs: There is no better high value mitigation than regular OS updates. These should be set to automatic, but if you suspect your computer is out of date and has a Windows OS, simply go to the address below and follow the prompts to see if it needs any critical patches: windowsupdate.microsoft.com
Note: It is extremely important to go to only this designated website. Many malware vendors will redirect or hamper updates so be cautious.
For applications: The following applications should be updated regularly and manually checked to see if they are still the latest versions.
• Web browser.
• Adobe Acrobat.
• Adobe Flash.
• Antivirus.
For Android based devices it is good to allow automatic updates to install and be connected to secure non-public WiFi when doing so.
For Apple devices users are prompted when updates are available. While it is not common for apps to be hacked on Apple, if you have an older app that connects to outside websites (e.g. Facebook) these should be checked to make sure the latest version is installed.
[3] Restrict administrator privileges – keeping the safety features in place
The reason that administrator accounts need to be controlled is obvious. Most home systems simply allow ‘standard users’ to operate as an administrator account, which is a recipe for disaster. The administrator account should be used sparingly, so to limit the privilege is an excellent measure to take.
Use your computing device in User mode; leave the administrator account separate and use it only for true administrative tasks.
[4] Application whitelisting – no rogue programs
A whitelist is a list or register of entities that are given a particular privilege, service, mobility, access or recognition. Entities on the list will be accepted, approved and/or recognised. Whitelisting is the reverse of Blacklisting, the practice of identifying entities that are denied.
For personal computing application Whitelisting is not very practical. However, the basic principles of Whitelisting can be applied manually to yield some protection. Mitigations like manually monitoring process listings to see if any strange applications are running and then ending any that look suspicious.
How to detect if a system is hacked
There are many ways to detect if your system is hacked, but barring the use of sophisticated forensic tools, a qualitative assessment is best for most users.
Qualitative Indicators of Compromise (IOC):
• System runs slowly, possibly because malware background processes are running.
• System takes overly long to boot, possibly due to hacker hardware drivers loading.
• System makes strange noises at odd times, could be due to malware hardware driver being poorly coded.
• System applications do not run as desired. If System Update, System Restore or Antivirus cannot update, it is highly probable the system has been hacked.
• You find services such as Web searches are redirected to unusual sites, possibly malware/adware compromise.
In general, if you have any of the above happen you should contact an IT professional to resolve the problem. If you are doing this yourself, you can try to download/install Malwarebytes and scan for malware.
Similarly, on a network level, it is highly advisable to monitor network performance and behaviour for unexpected symptoms. A technical report explaining how to monitor networks for security purposes in more detail can be found here ( http://www.yokogawa.com/rd/pdf/TR/rd-te-r05702-007.pdf).
The only way a non-security expert would know if a system is mostly free of malware is for an operating system and antivirus update to occur without being halted. Since almost all malware disables OS and AV updates to keep the initial vulnerability from being fixed.
The United States Department of Homeland Security US Computer Emergency Response Team (US-CERT) recommends that organisations adhere to the following best practices to strengthen the security of their information systems:
• Develop Intrusion Detection System (IDS) signatures to monitor for the aforementioned IOCs.
• Investigate outbound network traffic observed over TCP port 53 that does not conform to the DNS protocol.
• Restrict access or probing of the aforementioned domains and IP addresses.
• Maintain up-to-date antivirus signatures and engines.
• Ensure systems are fully patched and updated; employ least-privileged accounts.
• Restrict user abilities (permissions) to install and run unwanted software applications.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its ‘true file type’ (i.e., the extension matches the file header).
• Monitor Web browsing habits and restrict access to sites with unfavourable content.
• Exercise caution when using removable media (e.g. USB thumb drives, external drives, CDs).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats; implement appropriate access control lists.
• Consider installing Application Whitelisting, Cloud Antivirus and Enhanced Mitigation Experience.
For more information contact Christie Cronje, Yokogawa South Africa, +27 (0)11 831 6300, [email protected], www.yokogawa.com/za
| Tel: | +27 11 831 6300 |
| Fax: | +27 11 86 411 8144 |
| Email: | [email protected] |
| www: | www.yokogawa.com/za |
| Articles: | More information and articles about Yokogawa South Africa |
© Technews Publishing (Pty) Ltd | All Rights Reserved
printer friendly version