A number of free mitigation and configuration changes can be easily employed at most enterprises, but few organizations are using them, giving cybercriminals a better chance to penetrate the corporate networks, according to a new paper that outlines steps IT security pros can take to greatly reduce the attack surface.
The new research paper, “In Configuration We Trust,” was issued Thursday by eEye Digital Security. The report was produced by eEye’s research team led by eEye cofounder and CTO Marc Maiffret. The document outlines several of the most common threat mitigation techniques and configuration changes, as well as the potential side effects certain changes can have on the network.
In an interview with SearchSecurity.com, Maiffret said the changes represent a good starting point for IT professionals looking to improve security. Hundreds of other changes exist, and if deployed, they can have a dramatic impact on infrastructure security, he said.
“While the industry is so fixated on the scariest threat out there in the world, a lot of the times we’re not talking nearly enough about some of the more tactical things that folks working in IT can do to make their environments more secure,” Maiffret said.
A recent survey by eEye found many firms struggling to address zero-day vulnerabilities. Companies have been looking for new, more effective security technologies to detect and eliminate external attacks, but few firms realize that locking down systems would have eliminated the threats posed by some recent high-profile attacks. Operation Aurora, which targeted Google and dozens of other firms, and Stuxnet, which targeted specific control mechanisms at power plants, both used zero-day vulnerabilities to gain access to internal corporate systems. Stuxnet leveraged the Windows Task Scheduler service; had the affected firms applied tighter file system permissions to the jobs folder used by Task Scheduler, the attack would have been blocked from accessing it.
“A lot of these things, including something as sophisticated as Stuxnet, could have been severely hampered just by having proper file system permissions,” Maiffret said.
While the methods outlined by eEye will reduce the attack surface, making it more difficult for cybercriminals to leverage vulnerabilities, Maiffret said there is no silver bullet. Attackers can find other hacking techniques, including using stolen credentials or flaws in unpatched software to gain access to systems containing sensitive data. He advocates thorough testing to limit disruption to end users.
“When it comes to trying to mitigate and reduce your organization’s overall attack surface, there is no one change that works for everybody,” Maiffret said.
In 2010, companies that deployed the latest version of Microsoft software wouldn’t have had to worry about half of all Microsoft vulnerabilities, Maiffret said. In fact, Maiffret estimates that organizations that run the latest versions of Microsoft software and also apply configuration changes could remove the attack surface exposed to more than 80% of all Microsoft vulnerabilities.
New Microsoft security features, including Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and other technologies, are in place to help prevent exploitation of vulnerabilities. The configuration changes that Maiffret outlines don’t merely hinder the exploitability of a flaw; they take the legs out from under the vulnerability altogether by removing the component it lives in.
For example, disabling the WebDAV protocol, a Web client service that is used for file sharing, could greatly reduce the effectiveness of many exploits targeting Microsoft software, as well as third-party exploits targeting Java, Maiffret said.
WebDAV is enabled by default on Microsoft systems. Maiffret estimates that 90% of companies don’t even use the technology, but if the file sharing protocol is being used by employees, the WebDAV traffic doesn’t have to be completely filtered out at the perimeter. Instead, a company can use Active Directory to limit WebDAV use to a subset of users.
If disabling or limiting WebDAV were combined with disabling Microsoft Office document converters, which have been the source of many errors and vulnerabilities, organizations would have eliminated 12% of all vulnerabilities patched by Microsoft in 2010.
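As an added illustration of the two settings the article singles out (the WebDAV client discussed here and the Task Scheduler jobs folder permissions mentioned in the Stuxnet discussion above), the following PowerShell audit script is example code written for this page, not a script from eEye’s paper. It assumes a Windows host where the WebDAV client runs as the “WebClient” service and legacy scheduled jobs live under %SystemRoot%\Tasks; it only reports, and leaves the remediation line commented out so it can be tested first, as Maiffret advises.

```powershell
# Added audit example (not from eEye's paper): report whether the WebDAV client
# is still enabled and whether the Task Scheduler jobs folder is broadly writable.
# Assumes Windows with PowerShell 3+; run as an administrator for complete ACL output.

function Get-WebDavClientState {
    # 'WebClient' is the Windows service that implements the WebDAV client.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Present = $false; State = 'n/a'; StartMode = 'n/a' } }
    [pscustomobject]@{ Present = $true; State = $svc.State; StartMode = $svc.StartMode }
}

function Get-WritableTaskFolderEntries {
    # Legacy .job files live under %SystemRoot%\Tasks; write access for broad
    # groups there is the kind of loose permission the article says would have
    # hampered Stuxnet. Lists only Allow entries granting write-type rights.
    param([string]$Path = (Join-Path $env:SystemRoot 'Tasks'))
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
                 [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor `
                 [System.Security.AccessControl.FileSystemRights]::Modify
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       (($_.FileSystemRights -band $writeMask) -ne 0) } |
        Select-Object IdentityReference, FileSystemRights
}

$web = Get-WebDavClientState
if ($web.Present -and $web.StartMode -ne 'Disabled') {
    Write-Output "WebClient (WebDAV) service is $($web.State), start mode $($web.StartMode): disable it, or scope it to the users who need it via Active Directory."
} else {
    Write-Output "WebClient (WebDAV) service is disabled or absent."
}

$loose = @(Get-WritableTaskFolderEntries)
if ($loose.Count) {
    Write-Output "Broad write access on the Task Scheduler jobs folder:"
    $loose | Format-Table -AutoSize
} else {
    Write-Output "No broad write ACEs found on the Task Scheduler jobs folder."
}

# Remediation for hosts that do not need WebDAV; keep -WhatIf until the change
# has been tested with the affected users, then remove it to apply.
# Set-Service -Name WebClient -StartupType Disabled -WhatIf
```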
The goal of the research is to get companies to start focusing on broader ways to mitigate threats. Too often, companies focus on a single exploit, Maiffret said. Configuration changes help organizations with limited IT staff and resources not only mitigate against known threats, but also future attacks, he said.
“Any time you are setting up that new email server or doing another project it’s important to find that balance between what you need to be agile and competitive as a business, and leaving out and turning off everything else you don’t specifically need to reduce the attack surface,” Maiffret said.