Securing the workspace, part I: chasing bad versus ensuring good
Security is something we have to deal with more than ever before. At vEUCTechCon I presented a session about securing the workspace. The intent of that session was to create awareness of the threats out there. It was also intended to show how certain products could help you. The products shown at the conference were VMware products, because the event we organised was a VMware-oriented conference. After my presentation I got to talk to several attendees about security. I think a series on securing the workspace is a nice blog series, so let’s get started. In this first blog I will talk about chasing bad versus ensuring good. In blogs to come I will go deeper on that and show simple solutions to protect. And lastly I’ll discuss monitoring, as that is your first line of defense as an early warning system.
Let’s first establish what a workspace is. In dictionaries you will find things like a desk, a place to sit at and so on. Those are old references to a workspace that are not applicable anymore to this time and place. A workspace today is where users access their applications and/or data. It can be a variety of devices, from a mobile to a desktop, from a laptop to a virtual desktop. Even Office 365 is a workspace, one you need to access from one of the devices mentioned earlier. As work became something you do, not something you go to, the workspace shifted as well. It’s more a functional thing now, where before it was a purely physical place. For the sake of this blog I will refer to a workspace as a device running Windows, even though I know that is limiting it too much.
Social Engineering and hacking
Hacking has reached the news so often that it is a topic at birthday parties today. Suddenly everyone knows what a hack is, or do they? I think we first need to establish a base: what is hacking and what differences are there? For me, hacking is actively seeking flaws in the security perimeter of a network to gain access to the network or data. This kind of hacking has been going on for ages, since the second we got connected and far before that with old skool spying. There is a different type of hacking that is more of a threat to our users and their workspaces. It’s more the phishing kind of hacking: trying to lure them into opening a link, a document or a video to download a payload or execute a program.
The first kind are, for me, the real hackers: they have knowledge and know where weaknesses are. The second group are not real hackers, as they use social engineering to get in. They let the user execute and gain access to data that way, without having to search for weaknesses at all. This last group is, however, more dangerous than the first one, as these are criminals trying to hijack your data and make you pay.
In my presentation I showed the social engineering hack live on stage. A good friend of mine, who shares a deep interest in both good liquor and security, performed the hack. He is more into hacking than I am. (He forgot to put his hoodie on – hackers have a hoodie, right?) What we showed in the demo was the functionality of Microsoft Office to integrate with other programs. This is a nice feature for users, as it allows you to integrate e.g. Excel sheets in Microsoft Word. It also allows you to open PowerShell or anything else from Microsoft Word. From a Kali machine a listener was opened, and once the user opened the Word document it took 2 minutes to be SYSTEM.
We use it when we get a desktop at a customer with no Internet Explorer. From Microsoft Word we browse to a webpage, because once we click the link it will open Internet Explorer whether it is visible to me or not. Only if they explicitly denied me access will I be unable to access it.
Our workspace is under attack 24/7. In the session I discussed why we need security, but I think that goes without saying. Our workspace is a chess board with the criminals who are after your data on one side. In the world of virus scanners and firewalls we used to react to their move. They move a rook, you update the AV pattern. They move their queen, you close a firewall port, and so on. Always one step behind, chasing bad. Chasing bad will tire you pretty fast, and you know that one moment of inadvertence could lead to data being stolen.
The chess board got more complex when one more party became a player: the law. Several laws are in effect guarding our data, pushing you to do even more. We already have data protection laws in place; read my previous blog about Windows 10 telemetry – Data protection laws in action, Microsoft breaches law with Windows 10. In a few months a new European law will be in effect, the General Data Protection Regulation. It is designed (whether you like it or not) to protect all our privacy data. You as an individual should be the owner of your data. Your data is everything any processor or holder of data is storing about you. You have the right to be forgotten or to know what they do with your data.
These laws have a direct impact on your workspace, as besides defending against hackers you now need to comply with the laws. They state that you need to show that you guard the data as safely as possible. You need to report when a breach has occurred, and not after 200 days. Also, you need to show what you did to prevent it and what you do to monitor and protect. You can’t get away with “I don’t know and I don’t care”. The fines for breaking it are interesting, so better get your act together.
Chasing bad versus ensuring good
For years we have been chasing bad instead of ensuring good. At VMworld, with the presentation of AppDefense, this was an analogy that was used, and I think it works.
Chasing bad is like the morning-after pill: solving something after it has happened (trying to be safe here in my wording). That’s what the morning-after pill is doing and that is what antivirus has been doing. Antivirus works with definition files and scanning patterns. Definition files are always old; the new viruses are not in there, because they are new. If you’re not the first one to get hit, you might be lucky enough that the file was updated. If not, the virus is in and you need to find a solution to clean it up. Patterns being scanned are easily worked around: adding trash in the code of a payload confuses virus scanners. I’ve done that to test, and the detection rate drops from e.g. 30/60 to 5/60 scanners detecting the virus.
The most effective way of protecting would be to ensure good. At VMworld, with AppDefense, this was presented as taking e.g. a picture of a virtual machine. With that picture you know the good status of the machine. Everything outside that frame is marked bad; any anomaly found is something to act on. AppDefense works together with VMware NSX, so once an anomaly is found it could isolate the machine.
From a workspace perspective this might be too difficult an approach; it’s more of a server kind of thing. In a workspace the picture would have to be taken over and over again: users work, things change. In a workspace we would rather look at a User Environment Management solution. I’ll go deeper on that in a next blog.
Ensuring good in a workspace would come down to:
- Whitelisting applications
- Opening only those firewall ports that are needed instead of every single one.
- Redirecting non-user file type associations (FTAs) to Notepad
- Using context awareness to allow access on a need-to-have basis.
Ensuring good works because if you ensure that certain applications start in a specific context, you don’t have to go chase bad. Everything outside the good perimeter is bad by default. Ensuring good will save you work in the long term. It will need some setup and time to design, but it will help you in the long run for sure.
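The FTA item from the list above, as an added example that is not part of the original post: a PowerShell audit of the machine-wide handlers for script file types, with an optional redirect to Notepad. The extension list and both function names are assumptions, and the script only looks at the `open` verb under HKLM, so a per-user choice can still override it.

```powershell
# Added example, not the author's code. Assumption: these script extensions are
# the "non-user" file types; adjust the list to your own environment.
$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta'
$NotepadCommand   = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot
$Classes          = 'HKLM:\SOFTWARE\Classes'

function Get-FtaHandler {                 # hypothetical helper name
    param([string]$Extension)
    # The default value of the extension key names the ProgID (e.g. JSFile).
    $progId = (Get-ItemProperty -Path "$Classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return }          # extension not registered machine-wide
    $cmdKey  = "$Classes\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Extension      = $Extension
        ProgId         = $progId
        CommandKey     = $cmdKey
        Command        = $command
        OpensInNotepad = ($command -match 'notepad\.exe')
    }
}

function Set-FtaToNotepad {               # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Handler)
    process {
        if ($Handler.OpensInNotepad) { return }   # already redirected
        if ($PSCmdlet.ShouldProcess($Handler.CommandKey, 'Set open command to Notepad')) {
            Set-ItemProperty -Path $Handler.CommandKey -Name '(default)' -Value $NotepadCommand
        }
    }
}

# Audit first: which script types would still run in a script host on double-click?
$report = $ScriptExtensions | ForEach-Object { Get-FtaHandler $_ }
$report | Format-Table Extension, ProgId, OpensInNotepad, Command -AutoSize

# Preview the change; remove -WhatIf and run elevated to apply it.
$report | Set-FtaToNotepad -WhatIf
```

Scripts that administrators still need can be started explicitly through their script host, since only the double-click handler changes.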
If you look to your left and to your right you’ll see several of the best monitoring vendors in the market. All of them are able to monitor for security events in your logs. I will go deeper on this in a next blog, but the Windows Event Viewer for one is full of warning signals. By default the Event Viewer logs only store a small time frame of events, enough for events happening right now. For security-related events, think about the law and what it wants you to do: that isn’t enough. You need to make sure you have at least two weeks of visibility.
Some logs are not even enabled; the Task Scheduler log is not enabled by default. This is a major flaw in Windows and one you should correct. You need to see whether tasks are created or altered in order to detect intrusion or attempts at it. The same goes for auditing several parts of the profile folder to see changes there. With a monitoring tool (again, look left and right) you can create a very effective dashboard that keeps an eye on your most valuable systems. Without information we run blind, remember that. You don’t want to end up in the headlines, and if you do, only with the title – They stopped them dead in their tracks.
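One way to check the two points above on a single machine, as an added example that is not part of the original post: it reports how many days each log actually covers, enables the Task Scheduler operational log and lists task changes. The log list, the 128 MB size and the function names are assumptions; the 14-day target is the two weeks mentioned above.

```powershell
# Added example, not the author's code. Run in an elevated PowerShell session.
$TargetDays = 14                                   # "at least two weeks of visibility"
$TaskLog    = 'Microsoft-Windows-TaskScheduler/Operational'
$Logs       = 'Security', 'System', 'Application', $TaskLog   # assumed selection

function Get-LogCoverage {                         # hypothetical helper name
    param([string[]]$LogName, [int]$TargetDays)
    foreach ($name in $LogName) {
        $cfg    = Get-WinEvent -ListLog $name -ErrorAction Stop
        $oldest = $null
        if ($cfg.IsEnabled -and $cfg.RecordCount -gt 0) {
            # The oldest record still present shows how far back the log reaches.
            $oldest = (Get-WinEvent -LogName $name -Oldest -MaxEvents 1).TimeCreated
        }
        $days = if ($oldest) { [math]::Round(((Get-Date) - $oldest).TotalDays, 1) } else { 0 }
        [pscustomobject]@{
            Log         = $name
            Enabled     = $cfg.IsEnabled
            MaxSizeMB   = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
            DaysCovered = $days        # also low on a freshly installed or cleared log
            MeetsTarget = ($cfg.IsEnabled -and $days -ge $TargetDays)
        }
    }
}

function Enable-LogChannel {                       # hypothetical helper name
    param([string]$LogName, [long]$MinSizeBytes)
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $cfg.IsEnabled = $true
    if ($cfg.MaximumSizeInBytes -lt $MinSizeBytes) { $cfg.MaximumSizeInBytes = $MinSizeBytes }
    $cfg.SaveChanges()                             # persists the channel configuration
}

Get-LogCoverage -LogName $Logs -TargetDays $TargetDays | Format-Table -AutoSize

# Turn the Task Scheduler log on and give it room (128 MB is an assumed value).
Enable-LogChannel -LogName $TaskLog -MinSizeBytes 128MB

# Task registered (106), updated (140) and deleted (141) within the target window.
Get-WinEvent -FilterHashtable @{
    LogName   = $TaskLog
    Id        = 106, 140, 141
    StartTime = (Get-Date).AddDays(-$TargetDays)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A log that fails the target needs a larger maximum size or forwarding to a central collector, because a bigger file only extends coverage as far as the event volume allows.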
This blog was a long introduction to the next ones, in which I will show the use of User Environment Management and how it can be used to protect your workspace. In this part I discussed the workspace, why we need security and how the discussion between chasing bad and ensuring good is going. The next blogs will be about User Environment Management, monitoring and the laws we’re dealing with.