Windows 10 Security Mitigations When You Can’t Apply Cumulative Updates


The introduction of Windows 10 cumulative updates will force enterprises to make a difficult choice: security or availability. Security, in the sense of eliminating the risk of known vulnerabilities through patching; availability, in the sense of an application or Windows 10 feature that only works when an update isn’t applied. Enterprises will need to plan for Windows 10 security mitigations when applying cumulative updates isn’t an option.

Bad Patches

Bad patches are like any other software bugs: they happen. In speaking with many of our customers, we hear about them experiencing bad Windows patches a few times a year. When these patches are applied they break functionality in Windows or 3rd party applications. Sometimes Microsoft needs to fix something, sometimes a 3rd party vendor (see Windows 10 Cumulative Updates Overview for an example with Citrix XenDesktop). In the past, the solution was fairly straightforward: don’t apply the bad patch, address the security risk of the vulnerabilities in that patch, wait for a fixed patch or updated 3rd party software to be released, apply the improved patch or software, and move forward.

Windows 10 Security Mitigations

With cumulative updates, selectively applying patches is over. Rather than fretting over the situation, there are a number of mitigations that can be applied in place of the update when issues arise. In April 2014, Gartner’s Neil MacDonald wrote a report, Best Practices for Secure Use of Windows XP After Support Ends, to address the problem of not being able to patch vulnerabilities that would continue to be found. Many of these practices can be used with Windows 10 in situations where a patch breaks functionality. These practices can also be used persistently, but are often seen as too restrictive. Consider these approaches as part of a flexible security strategy that goes along with your patch management program. I will highlight a few of the practices in that report that can be addressed with LANDESK solutions.

Restrict Network Connectivity to the Minimum Possible

This can be challenging for many client systems, but easier to achieve with fixed function devices like kiosks or POS systems. LANDESK Security Suite can limit network connectivity through Windows firewall management or the LANDESK firewall.

Whitelisting

Whitelisting is a very effective method of securing a system, as it stops unauthorized applications from running. LANDESK Security Suite and our recently acquired AppSense Application Manager both provide industry-leading whitelisting, with plans to blend both capabilities in future product releases.

Remove Administrative Rights

Many Microsoft vulnerabilities can be mitigated if the user does not run with an administrator account. Removing administrative rights is easy, but the limitations that follow from such an action often stop organizations from taking this step. Privilege management software, including AppSense Application Manager, can be used to grant privileges to the applications that need them so users can work with non-administrative accounts. Conversely, privilege management software can also be used to remove administrative rights from an application that is vulnerable and cannot be patched.

Address the Most Common Attack Vectors — Web Browsing and Email

There are a number of things that go into securing web browsing and email. Neil mentions the following controls:

  • Patch Management: As discussed in my previous article, 3rd party patch management is a strength of LANDESK Patch Manager
  • Containerization: there are a number of solutions that use isolation technology to sandbox applications, including our partner Bufferzone. With these solutions, attacks are contained to that application and unable to spread to the operating system or other applications.

Keep the Rest of the Software Stack Updated Where Possible, Including Office

Can I get one more amen for patch management? Enough said.

Use an IPS to Shield Systems from Attack

LANDESK Security Suite includes a Host Intrusion Prevention component to address behavior-based attacks and apply file protection rules. In addition, LANDESK Antivirus brings an industry-leading antimalware engine.

Disable USB Ports and CD/DVD Drives

Malware is often introduced through removable media. LANDESK Security Suite provides device control to disable external media devices, make them read-only, and/or shadow copy files that move across those devices.

Key Takeaways

Here are some points to remember and share:

  • Expect Windows 10 cumulative updates to occasionally break features or 3rd party applications
  • Selective application of patches is no longer an option with Windows 10
  • Build out a strategy of security mitigations when applying the cumulative update isn’t feasible

The article marks a stopping point for this series. There will likely be updates and changes to this conversation as new branch upgrades are released, but this gives you a solid foundation. Hopefully this series has been helpful and I wish you great success with Managing Windows 10 updates.

Managing Windows 10 Branch Upgrades with LANDESK Part 2


In the previous article, I explored the first part of how LANDESK can help with Windows 10 branch upgrades through pre-upgrade education and communications. In this second part, I will discuss how LANDESK solutions manage Windows 10 branch upgrades through solution preparation, rollout, and issue management.

Solution Preparation

  • Upgrade Readiness: The large size of branch upgrades elevates the need to monitor free disk space. Using LANDESK Management Suite’s inventory capabilities, one can periodically review a report to see who is running out of space.

[Screenshot: Free Disk Space report]

If a manual report is a hassle, alerts can also be generated to automatically prompt for action.

[Screenshot: Free Disk Space Alerts]

  • Targeting: LANDESK Patch Manager will inventory hardware, software, branch types (Current Branch or Current Branch for Business), and Active Directory users and groups to use in targeting of branch upgrades. This targeting becomes particularly valuable when used for staged rollouts (see more in next section).
  • Distribution: With the need to push large upgrade files, a robust software distribution capability is a must. LANDESK Patch Manager has numerous capabilities for distributing branch upgrades efficiently across your network including:
    • Targeted multicasting
    • Peer-to-peer downloading
    • Bandwidth throttling
    • Distribution servers
    • Checkpoint restart
  • Off-Network Systems: How many of your enterprise clients are off the corporate network at any given time? With so many employees who work remotely or travel, the LANDESK Cloud Services Appliance enables management of systems without a VPN. Using a virtual or physical appliance, the Cloud Services Appliance can enable branch upgrades to occur anywhere.

Upgrade Rollout with LANDESK Patch Manager

Having a methodical rollout process is critical in large enterprises. The version 2016 release of LANDESK Patch Manager includes a new capability, Rollout Projects, for systematically rolling out patches or branch upgrades. Rollout Projects is ideal for automating the deployment and execution of branch upgrades to specific groups of computers in a specific order.

[Screenshot: LANDESK Patch Manager Rollout Projects]

As part of the automation, each step can have exit criteria before moving on. Such exit criteria include:

  • Minimum success rate of systems upgraded
  • Minimum duration of executing that step to give time to identify potential issues
  • Email approval if you need manual change control to proceed

These exit criteria enable the complex process of rolling out branch upgrades to proceed automatically, but with controls to prevent issues from spreading to the next phase.
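The gating logic described above, written out as an added Python example so the three exit criteria can be seen working together. This is illustrative code written for this page, not LANDESK Patch Manager’s implementation; the phase names, thresholds, dates and counts are constructed, and the success rate counts systems that have not yet reported as not yet successful.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExitCriteria:
    min_success_rate: float          # fraction of targeted systems that must have upgraded cleanly
    min_duration: timedelta          # soak time before the next phase may begin
    requires_approval: bool = False  # manual change-control sign-off (the post's e-mail approval)


@dataclass
class PhaseStatus:
    started_at: datetime
    targeted: int            # systems in this phase
    succeeded: int           # upgraded and reported back healthy
    failed: int              # upgrade failed or was rolled back
    approved: bool = False   # set when the change-control approver signs off

    @property
    def success_rate(self) -> float:
        # Pending systems count against the rate: a phase is not done until they report in.
        return self.succeeded / self.targeted if self.targeted else 0.0


@dataclass(frozen=True)
class Phase:
    name: str
    criteria: ExitCriteria


def blockers(criteria: ExitCriteria, status: PhaseStatus, now: datetime) -> list[str]:
    """Every exit criterion not yet satisfied; an empty list means the phase may close."""
    reasons = []
    if status.success_rate < criteria.min_success_rate:
        reasons.append(f"success rate {status.success_rate:.0%} below required {criteria.min_success_rate:.0%}")
    if now - status.started_at < criteria.min_duration:
        reasons.append(f"minimum duration {criteria.min_duration} not yet elapsed")
    if criteria.requires_approval and not status.approved:
        reasons.append("awaiting change-control approval")
    return reasons


def current_phase(phases: list[Phase], statuses: dict[str, PhaseStatus], now: datetime) -> tuple[str, list[str]]:
    """Walk the phases in order and stop at the first that has not started or is still gated."""
    for phase in phases:
        status = statuses.get(phase.name)
        if status is None:
            return phase.name, ["not started"]
        reasons = blockers(phase.criteria, status, now)
        if reasons:
            return phase.name, reasons
    return "complete", []


# Constructed rollout: a small pilot with strict gates, then the broad population.
PHASES = [
    Phase("pilot", ExitCriteria(min_success_rate=0.95, min_duration=timedelta(days=3), requires_approval=True)),
    Phase("broad", ExitCriteria(min_success_rate=0.90, min_duration=timedelta(days=1))),
]
START = datetime(2016, 9, 1, 8, 0)


def day_one_view() -> tuple[str, list[str]]:
    """Pilot one day in: 90 of 100 done, no sign-off yet, so all three criteria block."""
    statuses = {"pilot": PhaseStatus(START, targeted=100, succeeded=90, failed=4)}
    return current_phase(PHASES, statuses, START + timedelta(days=1))


def day_three_view() -> tuple[str, list[str]]:
    """Pilot after three days with 96 successes and approval: the gate opens and 'broad' is next."""
    statuses = {"pilot": PhaseStatus(START, targeted=100, succeeded=96, failed=4, approved=True)}
    return current_phase(PHASES, statuses, START + timedelta(days=3))


if __name__ == "__main__":
    for view in (day_one_view, day_three_view):
        phase, reasons = view()
        print(f"{view.__name__}: next phase = {phase}; blockers = {reasons or 'none'}")
```

The point of evaluating all three criteria together rather than short-circuiting on the first is that the operator sees everything still holding the phase back; a high failure count that also depresses the success rate is then visible before the soak timer expires rather than after.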

Issue Management

Addressing service issues related to branch upgrades can be achieved with LANDESK Service Desk where incidents can be tracked, problems managed, and service levels measured. Unlike most service management tools, Service Desk’s integration with LANDESK Management Suite enables service management to include taking actions such as remote assistance when users need help with upgrade issues, system reimaging when upgrades go bad, or software upgrades to maintain compatibility with branch upgrades. This combination of capabilities comes together in LANDESK Workspaces for the IT Analyst where a user and their devices can be found and actions applied such as remote control or installation of software.

[Screenshot: LANDESK Workspace - End User Assistance]

Key Takeaways

As usual here are some key points to remember:

  • Windows 10 branch upgrades are complex and LANDESK helps automate this process
  • LANDESK Service Desk gives end to end service management before, during, and after the upgrades
  • LANDESK Patch Manager automates phased upgrades with network-sensitive distribution and intelligent targeting
  • LANDESK Management Suite helps prepare for upgrades and address issues should they arise

This concludes the discussion on branch upgrades. I will next proceed with a series of articles on patching in Windows 10.

September 2016 Patch Tuesday

Here is the analysis for this month’s Patch Tuesday from Chris Goettl of our Shavlik team:

This September 2016 Patch Tuesday will be the final Patch Tuesday on the old servicing model. Starting in October Microsoft has announced a change to the servicing models for all pre-Windows 10 operating systems. I have had a number of questions from customers, partners, other vendors and companies I have spoken to since the announcement. My advice remains the same, which I describe in this post.  This change will require all of us to make some adjustments, and application compatibility and the risks associated with exceptions are the areas that will be most impacted.

I went through an exercise earlier today to show what I mean.

If you look at the average bulletin and vulnerability counts for each Patch Tuesday this year we are averaging about three CVEs per bulletin. Given the explanation from Microsoft’s blog post I revisited each Patch Tuesday for 2016 and refigured the total bulletin count we would have seen in under the new model and the average CVEs per bulletin changes to around 12 CVEs per bulletin.

The bottom line here is exceptions due to application compatibility issues will become more compounded from a risk perspective. Companies will have to do more rigorous application compatibility testing to ensure things don’t break when these larger bundled security updates are pushed to systems. If there is a conflict, vendors that conflict with the updates are going to be under more pressure to resolve issues. Where companies may have accepted an exception for one or two vulnerabilities, an exception that causes 20 vulnerabilities to go unpatched will have a very different reaction.

Next month as we investigate the October Patch Tuesday release we will have more details, and will discuss the realities of the new servicing model in our monthly Patch Tuesday webinar, so plan to join us for that.

My forecast for this Patch Tuesday was pretty close. There’s the Flash Player update and 14 bulletins from Microsoft. Microsoft’s 14 bulletins include seven critical and seven important updates resolving a total of 50 unique vulnerabilities, including an IE zero day (CVE-2016-3351) and a public disclosure (CVE-2016-3352).

Adobe released a total of three bulletins, but only Flash Player was rated as critical or priority 1 in Adobe severity terms. This update resolves 29 vulnerabilities. The other two Adobe bulletins resolve nine vulnerabilities, but both are rated Priority 3, which is the lowest rating Adobe includes for security updates.

As I mentioned last week, Google also recently released a Chrome update, so be sure to include this browser update in your monthly patch maintenance as it includes additional security fixes.

Digging in a layer deeper on higher priority updates:

MS16-104 is a critical update for Internet Explorer that resolves 10 vulnerabilities, including a zero day exploit (CVE-2016-3351), making this a top priority this month. This bulletin includes vulnerabilities that target end users. The impact of several of the vulnerabilities can be mitigated by proper privilege management, meaning if the user exploited is a full user, the attacker also has full rights. If the user is less than a full user, then the attacker must find additional means to elevate privileges to exploit the system further.

MS16-105 is a critical update for the Edge browser that resolves 12 vulnerabilities. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-106 is a critical update for Windows Graphics that resolves five vulnerabilities. GDI patches often impact more than just the Windows OS, as GDI is a common component used across many Microsoft products. This month it appears the GDI update is only at the OS level, which I believe was a first this year.

MS16-107 is a critical update for Office and SharePoint which resolves 13 vulnerabilities. Now when I say this affects Office and SharePoint, I mean ALL variations — all versions of Office, Office Viewers, SharePoint versions including SharePoint 2007. You may see this show up on machines more than once depending on what products and viewers are on each system. This bulletin includes vulnerabilities that target end users, and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-108 is a critical update for Exchange Server that resolves three vulnerabilities. In reality, this update addresses more, as it includes the Oracle Outside In libraries, which released an update in July. This adds 18 additional vulnerabilities to the resolved vulnerability count for this bulletin. This bulletin does include a user targeted vulnerability. An attacker could send a link that has a specially crafted URL which would allow redirection of an authenticated Exchange user to a malicious site designed to impersonate a legitimate website.

MS16-110 is an important update resolving four vulnerabilities. Now, you may be asking, why include this one important update in the high priority updates for this month? Well, that is because of CVE-2016-3352, which was publicly disclosed. This means enough information was disclosed before the update was released, giving attackers a head start on building exploits. This puts this bulletin into a higher priority, as it stands a higher chance of being exploited. The vulnerability is a flaw in NTLM SSO requests during MSA login sessions. An attacker who exploits this could attempt to brute force a user’s NTLM password hash.

MS16-116 is a critical update in VBScript Scripting Engine that resolves one vulnerability. This update must be installed along with the IE update MS16-104 to be fully resolved. This bulletin includes vulnerabilities that target end users and the impact of several of the vulnerabilities can be mitigated by proper privilege management.

MS16-117 is a critical update for Adobe Flash Player plug-in for Internet Explorer. This bulletin resolves 29 vulnerabilities, several of which do target a user.

APSB16-29 is a priority 1 update for Adobe Flash Player that resolves 29 vulnerabilities. With Flash Player updates you will typically have two to four updates to apply to each system: Flash Player and the plug-ins for IE, Chrome, and Firefox.

For more in depth analysis and conversation regarding this Patch Tuesday, join us for the Shavlik Patch Tuesday Webinar tomorrow morning.

Originally published at http://blog.shavlik.com/september-patch-tuesday-2016/

Deodorize Your IT Security With These Hygiene Basics

I recently studied the John Pescatore-authored SANS white paper entitled “Improving Application and Privilege Management: Critical Security Controls Update.” It’s an informative paper highly worth reading and you can download it below.

On page four of the paper Pescatore states:

“For many years, real-world experience and studies such as the Verizon DBIR have been finding that the majority of attacks are enabled by failures in basic security hygiene: the failure by businesses and government agencies to focus on the security basics that raise the highest barriers against real-world attacks.”

I have to confess that the word “hygiene” frequently sparks two memories for me—the first one not so pleasant and the second downright hilarious:

  1. I’m one week into junior high gym class, standing in single file with 30 other naked 7th-grade boys near the locker room’s shower area, waiting to exchange my used towel for a clean one. Enough said.
  2. The Cosmo Kramer character in the Seinfeld sitcom is trying to shorten his daily shower time. He boasts to his friend Jerry that he’s down to 27 minutes, only to discover soap suds behind his ears and dripping out his trouser bottoms. “I’m all lathery,” he exclaims. Determined to learn new skills, the fully clothed Kramer observes guys showering at the YMCA and busily jots down notes. He ends up with a black eye.

The Basics of Security Hygiene: The SANS “First Five”

In Pescatore’s white paper he talks about Version 6.0 of the Center for Internet Security’s (CIS) Critical Security Controls. It’s a prioritized list of 20 controls that, “when implemented well, have proved effective in blocking most advanced target threats and supporting faster detection and resolution of those that do get through initial defenses.”

The net result of Version 6.0 was to increase the emphasis on a few control areas that have proved immediately effective against real-world attacks and save organizations a few figurative black eyes. “A subset of the highest priority controls within the CIS Controls provides ‘quick wins,’ with immediate risk reduction against advanced target threats,” Pescatore says.

SANS has listed five controls that deliver the highest payback in reducing risk from advanced targeted attacks:

  1. Software whitelisting
  2. Secure standard configurations
  3. Application security patching
  4. System security patching
  5. Minimization of administrative privileges

Solutions to Help You Implement Security Controls

Let’s consider the second of the five controls, “Secure standard configurations,” and how LANDESK and AppSense solutions can help.

First off, LANDESK Management Suite smooths the custom deployment of images while LANDESK Security Suite enables you to audit and implement specific security configurations.

LANDESK enables you to create provisioning templates to integrate all of your upgrade processes, including communications with users, moving user profiles, and standardizing Windows and Mac OS images. LANDESK uses hardware-independent imaging to configure machines quickly with the appropriate drivers. With AppSense also included as part of the build, workstation and server images are protected from unauthorized changes to prevent image sprawl.

The LANDESK core server uses distribution package hashes to verify distribution packages in scheduled tasks. What’s more, LANDESK enables you to control devices remotely from any HTML5 browser with secure, browser-based access.

The LANDESK directory monitoring capabilities enable you to specify folders to be monitored for file addition, deletion, and modification. AppSense is able to enforce digital signature checks on executables as they launch if required. By using SHA1, SHA256, or ADLER32, AppSense can ensure that only executables that match can run. When using AppSense for whitelisting, AppSense also monitors any file rename or overwrite in addition to monitoring the ownership properties of a file.
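To make the hash-based check concrete, here is an added Python example of an allowlist that enrolls executables by content digest using the three algorithms named above (SHA1, SHA256, ADLER32) and decides at launch time whether a file may run. This is illustrative code written for this page, not AppSense’s implementation; the "executable" byte strings and paths are constructed. It also shows why the rename and overwrite monitoring mentioned above matters less for a content-keyed list than for a path-keyed one: a renamed trusted binary still matches, while a file overwritten at a trusted path no longer does.

```python
from __future__ import annotations

import hashlib
import zlib

# Constructed stand-ins for executable contents; at launch time these would be the bytes read from disk.
TRUSTED_APP = b"MZ\x90\x00 constructed trusted application image"
TAMPERED_APP = b"MZ\x90\x00 constructed trusted application image, patched by an attacker"


def file_digest(data: bytes, algorithm: str) -> str:
    """Digest of a file's content using one of the three algorithms the post names."""
    if algorithm == "adler32":
        # Adler-32 is a 32-bit checksum, not a cryptographic hash: it catches accidental
        # corruption, but collisions are cheap to construct, so prefer SHA-256 for allowlisting.
        return format(zlib.adler32(data) & 0xFFFFFFFF, "08x")
    if algorithm in ("sha1", "sha256"):
        return hashlib.new(algorithm, data).hexdigest()
    raise ValueError(f"unsupported algorithm: {algorithm}")


def build_allowlist(trusted: list[bytes], algorithm: str = "sha256") -> set[tuple[str, str]]:
    """Enroll known-good binaries by content digest, not by path or file name."""
    return {(algorithm, file_digest(data, algorithm)) for data in trusted}


def is_allowed(data: bytes, allowlist: set[tuple[str, str]]) -> bool:
    """Launch-time check: the file may run only if its digest is enrolled."""
    return any(file_digest(data, algorithm) == digest for algorithm, digest in allowlist)


def launch_decisions(allowlist: set[tuple[str, str]], candidates: dict[str, bytes]) -> dict[str, str]:
    """Decide 'allow' or 'block' per path. Keying on content rather than location means a renamed
    copy of a trusted binary still runs, while a file overwritten at a trusted path is blocked."""
    return {path: ("allow" if is_allowed(data, allowlist) else "block")
            for path, data in candidates.items()}


if __name__ == "__main__":
    allowlist = build_allowlist([TRUSTED_APP])
    decisions = launch_decisions(allowlist, {
        r"C:\Program Files\App\app.exe": TRUSTED_APP,                      # enrolled binary in place
        r"C:\Users\Public\renamed.exe": TRUSTED_APP,                       # renamed copy: same content, allowed
        r"C:\Program Files\App\app.exe (after overwrite)": TAMPERED_APP,   # overwritten at a trusted path: blocked
    })
    for path, verdict in decisions.items():
        print(f"{verdict:5} {path}")
```

Enrolling on SHA-256 rather than SHA-1 or Adler-32 is the sensible default: the allowlist only protects against substitution if an attacker cannot produce a different file with the same digest, and of the three only SHA-256 offers that guarantee today.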

AppSense enables you to set up a corporate desktop environment and specify what users have access to, how they access it, and what they can do with it. Policy settings are decoupled from the corporate desktop and managed independently, increasing your ability to deliver efficient service to the business, minimize desktop management costs, and ensure users remain compliant with policies.

LANDESK enables you to bundle multiple applications and deploy them anywhere by targeting users and distributing software to their devices. A built-in Gantt chart allows you to monitor progress and provide automated updates to stakeholders.


On March 14, 2016,  LANDESK acquired AppSense, the leading provider of secure user environment management solutions. Check the AppSense section of the blog for all of our AppSense-related content.

Hitler Ransomware: How Low (and How Lame) Can They Go?

The short answer to this question is pretty low and very lame.

Hitler ransomware, targeting Windows computers, was recently discovered and presents two newer angles to ransomware: an offensive presentation and the ability to destroy files without using encryption (ransom scams).

Offensive, fear-based presentation

Part of ransomware’s power is the ability it has to instigate fear in the user. Namely, the fear of losing personally valuable files. Anything that can exacerbate that fear–such as an offensive image–will trigger an even stronger primal response to protect at all costs (literally). This is the reaction that malicious developers are seeking.

As noted in an article on Hitler ransomware by Bleeping Computer, one of the elements that gives this variant of ransomware its name is the lock screen with a picture of Adolf Hitler.

He is giving his militaristic salute followed by a message that files have been encrypted and then demanding payment in the form of a Vodafone card.

Using universally-offensive imagery of a historical figure creates an immediate negative reaction in the user. This fear-based reaction, compounded by the ransom demand, is more likely to trigger irrational responses that lead to higher payments.

Crash and delete instead of encryption

The second element of this ransomware is an action other than encryption of files.

Hitler ransomware developers were either too lazy or too inept to develop encryption capabilities, so they simply decided to crash infected computers and, upon reboot, delete files.

The command used with this ransomware (del *.* /s /q) unfortunately doesn’t put files into the Recycle Bin, but a positive note is that there are many utilities available for recovering deleted files.

Key takeaways

Here are a few things to learn from this offensive ransomware:

  1. Implement some best practices, such as those in our article Everything You Need to Know to Prevent Ransomware, to prevent ransomware from affecting you.
  2. Use good Internet hygiene when it comes to opening attachments in email or browsing websites.
  3. If you or your business gets hit by ransomware, take a deep breath and don’t emotionally respond. Remember that fear is a tool that is used by ransomware authors.
  4. Not all files are permanently lost. In the case of Hitler ransomware, a file recovery tool may be able to help. Some ransomware has been cracked and there are utilities for decrypting files. Do some research or get an expert to help see if your data is recoverable.

Be safe out there and be sure to get your free copy of our white paper on how to protect against ransomware below.


The Latest Shocking Ransomware Statistics and What You Need to Do

This past Wednesday, LANDESK hosted a webinar entitled “Ransomware: The NSA’s Top 10 Mitigation Strategies (and More).”

On that same day, ZDNet published an article that includes some fascinating—and frightening—findings from a recent survey of 540 CIOs, CISOs, and IT directors conducted by anti-malware specialists Malwarebytes.

Recent ransomware findings:

  • 40 percent of the businesses surveyed have suffered at least one ransomware attack in the past year.
  • 20 percent of the businesses surveyed “have had to stop operations entirely in the aftermath of a successful data breach.”
  • 34 percent of those businesses lost revenue as a result of ransomware attacks.
  • 60 percent of enterprise ransomware attacks each demanded a ransom of more than $1,000, and 20 percent demanded more than $10,000 each. Some ransom demands reported by survey respondents exceeded $150,000.
  • 63 percent of respondents said it took more than a full business day to install patches and “fix vulnerable endpoints” after a successful attack.

Perhaps most disturbingly, according to Malwarebytes, is that the number of exploit kits including instances of ransomware has increased by 259 percent in the past five months alone. And since exploit kits are designed to make hacking and malware delivery faster and easier, the number and severity of ransomware attacks are both likely headed in the same direction: up.

Given all of the above, it might be timely to assess your own enterprise’s preparedness to deal with ransomware. Fortunately for you, we’re here to help.

In our August 3 webinar, our Chief Security Officer Phil Richards summarized the findings and recommendations included in documents recently released by the U.S. National Security Agency (NSA), independently and in concert with more than a dozen other agencies.

He broke those findings and recommendations into six key areas. Here they are, ranked in order of importance based on poll question responses from webinar attendees.

Key recommendations:

  1. User education
  2. Data backup
  3. Network hardening
  4. Email hygiene
  5. System hardening
  6. Incident response

As Phil provided details about why each area is important and how best to implement it, I asked webinar attendees to indicate the implementation status of each at their own organizations. For each area, respondents were given four choices: comprehensive, extensive, limited, or none.

Here’s how the responses played out:

Category Comprehensive Extensive Limited None
User education 23% 18% 32% 27%
Data backup 45% 45% 9% 0%
Network hardening 32% 26% 37% 5%
Email hygiene 17% 56% 22% 6%
System hardening 26% 58% 11% 5%
Incident response 16% 32% 42% 11%

Respondents ranked user education as the most important of the six areas. However, more than a quarter of them said that their organizations have no formal user education processes or requirements in place.

This may explain why 52 percent of them said that user education is the anti-ransomware effort they expect to pursue most aggressively in the next six to 12 months.

In contrast, only four percent of respondents plan to pursue incident response most aggressively during the same period.

Given that 53 percent have only limited or no formal incident response processes in place across their enterprises, this could come back to haunt some of them should they experience a ransomware- or malware-driven incident.

If poll respondents from our webinar are indicative, ransomware priorities and preparations are all over the map for many enterprises. Possibly including your own, unless you already have or are moving toward comprehensive implementations across all six areas discussed above and in our webinar.

Otherwise, you should grab the on-demand version of our webinar to get Phil’s detailed and cogent implementation recommendations.

More ransomware resources

You should also definitely check out my colleague Eran Livne’s magnum opus, Everything You Need to Know to Prevent Ransomware, and some of the other blog posts we’ve produced on the subject.

And if you aren’t already using LANDESK Security Suite, AppSense Application Manager, or any of our other solutions for stopping ransomware and other threats in their tracks, you should at least be considering them. Contact your LANDESK or AppSense representative, or visit the product pages online to learn more or to request trials or demos. And come back here often to see our latest thinking and recommendations.

Ransomware is a real and growing threat, and we’re here to help you to avoid becoming its next victim.


The Methods Behind the Ransomware Madness and How to Prevent an Attack

The majority of ransomware attacks today are infecting users’ machines using two main methods.

In this post, I will describe these two methods, as well as provide actionable tips on how to reduce the risk of these types of ransomware infecting your end users.

Distribution Method 1: Ransomware as an Attachment

Cybercriminals are using social engineering to trick users into opening attachments that are embedded into seemingly convincing and legitimate-looking emails.

In some cases, the attachment is the ransomware itself (i.e., running it will run the ransomware code), but since ransomware is just an executable, security solutions have a good chance of catching the ransomware and preventing it from running.

For this reason, many types of ransomware use different attachments, not pure executables, to trick users into opening them.

The common attachment type, until recently, was Microsoft documents. Specifically, cybercriminals were utilizing Microsoft macro capabilities to download the ransomware executable and run it on the victim’s machine.

This poses two challenges for them:

  1. First, they need to convince the user to open the document.
  2. Second, since Microsoft Office by default requires the user to approve running a macro, the user has to be tricked into enabling macros for the document.

Both are accomplished by different tactics, and one example is described here. However, even without reading the blog, the screenshot below provides a simple example:

[Screenshot: example of a document lure asking the user to enable macros]

Once the user enables macros, the macro will download the ransomware code and execute it in the background–effectively encrypting the victim’s files.

Warding off Ransomware as an Attachment

Tip 1: Protect against ransomware that uses Microsoft macros to download its payload by disabling macros on end users’ machines. This prevents users from running the macro and, as a result, the ransomware cannot be unleashed. LANDESK Security Suite provides an automated method for disabling macros on all endpoints, all of which can be done remotely from a central console.

As tricking users into running macros can be a bit challenging, cybercriminals have shifted their attention to a different kind of attachment: JavaScript-based ones.

In most cases, the attachment will actually be a ZIP file which contains the malicious JavaScript code. Users are tricked into opening (unzipping) the ZIP file and executing the JavaScript (.js) file inside it.

By default, Windows runs a .js file from disk using the Windows Script Host (wscript.exe). Note that in this case the JavaScript is not executed inside a web browser and its sandbox; it runs as a local script with the user’s privileges. The JavaScript code will download the ransomware code and execute it.

Tip 2: Protect against ransomware that uses JavaScript by preventing Windows from running the JavaScript code, so users cannot launch the malicious script. This can also be done using LANDESK Security Suite, which allows you to define rules that prevent wscript (or any other scripting engine) from executing .JS (JavaScript) code.
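Alongside the two preventive tips above, a defender also wants to see whether either attachment method is already active on the estate. The following added Python example, written for this page rather than taken from the post or from any LANDESK product, runs three detection rules over process-creation events: a script host (wscript/cscript) asked to run a .js/.jse file, a script host launching an executable from a user-writable directory (the downloaded payload being started), and an Office application spawning a shell or script host (a macro reaching out). The log lines, paths and timestamps are constructed; the event format `timestamp|parent image|child image|command line` is an assumption, not a particular product’s schema.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed process-creation events (timestamp|parent image|child image|command line).
# Invented for this example; they are not real telemetry from any product.
SAMPLE_EVENTS = r"""
2016-09-13T09:01:02|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Invoice_4471\invoice.js"
2016-09-13T09:01:05|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\svchost.exe|"C:\Users\alice\AppData\Local\Temp\svchost.exe"
2016-09-13T09:15:40|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c start "" "%TEMP%\update.exe"
2016-09-13T09:20:00|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"
2016-09-13T09:21:00|C:\Windows\System32\services.exe|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe"} | SCRIPT_HOSTS
# A .js/.jse path in a command line, followed by a quote, whitespace or end of string (so .json does not match).
JS_FILE = re.compile(r"""\.jse?(?=[\s"']|$)""", re.IGNORECASE)
# Locations a standard user can write to, where a downloaded payload typically lands.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    parent: str   # full path of the parent process image, lower-cased
    image: str    # full path of the new process image, lower-cased
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcessEvent(ts, parent.lower(), image.lower(), cmdline)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(ev: ProcessEvent) -> str | None:
    """Return the name of the first rule the event matches, or None for benign activity."""
    parent, child = basename(ev.parent), basename(ev.image)
    if child in SCRIPT_HOSTS and JS_FILE.search(ev.cmdline):
        return "script-host-runs-js"             # Tip 2: wscript/cscript asked to run a .js file
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
        return "script-host-starts-dropped-exe"  # the script's downloaded payload being launched
    if parent in OFFICE_APPS and child in SHELLS:
        return "office-spawns-shell"             # Tip 1: a document macro reaching out to run something
    return None


def detect(log_text: str) -> list[tuple[str, str]]:
    """Run every rule over the log and return (timestamp, rule) for each suspicious event."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((ev.ts, rule))
    return hits


if __name__ == "__main__":
    for ts, rule in detect(SAMPLE_EVENTS):
        print(ts, rule)
```

The last two sample events are deliberately benign (Word opening a document, and a system service running the built-in slmgr.vbs through cscript) and produce no hits: the rules key on the combination of parent, child and file type rather than on the script host alone, which keeps legitimate administrative scripting out of the alert queue.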

Distribution Method 2: Compromised Websites

Like many other types of malware, ransomware is all about leveraging vulnerabilities. These vulnerabilities are mainly discovered in internet-facing applications such as web browsers, Adobe Flash and PDF Reader, Java, and others to infect the victim’s machine.

Using spam emails and other web technologies, cybercriminals do a good job of convincing users to visit “their” websites. These websites are designed to detect the software the victim is running and apply the best exploit for that software. Once the exploit succeeds, the ransomware is downloaded and executed on the victim’s machine.

Warding off Ransomware on a Compromised Website

Tip 3: Protect against ransomware that is spread via compromised websites by ensuring that your users’ software is up-to-date. This is especially important for internet-facing applications like web browsers, Adobe products, Java and, in many cases, Microsoft Office.

Compromised websites are most likely to exploit known vulnerabilities in software, since the cost of finding zero-day vulnerabilities is high and most users do not update their software. That means there is a good chance users are still running software with known vulnerabilities that are easy to exploit.

Ensuring users are running the latest version of their software dramatically reduces the chance that a compromised website will be able to infect the end user’s machine and successfully run ransomware on it.

LANDESK Patch Manager allows security administrators to easily and cost-effectively scan for missing software patches (software updates) and install the latest software version remotely on each of the end users’ machines. LANDESK Patch Manager also supports scanning and patching for most third-party applications, including all web browsers, Java, Adobe Flash, PDF readers and Microsoft Office.

In addition, smart distribution and bandwidth management capabilities ensure that large and distributed deployments are possible.

Don’t catch ransomware on your system! Check out our free white paper below for more information on how YOU can avoid getting infected.


Everything You Need to Know to Prevent Ransomware

“Just pay the ransom.”

That’s what an FBI official said during the Cyber Security Summit 2015 in Boston several months ago.

However, since then, the FBI has published an official document that warns against ransomware and provides a list of best practices on how to fight it. Oh, and the new document specifically says: “The FBI does not support paying a ransom to the adversary.”

In this post, I will go over the FBI’s recommendations and explain what steps you can put into practice to implement them.

Prevention Tactics

For ransomware, a “detect and respond” model provides little value, since once the ransomware is running, it is too late. That is why prevention is critical to combating ransomware.

The FBI suggests you implement the following prevention methods:

  • Awareness and training

We know now that most ransomware is spread using phishing or spam emails. Just recently, users in the US House of Representatives fell victim to a ransomware campaign reportedly designed to trick users into opening an attachment sent to their Yahoo Mail accounts.

Increasing end-user education and awareness is always a good idea, but it is important to understand that the “bad guys” are professionals. They use professional marketing and social engineering tools to improve their ability to trick users into opening fraudulent emails and attachments.

This means that you should assume that even the most educated and aware user may be tricked. In fact, the latest Verizon data breach report found that 23 percent of recipients are opening phishing messages, and 11 percent click on fraudulent attachments. So the odds are against you.

  • Patch the critical operating systems and applications

Patching for most organizations should be the first or second line of defense against any attack. This holds true for ransomware as well.

Recently, a flaw in Adobe Flash was used by the Locky and Cerber ransomware attacks to distribute themselves to victim workstations.

Making sure each client system’s OS and required third-party applications are up-to-date will prevent many such attacks. A special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers, and Microsoft Office are kept current. In addition, patch and update deployments should be prioritized based on business needs and policies, and executed in ways that don’t disrupt user or business operations.

Many organizations fear that comprehensive, timely and consistent patching is too complex to execute and maintain, or that it may break critical business applications. However, using the latest patch management tools to scan for missing patches and deploy them to workstations or servers is a straightforward task, even in the most complicated environments.

LANDESK has many years of experience in delivering complete, flexible, end-to-end patch management solutions. Our experts can easily demo how you can efficiently use LANDESK solutions to automate patch management, and to deploy those critical patches with minimal to no disruption to your business or your users.
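Both Tip 3 in the previous post and the patching recommendation above come down to knowing which patches an endpoint is missing. As an added example (not LANDESK Patch Manager code), here is a read-only audit that a practitioner can run on one machine: Microsoft updates are queried through the Windows Update Agent COM API, and the versions of the third-party products the posts single out are read from the Uninstall registry keys. The product name patterns are assumptions; nothing is installed by this code:

```powershell
# Added example (not LANDESK Patch Manager): a read-only patch audit for
# one endpoint. Microsoft updates come from the Windows Update Agent COM
# API; third-party versions come from the Uninstall registry keys. The
# product name patterns are assumptions; nothing is installed here.

function Get-MissingWindowsUpdates {
    # Ask the Windows Update Agent for applicable software updates that are
    # not installed. It queries whatever source the client is configured
    # for (WSUS or Microsoft Update), so it needs network access.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Severity = $u.MsrcSeverity                                   # Critical, Important, ... or blank
            KB       = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', ')
            Title    = $u.Title
        }
    }
}

function Get-InstalledProductVersions {
    # Inventory the products the posts name as exploit-kit targets, from
    # both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives.
    param([string[]] $Patterns = @('Adobe Flash*', 'Java*', 'Adobe Acrobat*', 'Adobe Reader*',
                                   'Google Chrome*', 'Mozilla Firefox*', 'Microsoft Office*'))   # assumption
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($Patterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

# The report an administrator acts on: missing Microsoft updates (Critical
# sorts first), then installed third-party versions to compare against
# each vendor's current release.
Get-MissingWindowsUpdates | Sort-Object Severity | Format-Table -AutoSize
Get-InstalledProductVersions | Format-Table -AutoSize
```

The Windows Update Agent only knows about Microsoft products, which is exactly the gap the posts warn about: the second function gives you the installed versions of Flash, Java, browsers and Office, but comparing them against the vendor's current release is still a manual step without a patch management product.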

  • Ensure that antivirus (AV) software is up-to-date and that regular scans are scheduled

If patching is your first line of defense, AV should be your second. By now it is well known (at least to security researchers) that most ransomware attacks cannot be stopped by traditional, signature-based AV solutions. However, you do not want to fall victim to malware threats already identified and tagged by your AV vendor.

Ensuring that your AV virus definition database is always up to date on all your workstations is the most important element of an effective AV strategy. LANDESK security management software can automate this process for you. Our software can efficiently (bandwidth-wise) distribute the latest virus definition file to all of your endpoints in any size environment. We support most AV vendors, so most likely it will work with your AV vendor. If you choose to use our AV solution, which is based on the Kaspersky AV engine, we will also automate scanning and AV management from one console.

  • Manage the use of privileged accounts

Minimizing privileges is an important tactic to protect against many types of malware, including ransomware.

For example, a recently discovered ransomware attack called Petya requires administrator privileges to run, and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity, and enterprise security is not. Thus the need for privilege management solutions.

The LANDESK security team believes in the importance of privilege management, which is one of the reasons we acquired AppSense, providers of a great solution in this space (among other great tools). The solution will help you define policies that limit administrative privileges to what authorized users need to do their work.

However, one thing to consider when protecting against ransomware is that many ransomware attacks are just executables that users are tricked into running. Once executed, those ransomware instances run inside the current user space, and do not require any administrator privileges to do their damage. An updated version of the Petya ransomware attack (mentioned above) has a fallback mechanism that allows it to encrypt files without the need for administrator privileges.
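The Petya case above hinges on two things a defender can check: who holds local administrator rights, and whether a standard user who is tricked can hand those rights over through a UAC prompt. As an added example (not AppSense or LANDESK code), here is a small baseline check with built-in cmdlets; the approved-administrators list is an assumption to replace with your own:

```powershell
# Added example (not AppSense/LANDESK code): report the settings that decide
# whether a tricked user can give ransomware like Petya administrator
# rights. Requires Windows 10 / PowerShell 5.1 for Get-LocalGroupMember.
# $ApprovedAdmins is an assumption; replace it with your own accounts.

function Get-PrivilegeBaseline {
    param([string[]] $ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins'))  # assumption

    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey
    $admins = Get-LocalGroupMember -Group 'Administrators'

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        # EnableLUA = 1: UAC is switched on at all.
        UacEnabled           = ($uac.EnableLUA -eq 1)
        # ConsentPromptBehaviorUser = 0: a standard user is never offered a
        # credential prompt; elevation requests are denied automatically,
        # so "click Yes / type the admin password" cannot happen.
        StandardUserAutoDeny = ($uac.ConsentPromptBehaviorUser -eq 0)
        # Anyone in the local Administrators group who is not on the
        # approved list (names come back as COMPUTER\user or DOMAIN\group).
        UnapprovedAdmins     = @($admins | Where-Object { $ApprovedAdmins -notcontains $_.Name } | ForEach-Object Name)
    }
}

function Set-StandardUserElevationDeny {
    # Hardening step: make standard users' elevation requests fail silently.
    # Run elevated; this affects every standard user on the machine.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-ItemProperty -Path $uacKey -Name 'ConsentPromptBehaviorUser' -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-PrivilegeBaseline | Format-List
```

The report is deliberately read-only; the hardening function is separate because auto-denying elevation is exactly the productivity trade-off the post describes, and it should be a decision per user group rather than a default applied everywhere. Keep in mind the post's own caveat: this does nothing against ransomware that encrypts from within the user's own profile.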

  • Access control

An effective access control solution will help organizations protect against ransomware. However, access control that focuses primarily or exclusively on user access rights will likely prove less than effective.

Access control matters most for files located on shared drives, but on its own it cannot do the job there. That is because at least some users will always have legitimate rights to access and modify at least some files on every shared drive. After all, most of those files are documents created by legitimate users.

This means that a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all of the files on all connected, shared drives and folders.

LANDESK security solutions offer a different type of access control, one that focuses on the data you want to protect rather than on the rights of the users. Using LANDESK software, you can define rules that prevent any program other than those you specify from modifying critical or sensitive documents or files. A rule that, for example, allows only Microsoft Word to modify .doc and .docx files will defeat any attempt by successfully installed ransomware to encrypt such files.

Adding similar rules to protect all Microsoft Office, Adobe PDF, and other frequently used and shared file types will provide the best defense against most ransomware attacks. With such rules in place, even if ransomware gets onto a user’s system, the ransomware will not be able to encrypt protected files. Users will retain access to those files and be able to continue working with minimal to no disruption, and with no need to revert to older, potentially out-of-date backup versions.

(Note that some ransomware attempts to add itself to system startup routines in order to appear as legitimate software. The LANDESK solution also prevents ransomware from doing so successfully.)

Compared to traditional access control, the LANDESK method of focusing on data protection is a more effective defense against ransomware. It relies on understanding the behavior of ransomware, and does not require creation and management of user-specific (and ever-changing) rules. It is therefore also easier to implement and maintain than access control based on user rights management.
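The data-centric rule described above ("only Word may modify .docx files") has a close analog in Windows itself: Windows Defender's Controlled Folder Access allows only listed applications to write to protected folders, and it can run in audit mode first so you can find the legitimate tools the post warns you will otherwise break. As an added example (not LANDESK code, and a folder-level rather than file-type-level mechanism), here is that configuration plus the event query that shows what would have been blocked; the folder and Office paths are assumptions, and the feature requires Windows 10 version 1709 or later with Defender real-time protection on:

```powershell
# Added example (not LANDESK code): the same data-centric idea with Windows
# Defender Controlled Folder Access, which lets only trusted applications
# modify files in protected folders. Folder and application paths are
# assumptions. Requires Windows 10 1709+ with Defender real-time
# protection enabled; run elevated.

$ProtectedFolders = 'D:\Shares\Finance', "$env:USERPROFILE\Documents"                 # assumption
$AllowedApps      = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',   # assumption
                    'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'

function Enable-DataCentricProtection {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode')
    # AuditMode blocks nothing but logs every write that *would* have been
    # blocked; run in this mode long enough to discover the legitimate
    # programs (backup agents, sync clients) before switching to Enabled.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps
}

function Get-ControlledFolderAccessEvents {
    # Event 1124 = write audited (would have been blocked); 1123 = blocked.
    # Each message names the process and the file it tried to modify.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Message = $_.Message
        }
    }
}

Enable-DataCentricProtection -Mode AuditMode
Get-ControlledFolderAccessEvents | Format-Table -AutoSize
```

An unknown executable encrypting documents in a protected folder shows up as a 1124 event in audit mode and a 1123 event once enforced, while Word and Excel keep working because they are on the allowed list. Every other program that appears in the audit log is either a tool to add to the list or something that should not be touching those files.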

  • Software restrictions

LANDESK software also makes it easy to define, implement, and enforce rules that govern how other software behaves. Rules can restrict the ability of designated software to execute, or to create, modify, or read any file, or files located in specific folders, including the temporary folders used by browsers and other programs. Those rules can be applied either globally or to specific users or groups.

However, before implementing such rules, it is important to consider the user experience degradation such rules can introduce.

For example, when installing new or updated software, legitimate users are sometimes required to decompress (“unzip”) or execute files directly from their browsers. Users may also rely upon the ability to create or invoke macros to do their jobs. Software restriction rules may block these otherwise legitimate activities.

  • Disable macros in Office files

This is highly practical advice, as it will block many types of malware, including ransomware.

For example, Locky, a relatively new crypto-ransomware, spread primarily via spam with attachments enticing users to enable macros in Word documents that then download the malware onto the machine. LANDESK Security Suite allows IT administrators to set a policy that disables macros. Deploying this policy to users who do not require macros will effectively block this type of ransomware from running.

Other considerations

The FBI issued additional recommendations intended to increase protection of your environment. Those recommendations are meant to defend against multiple types of malware and other attacks, but if used correctly, they will protect against ransomware as well.

  • Application whitelisting

This solution ensures that only known applications designated as trusted can run on any endpoint. This effectively eliminates the ability of any ransomware to run, since no ransomware is trusted. The biggest challenges to whitelisting success are creating the initial list of trusted applications, and keeping that list accurate, complete, and current.

LANDESK solutions, including AppSense Application Management, offer multiple options for comprehensive, flexible, effective, straightforward whitelisting. And LANDESK makes it easy to create and maintain your whitelists.

For example, the LANDESK solution will automatically “discover” all applications running on “clean” system(s) and will validate application integrity against its own application reputation database. Adding rules to trust applications based on their owners (e.g., authorized admins) and vendors (e.g., Microsoft, Oracle) further reduces the amount of configuration required to create those trusted application lists.
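The discovery step described above, building the initial trusted list from a clean machine and preferring vendor (publisher) rules so the list survives updates, can be reproduced with the AppLocker cmdlets built into Windows. As an added example (not LANDESK or AppSense code), here is a policy generated from a reference machine, started in audit-only mode, and dry-run against sample files before anything is enforced; the directories, output path and sample file are assumptions:

```powershell
# Added example (not LANDESK/AppSense code): build a whitelist from a
# reference ("clean") machine with the built-in AppLocker cmdlets, the
# way the post describes discovery. Directories and file paths are
# assumptions. Run elevated on the reference machine; the policy starts
# in AuditOnly so nothing is blocked until you decide to enforce it.

function New-ReferenceWhitelist {
    param(
        [string[]] $Directories = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\System32"),  # assumption
        [string]   $OutFile     = "$env:TEMP\applocker-policy.xml"                                                  # assumption
    )
    # Discover executables, installers and scripts. Signed files get
    # Publisher rules (they survive version updates and can be widened to a
    # whole vendor such as Microsoft or Oracle); unsigned files fall back to
    # Hash rules, which must be regenerated whenever the file changes.
    $files = foreach ($d in $Directories) {
        Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe, WindowsInstaller, Script -ErrorAction SilentlyContinue
    }
    $policy = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation
    # AuditOnly: a violation is written to the AppLocker event log (event
    # 8003 for executables) but the file still runs. Set 'Enabled' to block.
    foreach ($rc in $policy.RuleCollections) { $rc.EnforcementMode = 'AuditOnly' }
    $policy.ToXml() | Set-Content -Path $OutFile
    $policy
}

function Test-WhitelistDecision {
    # Dry-run candidate files against the policy for a given user before
    # deploying anything. Files must exist so their hash/signature can be read.
    param($Policy, [string[]] $Path, [string] $User = 'Everyone')
    Test-AppLockerPolicy -PolicyObject $Policy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policy = New-ReferenceWhitelist

# Constructed sample: a harmless .js placed in a user-writable folder, the
# kind of location a mail attachment lands in. Expected decision: Denied,
# while a binary discovered under System32 is Allowed.
$sample = "$env:TEMP\invoice.js"
Set-Content -Path $sample -Value '// constructed sample, does nothing'
Test-WhitelistDecision -Policy $policy -Path $sample, "$env:SystemRoot\System32\notepad.exe"

# Apply locally (the Application Identity service must be running). At
# scale, import the XML file into a Group Policy Object instead.
Set-AppLockerPolicy -PolicyObject $policy
```

Leave the policy in AuditOnly until the 8003 events stop showing legitimate software, then switch the enforcement mode to Enabled; that audit period is how the "accurate, complete, and current" problem the post mentions gets solved in practice.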

  • Isolated environments

In most cases, ransomware is distributed as an email attachment. Restricting users to virtualized or containerized environments will ensure that any ransomware that gains access to a user’s system does no harm to the user’s primary work environment. BUFFERZONE, a LANDESK ONE partner, offers an elegant threat isolation solution that integrates with LANDESK security solutions.

  • Backup

The FBI paper recommends timely, frequent backups of critical files as a business continuity measure. I warned about the shortcomings of backups in my previous blog, but if done right, backups will save the day if you are attacked by ransomware.

However, if you implement the defenses suggested above, especially the access control features offered by LANDESK solutions, you won’t need to rely on backups alone to combat ransomware.
