Two Ways to Counter Cybersecurity Threats from Windows Network Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has designated October as Cybersecurity Awareness Month. It may be a great opportunity to better understand your computer and network assets and respond to security threats.

Software cataloging and evaluation

One way to raise awareness of cybersecurity threats is to evaluate and catalog the software your company uses. People tend to focus on Microsoft patches and overlook third-party tools when hardening their systems. Review both the weaknesses of the software itself and the configuration of the environment it runs in. This usually requires inventory software that can scan your network.

If your company runs a traditional on-premises environment, Active Directory-based tools can be used to analyze vulnerabilities. If you have both existing infrastructure and cloud assets and hold an Office 365 E5 license, you can use tools such as the Microsoft Defender Security Center to evaluate which software needs updating.

If you don't have the budget for an E5 license, an alternative such as Spiceworks can catalog and analyze your network. On on-premises systems, PowerShell can produce software inventory reports for network-connected machines by reviewing and listing the software installed on each computer.

PowerShell has long been used as a vehicle for building inventory systems, but it relies on Active Directory access. As we moved to disconnected networks during the pandemic, a way to list systems that are not joined to a domain became especially necessary. Unconnected and unmanaged computers often do not receive software updates and maintenance. A tool that provides a security overview of all software will help keep your network secure.
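As an added example (not code from the article), the script below builds the kind of software inventory described above. It reads the Uninstall registry keys over PowerShell Remoting from both Active Directory members and stand-alone machines; it assumes WinRM is enabled on the targets, that the RSAT ActiveDirectory module is present, and that the constructed file `.\hosts.txt` lists the computers that are not joined to the domain (for those, add them to the WinRM TrustedHosts list and pass explicit credentials).

```powershell
# Added example (not from the article): inventory installed software on
# domain-joined and stand-alone Windows hosts by reading the Uninstall
# registry keys over PowerShell Remoting. Assumes WinRM is enabled on the
# targets and that .\hosts.txt (a constructed list) names the machines
# that are not registered in Active Directory.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Runs on each target: one record per installed product.
$collector = {
    param($keys)
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DomainJoined   = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $_.Publisher
                InstallDate    = $_.InstallDate
            }
        }
}

# Domain members come from AD; unjoined hosts from a hand-maintained list,
# so the machines the domain does not know about are still covered.
$domainHosts = (Get-ADComputer -Filter 'Enabled -eq $true').Name
$standalone  = Get-Content .\hosts.txt -ErrorAction SilentlyContinue
$targets     = @($domainHosts) + @($standalone) | Sort-Object -Unique

$inventory = Invoke-Command -ComputerName $targets -ScriptBlock $collector `
                -ArgumentList (,$uninstallKeys) -ErrorAction Continue

# Full report for the whole estate, then a quick view of a product the
# article singles out (7-Zip) so outdated builds are easy to spot.
$inventory |
    Sort-Object ComputerName, DisplayName |
    Export-Csv .\software-inventory.csv -NoTypeInformation

$inventory | Where-Object DisplayName -like '7-Zip*' |
    Select-Object ComputerName, DomainJoined, DisplayVersion |
    Format-Table -AutoSize
```

Hosts that fail to answer are reported as non-terminating errors and simply leave a gap in the CSV, which is itself a useful signal about unmanaged machines.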

I forgot to install relatively new software like 7-zip and didn't update to the latest version. All this unpatched software is what exposes a network to real security threats.

Set Attack Surface Reduction Rule

The security recommendations dashboard in Microsoft's Defender Security Center appears to strongly recommend updating 7-zip, flagging it with the highest-severity vulnerabilities. A closer look, however, states that in practice no exploit can occur.

You need a tool that recommends which security settings to deploy. Office software has long been an entry point for ransomware, so to better protect your systems you should enable attack surface reduction (ASR) rules. Rather than patching 7-zip, you should deploy, test, and enforce ASR rules. The Microsoft Defender for Endpoint console suggests the following five ASR rules:

  • Block all Office applications from creating child processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block executable files from running unless they meet a prevalence, age, or trusted-list criterion
  • Block untrusted and unsigned processes that run from USB
  • Block persistence through WMI event subscription

All businesses should test and deploy the first ASR rule, 'Block all Office applications from creating child processes'. Microsoft's materials often give the impression that an enterprise subscription is required to use ASR rules, but any user with a Windows 10 Professional license can use them. Without Windows 10 Enterprise, only some reporting features are unavailable.
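The deploy, test, then enforce sequence above, as an added example that is not code from the article: the five rules are first set to audit mode, the effective configuration is read back, audit events for the Office rule are reviewed, and only then is that rule switched to block. The rule GUIDs are Microsoft's published identifiers for these rules (check them against the ASR rules reference before rolling out); the script assumes an elevated PowerShell session on a Windows 10 host running Microsoft Defender Antivirus.

```powershell
# Added example (not from the article): stage the five ASR rules in audit
# mode, review what they would have blocked, then enforce the Office
# child-process rule. GUIDs are Microsoft's published rule IDs; verify them
# against the ASR reference. Run elevated on a host with Defender AV.

$asrRules = [ordered]@{
    'Block all Office applications from creating child processes'            = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block JavaScript/VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block executables unless they meet prevalence, age or trust criteria'   = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'Block untrusted and unsigned processes that run from USB'               = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block persistence through WMI event subscription'                       = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
}

# Step 1: audit mode for every rule, so nothing is blocked yet.
foreach ($guid in $asrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $guid `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: read back the effective configuration.
# Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Step 3: review audit hits for the Office rule over the last 7 days.
# In the Defender operational log, event 1122 = ASR audited, 1121 = blocked.
$officeRule = $asrRules['Block all Office applications from creating child processes']
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $officeRule } |
    Select-Object TimeCreated, Id, @{n='Detail'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize

# Step 4: once the audit log shows only expected activity, enforce the
# first rule, which the article says every business should deploy.
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Leave the remaining four rules in audit mode until their 1122 events have been reviewed the same way; line-of-business add-ins that spawn helper processes are the usual source of false positives.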

Threat Insights in the Microsoft Defender Security Center reveal the risk a vulnerability poses. Even a fully patched Office installation poses a risk to the network, because attackers use Office heavily to distribute ransomware. Attacks that abuse Office child processes include Qakbot, which provided access to ransomware affiliates; the CVE-2021-40444 MSHTML remote code execution vulnerability; GravityRAT; CHIMBORAZO; Zloader; IcedID; the Sysrv botnet; and intelligence-gathering and coin-mining campaigns, of which Bismuth is an example.

Attackers are also using Excel 4.0 macros. People may think Excel 4.0 is no longer needed, but some companies still rely on legacy macro processes for basic business functions. Excel macros, typically delivered in malicious phishing attachments, are used to gain a foothold on workstations and launch more powerful attacks on the network. From that foothold, an attacker collects credentials with an LSASS memory dump to gain more privileges on the network.

For those in the security sector, every month is Cybersecurity Awareness Month. Take a closer look this month at your on-premises network and at your unconnected devices. Check whether you have visibility into, and control over, all of your technology assets.

Source: ITWorld Korea by
