
The Malware Management Post

 

1. Systems Hardening.

Matthew Quinn, Secon's Professional Services Director, unravels Systems Hardening and offers some tips on how to securely configure your systems to protect them against unauthorised access, while also taking steps to make your systems more reliable.

2. Learning From Your Outbreak Incidents.

We look at why it is of vital importance to review all your virus outbreak incidents and how you should view each one as a learning experience.

3. Case Study.

In the first of a series of case studies, read how Secon helped resolve a global food expert's ongoing malware infection (DOWNAD/CONFICKER) which they had been unable to contain using their existing AV solution.

Please click on the titles or scroll down to view the articles on all the above.

________________________________________________________________________________________________________

System Hardening

Matthew Quinn

System hardening is a step by step process of securely configuring a system to protect it against unauthorised access, whilst also taking steps to make the system more reliable.

By definition, installing any security solution on a system is a type of hardening as you are protecting it further than its default state.

Many systems come with additional services and applications that may not be necessary for the role in which your organisation is using them.

By having these additional elements enabled, your system is not only using unnecessary resources but is also susceptible to exploits of vulnerabilities in them. By hardening the systems in use, we reduce what is known as the attack surface of a system, lowering its level of exposure to attack.

Organisations that have hardening procedures implemented within their system build process have a lower risk of virus and attack exposure.

All systems can be hardened. Traditionally people associate hardening with server architecture, but desktops and laptops can also benefit, as can mobile phones, firewalls and all manner of devices.

For something like a Windows 2003 server, many services are turned on by default. For example, telnet is an application that can be used to access other systems and test system connectivity. In Windows 2008 and 2012, telnet is disabled by default and would need to be turned on if necessary. This has hardened the system, because an application that is not enabled cannot be exploited on that system.

So how do we go about hardening systems?

Depending on the systems used, there are many ways of hardening.

For Microsoft Windows servers, there are many resources on how to harden:

  1. Microsoft Baseline Security Analyser can help identify security misconfigurations and missing patches that may expose the system.

  2. Microsoft Security Configuration Wizard helps reduce a server’s attack surface by disabling services based on the role of the server (e.g. SQL server, file server).

  3. The Windows Security website provides many great articles on how to enhance Windows security.

For Linux servers:

  1. SANS offers a number of resources for improving security practices and procedures, as well as training.
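As an added example (not from the article, and not Secon's or Microsoft's tooling), the PowerShell script below applies the attack-surface idea above to a Windows server: it reports services that are running, or set to start automatically, but are not on an allowlist for the server's role, checks whether the Telnet server service is installed, and checks the AutoRun policy that stops removable media launching programs. The allowlist is a constructed sample for a basic file server role, not a Microsoft or Secon baseline, and the script assumes PowerShell 3.0 or later for Get-CimInstance. It changes nothing; it is a read-only check to run against a build before it goes into service.

```powershell
# Added example, not Secon's tooling: a read-only hardening audit for a Windows server.
# It reports services that are running, or set to start automatically, but are not on the
# allowlist for the server's role, checks whether the Telnet service is installed, and
# checks that AutoRun is disabled for all drive types. Nothing is changed; act on the
# report through your build process or Group Policy.

# Constructed allowlist for a basic file server role. This is an assumption for the
# example, not a Microsoft or Secon baseline; build yours from a known-good build.
$AllowedServices = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
    'RpcSs', 'Schedule', 'W32Time', 'Winmgmt', 'wuauserv'
)

# Services outside the allowlist that are running or would start on boot. A stopped
# service set to Automatic still counts: it returns on the next reboot.
function Get-UnexpectedServices {
    param([string[]]$Allowed)
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' } |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# 'TlntSvr' is the service name of the Windows Telnet server; a hardened host that
# does not need it should not have it installed at all.
function Test-TelnetServerInstalled {
    $null -ne (Get-CimInstance -ClassName Win32_Service -Filter "Name='TlntSvr'")
}

# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, which stops
# USB-borne malware such as Conficker from launching when a device is inserted.
function Test-AutoRunDisabled {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    ($null -ne $item) -and ($item.NoDriveTypeAutoRun -eq 0xFF)
}

# Report: review the list against the server's role before disabling anything.
$unexpected = @(Get-UnexpectedServices -Allowed $AllowedServices)
Write-Output "Services outside the role allowlist: $($unexpected.Count)"
Write-Output ($unexpected | Format-Table -AutoSize | Out-String)
Write-Output ("Telnet server installed: {0}" -f (Test-TelnetServerInstalled))
Write-Output ("AutoRun disabled (0xFF): {0}" -f (Test-AutoRunDisabled))
```

On a real server the first run will flag a long list, including core Windows services that the sample allowlist omits. That is expected: the allowlist should be built per role from a known-good build and kept with the build documentation, so the audit becomes a comparison against your own standard rather than against a guess. The Security Configuration Wizard mentioned above is the supported way to turn the agreed list into a policy.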

 

If you need help or advice on any issues you have with regard to Systems Hardening, please contact Andrew Gogarty on 0845 567 8777 or via email andrew.gogarty@secon.co.uk. Alternatively you can get in touch via the Contact Us tab.

 

_________________________________________________________________________________________________________

Review Outbreak Incidents

Dinesh Hirani

Secon have worked with many customers over the past decade that have experienced virus outbreaks of varying complexity, risk and impact.

Each outbreak often highlights an area of weakness in an organisation’s virus prevention strategy. For example, an outbreak could have come from:

  1. Incorrect technology design and configuration
  2. Zero-day exploits
  3. Limited patch management
  4. USB malware
  5. Insecure passwords
  6. Open network shares

Secon believes that protecting your organisation against a virus attack cannot be performed by one product alone, but must be a blend of protection technologies, techniques and procedures to ensure effective protection.

Secon break down an effective virus outbreak prevention strategy into the following areas:

  1. Preparation
  2. Detection & Analysis
  3. Containment, Eradication & Recovery
  4. Post-Incident Activity

When an organisation has been struck by a virus outbreak, and has subsequently recovered from it, the Post-Incident Activity phase needs to be started. This will involve asking questions such as:

  1. Where did the initial infection come from?
  2. How did it spread?
  3. How many systems/sites were affected?
  4. How much did it cost in support and overtime to recover?
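As an added example, not part of this article, the PowerShell below shows how the first three questions can be answered from data rather than from memory. It reads a constructed anti-virus detection export (the hosts, sites, users, paths and timestamps are made up for the example; the detection names are the ones from the case study later in this post) and reports the earliest detection, the channels the spread used, how quickly new machines appeared, and the affected scope. Real console exports use vendor-specific column names, so the header mapping is an assumption to adjust. The fourth question, cost, comes from the helpdesk and overtime records, not from the AV log.

```powershell
# Added example, not Secon's code: answering the Post-Incident questions from an
# anti-virus console's detection export. The export below is constructed for the
# example; real exports use vendor-specific column names, so map them first.

$SampleLog = @'
Timestamp,Computer,Site,User,Malware,Path,Action
2013-03-04 08:12:31,LAPTOP-042,VPN,jsmith,WORM_DOWNAD.A,C:\Windows\System32\svcx.dll,Quarantined
2013-03-04 08:40:05,CTX-APP01,London,SYSTEM,WORM_DOWNAD.A,\\CTX-APP01\Apps\svcx.dll,Cleaned
2013-03-04 09:02:44,CTX-APP02,London,SYSTEM,WORM_DOWNAD.AD,\\CTX-APP02\Apps\svcx.dll,Cleaned
2013-03-04 09:15:10,PC-LON-117,London,kpatel,WORM_DOWNAD.A,E:\autorun.inf,Quarantined
2013-03-04 10:48:52,PC-MAN-031,Manchester,SYSTEM,TROJ_CLICKER.ZF,C:\Users\Public\adv.exe,Failed
2013-03-04 11:05:00,PC-MAN-031,Manchester,SYSTEM,TROJ_CLICKER.ZF,C:\Users\Public\adv.exe,Failed
2013-03-05 07:30:19,CTX-APP01,London,SYSTEM,WORM_DOWNAD.A,\\CTX-APP01\Apps\svcx.dll,Cleaned
'@

# Parse the export and add a real [datetime] so sorting and grouping work on time, not text.
$events = $SampleLog | ConvertFrom-Csv | ForEach-Object {
    $t = [datetime]::ParseExact($_.Timestamp, 'yyyy-MM-dd HH:mm:ss', $null)
    $_ | Add-Member -NotePropertyName Time -NotePropertyValue $t -PassThru
}

# Q1 Where did it come from? The earliest detection is the first lead to follow up
# (AV only sees what it has signatures for, so confirm against VPN and logon records).
function Get-FirstDetection {
    param($Events)
    $Events | Sort-Object Time | Select-Object -First 1 Time, Computer, Site, User, Malware, Path
}

# Q2 How did it spread? Classify each detection path by the channel it implies.
function Get-SpreadChannels {
    param($Events)
    $Events | ForEach-Object {
        $channel = 'Local disk'
        if ($_.Path -like '\\*') { $channel = 'Network share' }
        if ($_.Path -match '^[D-Z]:\\autorun\.inf$') { $channel = 'Removable media (AutoRun)' }
        [pscustomobject]@{ Computer = $_.Computer; Channel = $channel; Time = $_.Time }
    } | Group-Object Channel | Select-Object Name, Count
}

# Spread over time: how many distinct machines first appeared in each hour.
function Get-SpreadTimeline {
    param($Events)
    $Events | Sort-Object Time | Group-Object Computer |
        ForEach-Object { $_.Group[0] } |
        Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, @{ n = 'NewHosts'; e = { $_.Count } }
}

# Q3 How many systems/sites were affected, and where did cleaning fail or not stick?
function Get-AffectedScope {
    param($Events)
    [pscustomobject]@{
        Hosts     = @($Events | Select-Object -ExpandProperty Computer -Unique).Count
        Sites     = @($Events | Select-Object -ExpandProperty Site -Unique).Count
        Strains   = @($Events | Select-Object -ExpandProperty Malware -Unique).Count
        # Repeat detections of the same file on the same host mean the product saw the
        # malware but did not remove it: the "kept coming back" pattern in the case study.
        Recurring = @($Events | Group-Object Computer, Path | Where-Object Count -gt 1 |
                      Select-Object -ExpandProperty Name)
        Failed    = @($Events | Where-Object Action -eq 'Failed' |
                      Select-Object -ExpandProperty Computer -Unique)
    }
}

Get-FirstDetection $events | Format-List
Get-SpreadChannels $events | Format-Table -AutoSize
Get-SpreadTimeline $events | Format-Table -AutoSize
Get-AffectedScope  $events | Format-List
```

With the constructed sample, the first detection is on a VPN-connected laptop, most subsequent detections are on server shares, one is an autorun.inf on a removable drive, and one machine has a repeated detection that the product failed to clean. Each of those maps directly to an item in the weakness list above (open shares, USB malware, solution configuration), which is what turns the review from a narrative into an action list.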

Once these have been ascertained, an organisation can learn how to improve their strategy to reduce the risk of such an incident occurring again. This could include:

  1. Improving existing solution configurations
  2. Procuring new security solutions
  3. Enhancing technical training
  4. Enhancing user training

By learning from experience, organisations can continually improve on the effectiveness of their strategy and reduce the risk of outbreaks occurring in the future.

If you've been subject to a virus outbreak and would like some best practice help, please contact Andrew Gogarty on 0845 567 8777 or via email andrew.gogarty@secon.co.uk. Alternatively you can get in touch via the Contact Us tab.

 

________________________________________________________________________________________________________

Secon helps global food company to clean infection and streamline its Anti-Malware strategy 

Andrew Gogarty

This case study focuses on how one of the world’s largest food experts used Secon’s knowledge and malware experience to clean up their environment and implement a new solution to tackle the security issues that their existing products were failing to protect against.

The Problem

The company advised that they kept getting repeated infections of malware known as ‘DOWNAD/CONFICKER’ which was not being removed by their current anti-virus product.

Prior to Secon’s engagement, to stop the malware spreading further to their servers and client machines, the company had even created a scheduled task that ran a removal tool every 6 hours. This measure, however, was time consuming, difficult to maintain and ultimately unsuccessful at tackling the problem.

Problem Solved

We were so confident in our abilities, that we offered a no fix, no fee term.

Secon’s expert team prioritised the cleanup to minimise the risk the customer was exposed to and then began the process of implementing an effective antivirus strategy following our tried and tested framework:

 

The cleanup process was immediately initiated and Secon’s malware experts discovered there were actually three forms of malicious software propagating through the customer’s environment:

  1. Worm_Downad.a
  2. Worm_Downad.ad
  3. TROJ_CLICKER.ZF

 

Secon quickly established that the infection’s ingress point was one of the customer’s remote users connected to the internal network via VPN.

The malware was propagating via the shares on their Citrix servers, which is typical behaviour for such viruses – one infected machine connecting to the company infrastructure spreads its own infection.

To give the customer continued protection against previous and future infections, we deployed our preferred antivirus tools from the market leading security vendor Trend Micro. As part of this recommendation, a test environment was created to demonstrate the software’s ability to succeed where their original tools had failed.

Secon’s experts continued working with the company’s IT team to establish security priorities, ensuring their SQL database infrastructure was protected and clean from infection and thereby protecting their most sensitive information. Moving forward, Secon’s team worked through their corporate IT systems ensuring each asset was secure and protected from future infections.

The infections experienced by this customer were particularly challenging. The Trojans that had infected them were connecting to remote command and control platforms and pulling down additional malicious software, typical behaviour of a polymorphic malware infection. The three infections listed above actually work together to syphon key data and almost any sensitive information they could find, and the test environment was again used to demonstrate Trend Micro’s ability to identify, remove and ultimately block re-infection of the end point machines.

The infection had now been successfully removed but our involvement with the customer had identified improvements that could be made within the procedures and policies to better align the company with best practice and industry standards. Some examples of our recommendations are below:

  1. Ensure that a user is informed when a virus or malicious activity has been seen on their profile while using the remote or user-facing servers.
  2. Control over who can make changes to the antivirus activity.
  3. Ensure all legitimate files/applications are not being scanned thoroughly during day-to-day operations.
  4. Ensure devices plugged into their workstations do not pose a risk, by disabling AutoRun.
  5. Ensure all remote users (who take their machines home) are always updated and kept informed if the site they are visiting is malicious.

Secon completed the project within weeks of being called in. We have now armed the company with the latest tools and processes for a best practice anti-malware strategy. The whole project and new tools were provisioned within the cost of the software maintenance renewal of their legacy anti-malware solution.

Secon is now helping the customer to review their web security and virtualisation security measures to ensure the highest levels of protection in the future.

To find out how Secon's best in the business malware engineers could help your business security, please contact Andrew Gogarty on 0845 567 8777 or via email andrew.gogarty@secon.co.uk. Alternatively you can get in touch via the Contact Us tab.

______________________________________________________________________________________________________