It’s Time to Embrace the No. 1 ASD Strategy to Mitigate Cyber Intrusion
Since 2013, the Australian Signals Directorate has published a list of 4 critical strategies to adopt if you want to mitigate 85% of the risk from cyberattacks.
Do you know what they are?
No. 2 on the list is “Patch Applications”. Apply security patches to prevent criminals from entering your network through known flaws that already have available fixes. Simple.
No. 3 is “Patch the Operating System”. Makes sense. Might as well update the software that drives everything and can be manipulated to give a hacker everything he or she wants while we’re following Strategy No. 2, right?
No. 4 is to “Minimise Administrative Privileges”. Only give power to those who truly need it. Make everyone else powerless in terms of your network and restrict the ability of rogue software to run rampant. It’s easy to do and it doesn’t add much overhead in terms of IT employee time.
Those 3 are all very important. But do you know what the number one strategy is? It’s the one people tend to skip over, because it’s complex and variable for every company (and can even vary between different users).
It’s Application Whitelisting.
What is it? In simple terms, it’s the process by which we lock down your company computing environment to prevent any software that’s not on the “Approved” list from executing, full stop.
Not on the list? It simply won’t run.
It’s a proactive remedy for ransomware that installs an .exe file. Here’s a common scenario:
An email containing the payload slips past your anti-virus software because it’s never seen it before (this is because it’s been custom-crafted to target your organisation or a small group of people). The email is opened and the attachment is clicked by the user because it seems to come from a senior executive. The executable file attempts to install itself… and gets a look of indifference from the network. “Not on the list, hey? You can’t come in.”
“Brilliant,” you say. “Let’s do that; it sounds really good”.
It is. So why don’t more companies do it?
- It’s not a common tool. We’re used to working with anti-virus software. We’re used to firewalls. We’re used to setting user privileges and we’re used to updating software all the time. But not a lot of people in IT (let alone the broader employee population) have had experience in a whitelisted environment. So its uptake as an attack prevention tool is low.
- Innovation and new software go hand-in-hand. Innovative teams who are free to install new software can help your company be more adaptable in today’s competitive landscape. Locking down the environment can restrict their freedom to innovate. While there is an argument for that, a successful data breach is likely to have much more negative impact on your company’s productivity than the positive contribution of new software.
- It adds some administrative overhead. It’s true, it does take administration and management, just like any security system, but again the productivity argument applies, among many others.
It’s a simple fact. Companies that we work with to whitelist their operating environments experience fewer network breaches afterwards.
When you whitelist an environment, you have to whitelist ALL the executables that should be there. As well as your standard productivity applications, this means hundreds of pieces of software that operate seamlessly in the background, all of which need to be inspected, catalogued and permitted to run so that you don’t end up missing something important when the whitelisted environment goes live.
It’s time-consuming and requires good attention to detail to produce an environment that is friendly to your users, but secure enough to withstand the next CryptoLocker or WannaCry or NotPetya.
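To make the two ideas above concrete, here is an added illustration (not code from the original post or from any whitelisting product) of how a hash-based “Approved” list decides what runs, and of the pre-go-live audit pass that catches background software you forgot to catalogue. The executables, the email attachment and the catalogue are all constructed stand-ins; the function names and the audit-versus-enforce modes are this example’s own assumptions, not any vendor’s API.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executables as (file name, file contents) pairs.
# Real tooling would read these from disk; they are inline so the example runs offline.
APPROVED_SOFTWARE = [
    ("winword.exe", b"MZ\x90\x00 word processor, build 1"),
    ("outlook.exe", b"MZ\x90\x00 mail client, build 1"),
    ("updater_svc.exe", b"MZ\x90\x00 background updater service"),
]

# A constructed "attachment" whose contents match nothing in the catalogue.
UNKNOWN_PAYLOAD = b"MZ\x90\x00 custom-crafted attachment"


def sha256_hex(content: bytes) -> str:
    """An executable's identity is its content hash, not its file name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Catalogue:
    """The 'Approved' list: SHA-256 of each permitted executable -> its name."""
    entries: dict = field(default_factory=dict)

    def add(self, name: str, content: bytes) -> None:
        self.entries[sha256_hex(content)] = name

    def permits(self, content: bytes) -> bool:
        return sha256_hex(content) in self.entries


def build_catalogue(software) -> Catalogue:
    """Inspect and catalogue every executable that should exist in the environment."""
    cat = Catalogue()
    for name, content in software:
        cat.add(name, content)
    return cat


def evaluate(name: str, content: bytes, cat: Catalogue, enforce: bool = True) -> str:
    """Decide what happens when `name` tries to execute.

    enforce=True  -> 'allow' or 'block' (the live, locked-down environment)
    enforce=False -> 'allow' or 'audit' (pre-go-live: record what *would* be blocked)
    """
    if cat.permits(content):
        return "allow"
    return "block" if enforce else "audit"


def find_gaps(observed, cat: Catalogue):
    """Given executions observed in audit mode, return the names the catalogue lacks.

    This is the pre-go-live check that surfaces background software you did not
    know about before enforcement is switched on.
    """
    return sorted({name for name, content in observed if not cat.permits(content)})


if __name__ == "__main__":
    cat = build_catalogue(APPROVED_SOFTWARE)
    # Scenario from the post: an unknown executable arrives by email and is refused.
    print(evaluate("invoice.exe", UNKNOWN_PAYLOAD, cat))          # block
    # Renaming the file to look like an approved app changes nothing; the hash decides.
    print(evaluate("winword.exe", UNKNOWN_PAYLOAD, cat))          # block
    # An audit-mode run before go-live reveals an uncatalogued background agent.
    observed = APPROVED_SOFTWARE + [("backup_agent.exe", b"MZ\x90\x00 nightly backup agent")]
    print(find_gaps(observed, cat))                               # ['backup_agent.exe']
```

The point of the audit mode is the go-live problem described above: run the environment with enforcement off, collect everything that executes, and feed the gaps back into the catalogue until `find_gaps` returns nothing. Only then is it safe to flip `enforce` on without breaking the background services users never see.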
2019 Update: We have a proven process using new Application Whitelisting software that is fast and thorough. If you’re interested, talk to us about what it might look like in your organisation.
James Walker