The Necessary Nine: Generic Exploit Mitigation

Operating System Generic Exploit Mitigation

What Is It? Operating systems, as I outlined in a previous article, are critical to the daily operations of your systems and facilitate your applications the business relies on daily. While patching your operating systems is part of the Essential Eight, don’t overlook the other methods available to further bolster your defences. Nearly everything that runs in your infrastructure has an operating system, from desktops to laptops, from mobile phones to tablets, from servers to switches, and from printers to IP telephones.

Essentially, what we’re trying to achieve is preventing the breaching techniques from occurring in the first place, so really, we’re not just looking at dealing with the vulnerabilities themselves but rather the way they’re exploited. To put it another way, think of it like having a lock on a door that can be picked, but making sure a burglar can’t get to the lock in the first place. My grandfather was notorious for padlocking everything, but always placed a heavy steel guard above the hasp to prevent someone from striking down onto the lock to break it.

It is perfect? Absolutely not. Cyber criminals are very skilled at finding a work around to compromise you. At the same time, the same criminals can be more interested in a quick win and the more unattractive a target is, the more likely they are to move on to an easier mark. Of course, the more you have, the more effort they’ll invest, and the more mitigation you need to implement. A vicious cycle, I know.

Where Do I Start? With anything, taking stock of your current security posture is a must, so gather up some relevant details on your environment or engage specialists to help you out. The more you know about your present environment, the better. A common pain point I hear is from organisations is that they lack visibility, current inventories, and recent evaluations such as a vulnerability assessment. Vulnerability scanning services, available from several great service providers, can provide a lot of intel on your environment and the threats it faces.

According to ASD, there are a few options that include Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). I won’t bog you down in what each one is and how it works, but in a nutshell, DEP marks parts of the memory as non-executable so when a program attempts to run, it flags an exception and hopefully fails miserably. ASLR “shuffles the deck” and moves the location of where executables can load around randomly, removing the predictability of where a program is. Think of this one like moving the furniture around in the dark so anyone that walks in thinking they know where the couch is falls over the coffee table instead. EMET is basically a tool kit that helps refine your security settings, so consider it as part of a hardening exercise.

Most exploits that we encounter seem to be related to the Windows environment because, face it, it’s everywhere. Other platforms, such as Linux, have their own versions of the above. In fact, entire platforms built on these mitigations exist such as SELinux. Oh yes, for the Microsoft folks, the EMET is end of life in 2018 but is being replaced by the Process Mitigations Management Tool.

Regardless of the methods selected or the tools used, you need to begin with an inventory of your systems to identify vulnerable and potentially vulnerable systems.

How do I make It Work? The good news is that a lot of the elements of DEP, ASLR, and EMET are already built into the newer operating systems. Even Windows XP has a few of them (but not all of them) and as much as we all loved XP, it’s time to let it go. If you’re already on Windows 10, you’re in a pretty good place already. I’ve also discovered that 64-bit platforms are far better than 32-bit regarding these mitigations but really, I think most of us are already running on 64 bit these days anyway.

Once you’ve identified your current vulnerable and potentially vulnerable systems, it’s time to get hardening and mitigating. Quick and dirty start is to upgrade to the latest and greatest platforms that already leverage these mitigation techniques and patch them to their current stable releases. Use toolkits, such as EMET, to refine your security settings. This, of course, is best left to the experts, so leave it to your systems administrators and if you need help, PLEASE put your hand up and ask!

I also recommend a before-and-after scan so before you begin and after you’ve completed the changes, be sure to run a vulnerability scan, or at least an inventory scan, so see where you’ve identified and dealt with vulnerable systems.

Pitfalls? Doing nothing is probably the worst thing you can do, or simply waiting for the next upgrade. Your organisation likely already has a strategy or plan in place for operating systems upgrades, so please be sure to follow through on it. You stand a far better chance running the latest technology. Also, be wary that some security settings can adversely affect applications. Not every application is developed with security front of mind and developers can and do take some liberties in the name of functionality. Also realise that there are going to be systems that just can’t be upgraded or hardened, so replacement may be a viable option. Just don’t leave yourself vulnerable.

Ghosts in the Machine? Beyond the operating systems are the applications above and the hardware below and sometimes we just must accept the vulnerabilities, mitigating by other means. I have often encountered legacy systems running on outdated platforms because upgrades were not available, replacing the system is far too expensive, or the systems were just too specialised. I understand this, but if these apply to you, perhaps it’s time to revisit these applications if the potential loss far outweighs the cost to secure them.

Anything Missing? Change management. Always remember to run all changes through your change management process. Also, be sure to test any changes you intend to make thoroughly before implementing them. You can also consider implementing all the hardening and mitigation techniques in your baseline image before deploying it so any new or updated systems being rolled out already have the mitigations in place.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party.  The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such.  Appropriate legal advice should be obtained in actual situations.  All images, unless otherwise credited, are licensed through ShutterStock

Views: 7

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service