In one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:
- Segregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
- Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
- Deploy, configure, and monitor application whitelisting to prevent malware from executing;
- Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
- Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
- Maintain and monitor centralized host and network logging products, after ensuring that logging is enabled on all devices and their logs are collected, so that malicious activity is detected and contained as soon as possible;
- Implement pass-the-hash mitigations to cut credential theft and reuse;
- Deploy the Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET), or another anti-exploitation capability for devices running non-Windows operating systems;
- Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
- Implement host intrusion prevention systems to detect and prevent attack behaviors; and
- Update and patch software in a timely manner so known vulnerabilities cannot be exploited.
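Several of the items above (centralized logging, restricting workstation-to-workstation traffic, pass-the-hash mitigation) only pay off if someone actually looks at the collected logs. As an added illustration that is not from the NSA report or this post, the Python script below runs a common hunting heuristic over a handful of constructed Windows Security events: successful network logons (event 4624, logon type 3) that authenticated with NTLM and landed on a workstation, then groups them by source address to find one source fanning out to several workstations. The JSON-lines layout, the `WS-` host-naming convention and the fan-out threshold are assumptions made for the example; real log collectors export different field layouts.

```python
"""Hunt centrally collected Windows logon events for NTLM workstation-to-
workstation logons, a common pass-the-hash / lateral-movement indicator.

Added example; not code from the NSA report or the Bach Seat blog.
"""
import json
from collections import defaultdict

# Constructed sample events in JSON-lines form. Field names are borrowed
# from the Windows Security log (EventID, LogonType, AuthenticationPackageName,
# TargetUserName, IpAddress, Computer) but the export layout is hypothetical.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "alice", "IpAddress": "10.0.1.21", "Computer": "WS-0042"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "alice", "IpAddress": "10.0.1.21", "Computer": "WS-0043"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "bob", "IpAddress": "10.0.1.30", "Computer": "WS-0044"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup", "IpAddress": "10.0.1.21", "Computer": "FS-01"}
{"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "alice", "IpAddress": "10.0.1.21", "Computer": "WS-0045"}
{"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate", "TargetUserName": "carol", "IpAddress": "127.0.0.1", "Computer": "WS-0046"}
"""

# Assumed naming convention: workstations are named "WS-<number>". A real
# deployment would look this up in an asset inventory instead.
WORKSTATION_PREFIX = "WS-"


def is_workstation(host: str) -> bool:
    return host.upper().startswith(WORKSTATION_PREFIX)


def parse_events(text: str) -> list:
    """Parse JSON-lines into dicts, skipping blank or malformed lines so a
    single bad record does not stop the whole hunt."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def workstation_ntlm_logons(events: list) -> list:
    """Return successful network logons (4624, LogonType 3) that used NTLM
    and landed on a workstation, as (source_ip, target_host, user) tuples.
    Failed logons (4625), Kerberos, interactive logons and server targets
    are deliberately left out."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if not is_workstation(ev.get("Computer", "")):
            continue
        hits.append((ev["IpAddress"], ev["Computer"], ev["TargetUserName"]))
    return hits


def fan_out_by_source(hits: list, threshold: int = 2) -> dict:
    """Group hits by source address and keep only sources that reached at
    least `threshold` distinct workstations: one host touching many peers
    over NTLM is the pattern the workstation-to-workstation restriction and
    pass-the-hash mitigations are meant to stop."""
    targets = defaultdict(set)
    for src, host, _user in hits:
        targets[src].add(host)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    hits = workstation_ntlm_logons(parse_events(SAMPLE_EVENTS))
    for src, hosts in fan_out_by_source(hits).items():
        print(f"{src} reached {len(hosts)} workstations via NTLM: {', '.join(hosts)}")
```

On the constructed sample, only the two `alice` logons from `10.0.1.21` to `WS-0042` and `WS-0043` survive the filter, so that source is reported. Treat the output as a hunting lead rather than an alert: legacy applications and non-domain hosts also produce NTLM type-3 logons, and the source address still has to be resolved against the asset inventory to confirm it is itself a workstation.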
The author quotes from the report:
Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.
rb-
For those who have not been following along, the TLAs have been attacking and manipulating anti-virus software from Kaspersky.
We also now suspect that the TLAs have compromised at least one, and probably two, hardware vendors. Business Insider recalls that way back in 2013, as part of the Edward Snowden NSA spying revelations, German publication Spiegel wrote an article alleging that the NSA had done a similar thing: put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment.
Over at Fortinet (FTNT), a backdoor management console access issue appeared in its FortiOS firewalls, FortiSwitch, FortiAnalyzer and FortiCache devices. These devices shipped with a secret hardcoded SSH login and passphrase.
The article seems like advertising for the TLAs' hacking program.
Related articles
- NSA and GCHQ reverse engineering anti-virus software (kitguru.net)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedIn, Facebook and Twitter. Email the Bach Seat here.