Security insights from ThreatLocker
Over the last month, we have observed a major shift in the way businesses and organizations communicate internally. As millions of new users are introduced to remote-collaboration tools, the risks associated with these services continue to increase.
Last week, Eric Yuan, Founder and CEO of Zoom, announced, “In March this year, we reached more than 200 million daily meeting participants, both free and paid”, up from a maximum daily average of 10 million in December. Just recently, Zoom faced a number of security issues that put millions of users at risk. While these vulnerabilities have already been remediated, many organizations have banned the use of this video conferencing tool.
While the latest Zoom vulnerability has been a hot topic, no remote collaboration tool is immune to a cyberattack. Last month, a vulnerability was also discovered in Slack, which allowed automated account takeovers. Banning the use of these tools might not be an option for your business, and switching to another remote collaboration tool does not guarantee better protection. It is therefore critical that you place certain restrictions on these tools so that they cannot be weaponized against you.
Here are a few security best practices you should be implementing to stop your applications from stealing your data:
Did you know the average employee uses 5-10 applications to perform their job? Despite that, most operating systems are left wide open, so any application, malicious or not, can run, leaving your business vulnerable to zero-day threats or the latest malicious software, including ransomware.
We highly recommend you restrict access to files and folders based on what your users need to perform their job functions. By doing so, if they happen to suffer a ransomware attack, the damage will be limited to what they were permitted to access.
Confidential files and other sensitive information are often shared by employees using tools like Slack. With remote workers on the rise, the volume of information being shared on remote collaboration platforms has drastically increased, making these tools a major target for cybercriminals. You should stop Slack and other remote collaboration tools from accessing your files and documents when such access is not needed. This will limit the damage that could be done if you were hit with a ransomware attack.
Many users are unaware that once an application is running, it has complete access to everything else in their system. By not restricting what users can access, you leave your system exposed to vulnerabilities or the misuse of legitimate software. It’s critical for you to be protected rather than harmed by your own applications.
Lateral movement between applications, files, and registry editors should be restricted as much as possible. A cybercriminal’s ultimate goal is to gain full access into your network, carry out malicious behavior, and then sit and wait for the perfect opportunity to steal or encrypt as much of your data as they can in order to receive the biggest payout.
In addition to restricting your users’ access to files and applications, you should control how applications interact with other applications.
For example, PowerShell, a task automation and configuration management framework from Microsoft, is needed to manage Office 365. However, you should limit PowerShell's network access to one IP address and take it a step further by preventing PowerShell from creating files or documents and from accessing your file shares. By doing so, a malicious file shared through Office 365 cannot harm you by exploiting this tool.
Furthermore, if both PowerShell and Microsoft Office are required in your environment, Microsoft Office should not interact with PowerShell. This is made possible with the Ringfencing solution which allows you to define rulesets governing how an application can interact with other applications in addition to what resources an application can access.
We recommend you create Ringfencing policies to stop user-facing applications from interacting with system tools. From there, you can create policies to stop applications like regsvr32 and PowerShell from accessing the internet.
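The PowerShell, regsvr32 and Office restrictions described above, expressed with built-in Windows controls instead of ThreatLocker Ringfencing. This is an added example, not the post's or ThreatLocker's own policy content; it assumes 64-bit Windows 10 default paths, Microsoft Defender Antivirus with Attack Surface Reduction support, and a placeholder management address.

```powershell
# Added example (not ThreatLocker Ringfencing): the same restrictions with native Windows
# controls. Assumes 64-bit Windows 10 default paths, Microsoft Defender Antivirus with
# Attack Surface Reduction (ASR) support, and a placeholder management address.
# Run from an elevated PowerShell session.
$ManagementHost = "203.0.113.10"   # placeholder: the one address PowerShell may reach

$PowerShellExes = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
$RegSvr32Exes = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)

# Windows Firewall evaluates block rules before allow rules, so an "allow one host" rule
# cannot be layered on top of a blanket block. Instead, block every IPv4 destination except
# the management host by splitting the address space around it (IPv4 unicast only; the
# split leaves broadcast/multicast alone, and IPv6 needs its own rule if it is routed).
$AllButManagement = @(
    "1.0.0.0-203.0.113.9",
    "203.0.113.11-223.255.255.255"
)
foreach ($exe in $PowerShellExes) {
    New-NetFirewallRule -DisplayName "Ringfence: PowerShell outbound except management host" `
        -Direction Outbound -Program $exe -RemoteAddress $AllButManagement -Action Block
}

# regsvr32 never needs the internet: block all of its outbound traffic.
foreach ($exe in $RegSvr32Exes) {
    New-NetFirewallRule -DisplayName "Ringfence: regsvr32 no outbound" `
        -Direction Outbound -Program $exe -Action Block
}

# Office should not launch PowerShell (or any other child process): enable the Defender
# ASR rule "Block all Office applications from creating child processes".
$OfficeChildProcRule = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Review what was applied.
Get-NetFirewallRule -DisplayName "Ringfence:*" |
    Get-NetFirewallApplicationFilter | Select-Object Program
(Get-MpPreference).AttackSurfaceReductionRules_Ids
```

Set the ASR rule to AuditMode first if you want to confirm that no legitimate Office workflow spawns child processes before enforcing it.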
While this might sound complicated, ThreatLocker has a library full of predefined policy sets that can be applied in seconds.
Patch your operating system and third-party applications in a timely manner. You can have the best security software in the world and at best, it will be 75% effective if your computers are not patched and updated.
By using our built-in definitions combined with Application Whitelisting, your applications are automatically updated and won’t be blocked.
You might recall our previous blog post The Hidden Dangers of Chrome Extensions. In February of this year, Google removed over 500 malicious plugins from the Chrome Store.
Most users are under the impression that these extensions are safe, however, this is not always the case.
The malicious behavior of the extensions that have since been removed ranged from pop-ups to malicious code being injected into legitimate websites. Users were tricked into believing that they were submitting data to an authentic site such as Macy's or Best Buy, while all along the extension was harvesting their data.
Many users also do not realize that these extensions have the ability to directly call on other applications. While the extension itself may not have access to your documents, it can call on other Windows applications and weaponize them by accessing or encrypting your files.
In order to stop a Chrome extension from being weaponized and used against you, we recommend you stop them from running in the first place. If it is not running, it cannot steal your data.
You should block all extensions from running without approval from your IT department.
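One way to enforce that "no extension without IT approval" rule in Google Chrome, as an added example that is not part of the original post: Chrome's enterprise extension policies, written to the HKLM policy registry keys. It assumes Chrome on Windows reading machine policy; the approved extension ID below is a placeholder, not a real extension.

```powershell
# Added example (not from the original post): block every Chrome extension except those
# on an IT-approved allow list, using Chrome's ExtensionInstallBlocklist/Allowlist policies.
# Assumes Chrome on Windows reading HKLM policy keys. Older Chrome releases used the policy
# names ExtensionInstallBlacklist and ExtensionInstallWhitelist instead.
# Run from an elevated PowerShell session.
$ChromePolicy = "HKLM:\SOFTWARE\Policies\Google\Chrome"
$Blocklist = Join-Path $ChromePolicy "ExtensionInstallBlocklist"
$Allowlist = Join-Path $ChromePolicy "ExtensionInstallAllowlist"

# Placeholder ID, not a real approved extension: replace with the IDs IT has signed off on.
$ApprovedExtensions = @("aaaabbbbccccddddeeeeffffgggghhhh")

foreach ($key in $Blocklist, $Allowlist) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# "*" in the blocklist stops installation of every extension and disables ones already installed.
New-ItemProperty -Path $Blocklist -Name "1" -Value "*" -PropertyType String -Force | Out-Null

# Entries in the allow list override the blocklist for those IDs only.
$index = 1
foreach ($id in $ApprovedExtensions) {
    New-ItemProperty -Path $Allowlist -Name "$index" -Value $id -PropertyType String -Force | Out-Null
    $index++
}

# Verify the written policy; users can confirm it took effect at chrome://policy.
Get-ItemProperty -Path $Blocklist, $Allowlist
```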
As users adapt to working from home, it’s important they are familiar with your security policies. Encourage your users to remain vigilant and exercise caution just as they would in the office.
The prevalent Trickbot and Emotet malware families have evolved to take advantage of the pandemic. Microsoft has observed 76 threat variants to date globally using COVID-19 themed lures. Continue to update your users on the latest phishing scams while also reminding them that email is only one of the many points of entry for a cyber attacker.
You should require all passwords to be secure and complex and enforce two-factor authentication for an extra layer of security and control. Also require that USB devices, external drives, and cables be approved by your IT department.
It is critical that your users understand their responsibilities when it comes to ensuring a secure work environment.
We hope that you found this information useful. Please continue to check back on our blog as we share updates to keep you informed during these challenging times.