Batten down the hatches: it’s time to harden every facet of your Windows network

Once upon a time, a Windows workstation could be hardened merely by running a series of scripts or a set of group policies. The security team could review guidance around security configurations from Microsoft, the US National Institute of Standards and Technology (NIST), or the Center for Internet Security (CIS) and tick that box when the auditors came around.

That was then — now, merely hardening the operating system is nowhere near enough to ensure that workstations won’t become an entry point for attackers. Vigilance must be extended to a wide array of locations that attackers consider your weak spots.

Let’s look at some of the avenues through which attackers will exploit those weaknesses.

Help desk and administrators

Targeting help desk and IT administrators is a front-and-center tactic: attackers go after the users they see as weak links or easy targets in an organization. Identifying those on the help desk is easy, because attackers prey upon the necessity of making IT support accessible and convenient.

Many public organizations advertise quite widely how to reach support on their public websites or social media — searching LinkedIn will often reveal those key personnel in a company simply by job title. Once an attacker determines who’s on the help desk, they can send phishes to these individuals posing as an employee, which can be as easy as sending a phishing attack as a text message to a cellphone.

Many firms and organizations such as hospitals, schools, and governments don’t have the ability to provide dedicated phones for two-factor authentication and must rely on staff members’ personal phones to allow access to their firm assets.

With any business phone that has access to two-factor authentication applications, consider the use of security and management software that will vet the links and websites that are accessed from the device. Software such as Microsoft Defender for Endpoint can be deployed to phones to better protect both iPhone and Android users.

If an employee refuses to install such software on their personal phone, always have alternatives available such as YubiKey hardware tokens. With a constant stream of zero-day vulnerabilities that impact both Android and iPhone, consider that these devices are no longer immune from security issues and must be monitored and managed as well.

Policing third-party reporting

Consider guidelines for support incidents with your third-party vendors as well. A case in point is a recent Okta breach that utilized an HTTP Archive (HAR) file, a JSON-formatted file that represents your most recent network activity as recorded by your web browser.

With so many applications on the web these days, vendors will often ask customers to create a HAR file in order to debug an access issue. These HAR files can and often do contain sensitive information and cookies that can be used by attackers. The Network tab in the Developer Tools of all browsers can be used to record an HTTP session. If you’ve never reviewed what a HAR file can contain, go to a website and perform the following:

In Chrome, go to the webpage of a sensitive site.

Open Developer Tools via the menu (Menu > More Tools > Developer Tools) and select the Network tab in the newly opened panel.

On the Network tab, make sure the round button in the upper left corner is red. If it’s grey, double-click it to begin recording the interactions.

Enable the “Preserve log” option to record all the web requests and responses.

To export the HAR file, click the down arrow button in the Network tab itself and save the HAR file to your computer. (You can also use a program like HttpWatch to review the transaction in real time.)

Now open it up in a HAR analyzing program or even Notepad. You may observe that it contains authentication tokens, cookies, session tokens, passwords, and API credentials. If a technical support team requests these files, ensure that your support staff knows that they often contain sensitive or proprietary information and that they need to be sanitized before being sent to any third party for analysis.
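The sanitizing step above is the one that gets skipped under time pressure, so here is an added example (not from the original article, and not Okta’s or any vendor’s tooling) of what a HAR sanitizer has to touch before the file leaves your organization. It walks the standard HAR 1.2 structure (`log.entries[].request` / `.response`), redacts credential-bearing headers, every cookie value, secret-looking query-string and form parameters, and sensitive keys in a JSON request body, and reports how many fields it blanked. The header and parameter name lists and the embedded `SAMPLE_HAR` are constructed for the example and are assumptions, not part of any specification.

```python
"""Redact credential-bearing fields from a HAR (HTTP Archive) file before sharing it."""
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed lists of names that commonly carry secrets; extend them for your own applications.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "password",
                    "api_key", "apikey", "session"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names):
    """Blank the value of every {name, value} pair whose name is in `names`; returns the count."""
    hits = 0
    for pair in pairs or []:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED
            hits += 1
    return hits


def _redact_url(url):
    """Blank secret-looking query parameters in a URL while keeping the rest of it intact."""
    parts = urlsplit(url)
    hits, cleaned = 0, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            cleaned.append((key, REDACTED))
            hits += 1
        else:
            cleaned.append((key, value))
    if hits == 0:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), hits


def _redact_json_text(text):
    """Blank sensitive top-level keys of a JSON request body; non-JSON bodies are left alone."""
    try:
        body = json.loads(text)
    except (TypeError, ValueError):
        return text, 0
    if not isinstance(body, dict):
        return text, 0
    hits = 0
    for key in body:
        if key.lower() in SENSITIVE_PARAMS:
            body[key] = REDACTED
            hits += 1
    return (json.dumps(body) if hits else text), hits


def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted fields). The input dict is not modified."""
    clean = copy.deepcopy(har)
    total = 0
    for entry in clean.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        total += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        total += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        # Cookie values are session material whatever their name, so blank all of them.
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = REDACTED
            total += 1
        total += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], hits = _redact_url(req["url"])
            total += hits
        post = req.get("postData")
        if post:
            total += _redact_pairs(post.get("params"), SENSITIVE_PARAMS)
            if "text" in post:
                post["text"], hits = _redact_json_text(post["text"])
                total += hits
    return clean, total


# Constructed two-entry HAR: a bearer-token API call and a JSON login, with fake secrets.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed-example", "version": "0"},
    "entries": [
        {"request": {"method": "GET", "url": "https://app.example.com/api/me?access_token=abc123&page=2",
                     "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi..."},
                                 {"name": "Accept", "value": "application/json"}],
                     "cookies": [{"name": "session", "value": "s3cr3t-session-id"}],
                     "queryString": [{"name": "access_token", "value": "abc123"}, {"name": "page", "value": "2"}]},
         "response": {"status": 200,
                      "headers": [{"name": "Set-Cookie", "value": "session=renewed-id; HttpOnly"},
                                  {"name": "Content-Type", "value": "application/json"}],
                      "cookies": [{"name": "session", "value": "renewed-id"}],
                      "content": {"mimeType": "application/json", "text": "{\"id\": 42}"}}},
        {"request": {"method": "POST", "url": "https://app.example.com/login",
                     "headers": [{"name": "Content-Type", "value": "application/json"}],
                     "cookies": [], "queryString": [],
                     "postData": {"mimeType": "application/json",
                                  "text": "{\"user\": \"alice\", \"password\": \"hunter2\"}"}},
         "response": {"status": 200, "headers": [], "cookies": [],
                      "content": {"mimeType": "application/json", "text": "{\"ok\": true}"}}}]}}


if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.sanitized.har (no argument: run on SAMPLE_HAR)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    cleaned, count = sanitize_har(har)
    print(json.dumps(cleaned, indent=2))
    print(f"# {count} field(s) redacted", file=sys.stderr)
```

Note what the example deliberately does not do: it leaves response bodies (`response.content.text`) untouched, because only a human who knows the application can say whether a rendered page or API reply embeds a token. Treat the redaction count as a prompt to open the file and look, not as proof that it is clean, and keep the sanitized copy rather than the original when handing it to the vendor.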

Make sure all staff have at least MFA

In an infamous hack earlier this year, the US State Department was targeted by Chinese attackers who found code-signing certificates embedded in a memory dump that ended up in a public repository. The memory dump was from a Microsoft employee with access to sensitive levels of information.

But attackers will also go after individuals in your organization at other reporting levels. Once again, social media and LinkedIn are key ways to investigate who is related to whom and to target individuals in the organization who may have a relationship with one another. Thus, ensuring that all staff have multifactor authentication and don’t just rely on a username and password to gain access to resources is key.

Recently, CISA released a document on phishing guidance that points out that mere antivirus is not enough. It goes on to indicate that multifactor authentication is the primary mitigation for phishing aimed at obtaining login credentials.

Another common attack is malware phishing, in which the bad actor sends a malicious link to a target and tricks them into launching it. Mitigations for this type of attack include application allow-listing and running an endpoint detection and response agent. But don’t just have this sort of protection on workstations; consider these protections on phones and other devices as well.

Consider additional protection such as DNS tools that pre-scan the websites and links that your users are going to. These tools do not have to break the bank and can even be obtained at low cost or no cost to your organization. Ensure that even those who work from home set up their home routers to point to such DNS filtering tools as OpenDNS and instruct users on how to set up categories that they wish to block.

Web policies need to be hardened too

If you want to go even further in ensuring that your firm is protected, consider web policies that block users from all websites unless they have a business need for access. I’ve seen this done successfully in school environments where the staff and children in the school are younger and have no need for full access to the internet.

Restricting sites may seem draconian for some firms, but if you can, consider flipping any deny policies you may have in place to an “only if allowed” mindset instead.

Finally, review the logging that all of your applications and third-party interactions have and their retention duration — often, it’s only upon review that you determine how the attacker gained access.

Microsoft was urged by CISA and others to expand logging and make more of it a default after the attacks on the State Department earlier this year. Microsoft had initially promised to roll out the much-needed MailItemsAccessed logging to all tenants by October of this year. Now, however, buried in a roadmap linked from a Microsoft blog, this promised tool for identifying what an attacker has accessed won’t come out until September of next year.

Bottom line: don’t just harden the operating system these days. Harden your authentication, harden your help desk, and harden the log files that you keep. You’ll need all of these hardenings in place to beat the bad guys.
