Many security organizations only focus on critical and high findings from vulnerability scanning tools. This can often lead to a false sense of security, thinking that only what a tool labels as critical or high is necessary to deal with, and not exploring the rich treasures found in the informational data these scanning tools can yield.
There are currently over 200 known, profiled ransomware variants in the wild. Less than half of those variants have documented, successful tools/strategies for remediation. In the absence of remediation and removal, the best protection by far is prevention. We will be focusing on pre-compromise prevention and not after the fact detection or recovery.
One of the best kept secrets of Tenable Nessus is the amount of rich informational data it can collect. For the purposes of this article, we will be focusing on two types of findings few people analyze.
Together they can be a powerful guide to assess your network security posture and help ensure your organization is as resilient as possible from malicious actors.
1. Restrict hosts from each other on the network if they have no need to communicate. Workstations, as a rule, should not need to directly connect to each other, especially over file sharing protocols, e.g., CIFS. The Microsoft Windows Firewall can be used to keep hosts isolated from each other, which can be a great protection against lateral propagation in the event of a compromise.
2. Enable User Account Control (UAC). UAC is a mandatory access control enforcement facility. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes a privilege increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, reducing the risk of malware compromising the operating system(s).
3. Make sure reputable Anti-Virus software is installed. Arguably, all AV software is equally ineffective, but necessary, nonetheless.
4. Ensure AV is set to scan email attachments upon opening. Check the AV systems settings to allow maximization of the software’s potential effectiveness. If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens an attachment. If the antivirus program raises a red flag, the attachment is blocked from being opened. If this setting is disabled, Windows does not call the registered antivirus programs when file attachments are opened.
5. Disable or restrict Remote Desktop Protocol. RDP should never be exposed directly to the internet. In the event RDP is necessary, make sure it is restricted as heavily as possible and not publicly exposed on the internet.
6. Disable Microsoft Office Macros. Microsoft Office documents (Word, Excel, PowerPoint, etc) can contain embedded code written in a programming language known as Visual Basic for Applications (VBA). These Macros are often used by malicious actors to execute arbitrary code. If they are not being used, they should be disabled.
7. Make sure reputable Anti-Virus software is installed. Arguably, all AV software is equally ineffective, but necessary, nonetheless.
8. Ensure AV is set to scan email attachments upon opening. Check the AV systems settings to allow maximization of the software’s potential effectiveness. If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens an attachment. If the antivirus program raises a red flag, the attachment is blocked from being opened. If this setting is disabled, Windows does not call the registered antivirus programs when file attachments are opened.
9. Disable or restrict Remote Desktop Protocol. RDP should never be exposed directly to the internet. In the event RDP is necessary, make sure it is restricted as heavily as possible and not publicly exposed on the internet.
10. Disable Microsoft Office Macros. Microsoft Office documents (Word, Excel, PowerPoint, etc) can contain embedded code written in a programming language known as Visual Basic for Applications (VBA). These Macros are often used by malicious actors to execute arbitrary code. If they are not being used, they should be disabled.
This list is by no means exhaustive, and there are many other settings and configuration options you should be reviewing to make sure you stay secure. The settings from the items in this list above can be mined from the Nessus scans. This is just a few examples of the revealing intel Nessus can harvest in its informational data. Sadly, this rich data is often ignored or thought to be noise.
© 2023 All Rights Reserved