All software is vulnerable so lock it by default, ThreatLocker


'Don't trust anything. Zero trust is the mindset we should apply'

Many exploits take advantage of functionality that has little real-world utility in the first place, according to Ben Jenkins, director of cybersecurity at ThreatLocker.

Take the recent Follina vulnerability, in which opening a corrupted Microsoft Word document starts a chain of events that uses PowerShell scripts to ultimately download and execute malware on the victim's device.

"Why does Office need to be able to call PowerShell?" asked Jenkins during a presentation at the Computing Cybersecurity Festival on Thursday. "I've never received a good answer to that question."

So, one way to block attackers exploiting Follina, while waiting for Microsoft to provide a patch (the average time to patch a zero-day is 34 days) is to prevent Office from calling PowerShell. Users are extremely unlikely to notice any difference. Another is to disallow PowerShell from connecting to the internet.

Follina is just one example of a flaw in a popular productivity application. Between them, 125 critical vulnerabilities have been identified in Microsoft Office, Google Chrome, Adobe Reader and Dropbox, and those are a small fraction of the 20,000 CVEs reported every year.

As serious as a vulnerability like Follina or PrintNightmare might be, at least they are the responsibility of one vendor to patch, in this case Microsoft. Worse are flaws like Log4Shell, because Log4J is included in thousands of vendors' software and hosted on an estimated 3 billion devices.

Because of the complexity of the landscape, the rate of emergence of new flaws, the increasing prevalence of 'living off the land' attacks ("using Windows to hack Windows"), and the lag before patches are made available, a zero trust, lock-by-default approach to application security is becoming essential.

Zero trust has several variants, but as it pertains to implementing security controls the definition is simple, said Jenkins: "It's the principle of least privilege. Allow what you need, block everything else".

The tools and methods that allow organisations to achieve this include ringfencing, application whitelisting, storage control, network access control and elevation control.

With these tools, admins can ensure that no executable can run unless it has been approved, or that it can only run within specified parameters. Applications can be blocked from connecting to the web; USB devices can be whitelisted to reduce the risk of malware entering that way; networks can be locked down to all but essential applications; and the right to install TeamViewer or any other risky application can be restricted strictly to admins.
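The controls described above (application allow-listing, ringfencing of parent/child process relationships, and per-application network blocking) can be modelled as a small default-deny policy engine. The following is an added, constructed example written for this article; it is not ThreatLocker's code or a description of its product internals, and the process names, the "dropper.exe" image and the sample events are all made up for illustration. It encodes the Follina mitigation Jenkins suggests: Office may not start PowerShell, and PowerShell may not reach the internet, while anything not explicitly approved is blocked.

```python
"""Toy default-deny application policy: allow-listing plus ringfencing.

Constructed model of the controls discussed in the article, not ThreatLocker's
product. Process-start and outbound-connection events are checked against a
policy that (1) allows only listed executables to run, (2) restricts which
children a given parent may spawn (ringfencing) and (3) denies network access
to selected executables. Anything not explicitly allowed is blocked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "exec" (process start) or "net" (outbound connection)
    parent: str        # image name of the parent process
    image: str         # image being started, or the one opening the connection
    dest: str = ""     # "host:port" for "net" events


@dataclass
class Policy:
    allowed: set            # executables permitted to run at all (default deny)
    blocked_children: dict  # parent image -> set of child images it may not spawn
    no_network: set         # executables denied outbound connections

    def evaluate(self, ev: Event) -> tuple:
        """Return (verdict, reason); verdict is 'allow' or 'block'."""
        image = ev.image.lower()    # Windows image names are case-insensitive
        parent = ev.parent.lower()
        if ev.kind == "exec":
            if image not in self.allowed:
                return ("block", f"{ev.image} is not on the allow list")
            if image in self.blocked_children.get(parent, set()):
                return ("block", f"{ev.parent} is ringfenced from starting {ev.image}")
            return ("allow", f"{ev.image} is approved for {ev.parent}")
        if ev.kind == "net":
            if image in self.no_network:
                return ("block", f"{ev.image} may not connect to {ev.dest}")
            return ("allow", f"{ev.image} may connect to {ev.dest}")
        return ("block", f"unknown event kind {ev.kind!r}")  # unknown -> deny


# Hypothetical policy mirroring the Follina mitigation described in the article:
# Office applications may not call PowerShell or cmd, and PowerShell may not
# make outbound connections. Everything not listed in `allowed` is blocked.
POLICY = Policy(
    allowed={"winword.exe", "excel.exe", "powershell.exe", "chrome.exe", "explorer.exe"},
    blocked_children={
        "winword.exe": {"powershell.exe", "cmd.exe"},
        "excel.exe": {"powershell.exe", "cmd.exe"},
    },
    no_network={"powershell.exe"},
)

# Constructed sample events (not real telemetry); "dropper.exe" is a made-up name.
SAMPLE_EVENTS = [
    Event("exec", "WINWORD.EXE", "powershell.exe"),                  # Word -> PowerShell
    Event("exec", "explorer.exe", "powershell.exe"),                  # user launches PowerShell
    Event("exec", "WINWORD.EXE", "dropper.exe"),                      # unapproved binary
    Event("net", "explorer.exe", "powershell.exe", "203.0.113.10:443"),  # PowerShell egress
    Event("net", "explorer.exe", "chrome.exe", "example.com:443"),    # browser egress
]


def evaluate_all(policy: Policy, events) -> list:
    """Verdicts for a list of events, in order."""
    return [policy.evaluate(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = POLICY.evaluate(ev)
        print(f"{verdict:5s} {ev.kind:4s} {ev.parent} -> {ev.image} {ev.dest}  ({reason})")
```

Run as a script it prints one verdict per sample event: the Word-to-PowerShell start, the unapproved binary and the PowerShell connection are blocked, while PowerShell started from Explorer and the browser's connection are allowed. The point of the model is the ordering of checks: the allow list is consulted first, so an unknown binary never reaches the ringfencing or network rules, and any event kind the policy does not understand falls through to a block rather than an allow.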

"Don't trust anything," Jenkins advised. "Zero trust is the mindset we should apply."

He recommended that this philosophy be extended to all areas of business technology.

"By doing all this we can exchange the paradigm, change the way that we view security in this day and age."

Register now for days two and three of the Cyber Security Festival 2022, taking place online on the 15th and 16th June.