20 May 2018
Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.
Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):
“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”
Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.
Let me give two examples to illustrate this.
- If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.
If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.
But be aware that the attacker also knows what cannot be done after a standard is implemented…
Have a great week.
Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/
Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)
Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/