Tag Archives: protection measures

Poweliks it is still stuck in my mind

17 August 2014

It may sound funny, but Poweliks is still stuck in my mind. The bad news for me is: Poweliks resides only in Windows registry.

The good news is: To start at every login the malware uses the Windows registry, namely the outdated method of using the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] key.

And this is exactly the vulnerability of Poweliks we can use for taking counter measures!

The Windows policy ‘Do not process the legacy run list’ could be used to block Poweliks. If enabled this policy blocks the programs listed in the run key from getting executed during login. That’s it!

Do Not Process Legacy Run List Policy

Do Not Process Legacy Run List Policy

To enable the ‘Do not process the run once list’ policy start the local group policy editor gpedit.msc and navigate to section User Configuration\Administrative Templates\System\Logon. Double click the policy, select option ‘Enabled’, enter a comment and click ‘Apply’.

Use policy ‘Run these programs at user logon’ to whitelist the programs which you want to start at login. To prevent unwanted programs from getting started during system boot, enable the ‘Do not process the run once list’ in Computer Configuration as well.

Sounds somewhat strange, like fighting fire with fire. A much better solution would be to isolate all applications in AppContainers like Internet Explorer and run them at integrity level “Low” when connected to whatever network.

Microsoft, please do us this favour in Windows 10 the latest!

NMH survival strategy

26 July 2014

Business people are quick in demanding the highest IT security standards, but when it comes to the implementation, the security measures should not have any impact on their daily business.

What impact is a just about acceptable? The answer to this question depends on many factors. Moreover, there is no universally applicable answer to this question.

Last week this question came up in a discussion about the impact of protection measures on scientists. My answer was: Lets try the NMH (No Medium High) impact approach.

No impact

Start with protection measures that have no impact on daily work. Many technical measures and few organizational measures could be implemented in the background, in the best case without a downtime.

Present your approach and the measures to the business groups. Show that there is no impact on their daily work. I bet, everyone will welcome this approach. And, if it works, everyone will trust you and you will feel like a super hero.

Medium impact

In the next step develop measures with low or medium impact on daily work. It is very important that this is done in close collaboration with the business groups. This measures are mostly organizational measures or small changes of the way of working, e.g. waiving of USB sticks, encryption of emails if sensitive information is exchanged, or the set up of a data handling policy.

Offer at least equal or better and easy to use alternatives. Agree with the business groups in the set of measures that should be implemented, in the schedule and the remaining risk as well. Make clear that the business groups have to cover the remaining risk! Implement the changes in close cooperation with the business groups.

High impact

Finally, discuss measures that have a high impact on the way of working, e.g. strong passwords, two factor authentication to systems which are used for access to core business data or classification and tagging of data.

If there are legal requirements to implement those measures, that’s a more easy job. Anyway, you have to make the advantages clear! Finally , the business groups have to agree in the set of measures which should be implemented. In the worst case, they take the remaining risk and reject any proposals for high impact measures. If there are no legal requirements that’s ok.

From my point of view with the NMH approach you will get a high level of security without infuriating the business groups too much!

Become a superhero!