Turning The Tide Against Malware

By Allan Muchmore, Muchmore Consulting

 Muchmore Consulting

On June 28, 2017, two Seattle law firms contacted our consulting group requesting that we check their email systems.  They were receiving bounce message when e-mailing the London office of DLA Piper.  Our clients found it unlikely that the third largest law firm in the world could be having problems receiving a simple email.  But Piper was having problems.  I happened to be in London at the time where newspaper headlines proclaimed DLA Piper’s systems were completely down.  Firm members had no phones, no email, and no access to documents, costing the firm millions in lost revenues, damage to their reputation and, of course, bounced e-mails.  But such high-profile cyberattacks occur so often, the attack was barely news in the US.

The Malware Problem

The never-ending news of data breaches from cyberattacks serves notice that corporate networks are not reasonably secure.  The current downward spiral of cyber security began once criminals learned how to monetize malicious software (malware) and hired teams of programmers to replace the lone hacker.

The resulting flood of new malware has overwhelmed traditional anti-virus software’s ability to reliably recognize and block new malicious files. When the criminals prepare a concentrated attack, they set up a series of malicious programs to be released over a period of days. Security software cannot keep up with these new releases.  During this time, many firms’ sole defense rests on personnel not being tricked into clicking on the wrong file or link. This thin line of defense has resulted in the never-ending parade of data breaches.

Nearly every single security breach you read about in the news began with a firm member tricked into giving a hacker the needed foothold in the corporate network.  When the hackers leverage that foothold to run their code on firm computers at will, they gain the ability to do anything with the firm’s confidential data that firm employees can do: read, copy, delete or modify the data.

Ransomware is a newer type of malicious code that modifies data in a particularly devious way.  It encrypts a firm’s documents, effectively destroying the primary copy of documents unless a ransom is paid to decrypt the information.  Though a good backup is an excellent defense against current forms of ransomware, there are signs of new techniques on the horizon.  For example, a new generation of malware could automate the public revelation of confidential or embarrassing information unless a ransom is paid.

An Effective Response

We have been very successful in protecting against malware by focusing on the weak spot--preventing firm members from running foreign software on the network. This approach recognizes that any software code running on your network effectively entrusts the author with your firms’ data, and should be appropriately vetted.

Our method of implementing these protections on Windows networks have started with restricting “local administrator permissions.”  This restriction is commonly seen in larger business networks, though it is not universal.  We combine these permissions with the use of Software Restriction Policies (SRP), a little-used feature built into Professional versions of Windows for over a decade, to remove the final weak point of code execution.  We chose SRP’s because these rules are universally and freely available amongst our clients’ Windows computers, which includes large numbers of Windows 7 Professional installations.  Firms with Windows 7 Ultimate or Windows 8 or 10 installation should consider using Applocker, which is more flexible to implement.  

 

The configuration we prefer includes:

  • Configuring firm members to work with an account that is not a member of any “administrator” group on the computer or the network.  On a technical level, not having local administrative privileges prevents users from making changes to any portion of the local computer outside Users folder or registry section.  Practically, this prevents the account used for typical work from installing or updating most software programs or making system changes to the computer.
  • Restricting the ability of user accounts to make changes to network shares that contain executable files.
  • Employing Windows Software Restriction Policies through domain Group Policy to prevent the running executable file types within folders in their the user profile, which includes the foldersDownload, Desktop, Documents, and the temporary folders for Outlook and Internet Explorer temporary files.  The excluded files types include EXE, CMD, BAT, VBS, DLL and over thirty other file types.  Practically, this prevents a user from launching program code received or downloaded from the internet.
  • Creating an “override” user account with local administrative privileges on the computer, but not the network.  The account allows a trained firm member to use the “Run as Administrator” option to launch an appropriate program or installation routines.

Over the last two years, these changes have been completely effective in preventing firm members from inadvertently running malicious software, including those from email attachments, hacked websites or infected documents.  Within a week of implementation, I had a complaint from an accountant unhappy about not being able to open an “invoice” from an important vendor. This invoice was malware sent from a hacked account that slipped by the antivirus software, but was blocked by the SRP.  When checking log files, we periodically encounter similar instances of files that evaded commercial security software and were blocked by the SRPs.

Though powerful and effective, implementing these policies on existing networks configured with looser security has proved challenging.  These challenges include:

  • Creating exceptions for software applications that do not follow proper rules for application development.  In particular, some programs insist on writing to system areas of the computer.  We usually encounter this problem with specialized legal programs written by smaller vendors, or with programs that use restrictive copy protection routines.  These programs can require custom SRP rules or require cumbersome steps for installation of the software.
  • Dealing with legitimate software that is explicitly designed to circumvent IT policies. For example, programs such as Webex and Goto Meeting are designed for attendees to run at the time of a meeting, circumventing the need for IT support.  Since these programs are designed to evade administrator restrictions using techniques also used by malware, the software restriction policies can make the software more difficult to run even with the override password.
  • Attorneys and other firm members sometimes have important reasons for wanting software installed on short notice.  For example, they receive documents that requiring a specialized viewing program.  The override password can be used by trained staff to carefully install the software.  But some firms have started using the more secure option of providing secondary or floating laptops with broader privileges to install software.  Since these laptops do not contain data or full access to the central network, any inadvertently executed malware cannot access the network.
  • Program updates might require a new framework for automation since users can no longer simply accept a prompt to accept the updates.  We use Windows Software Updates Services (WSUS) to centrally control Microsoft updates.  For third-party software, there are many excellent products.  We favor Ninite for updating freely-available programs such as Java and Adobe products.  Though we receive notes from firm members that are frustrated by not being able to update their own software, the security benefits of this system are dramatic.  We have seen several instances in which savvy computer users were tricked by fake update prompts only to be blocked by the restriction policies.  Centrally managing updates also allows selective testing for buggy updates, before rolling them out to an entire firm.

Conclusion

Though these technical policies have so far been completely effective in preventing malicious software even when other systems fail, we are under no illusion this setup represents the end of the road of cyber defenses. Computer security is not a technical problem to be solved, but a battle against a smart and motivated enemy. Hackers have modified their software in the past to work around measures that started off with similar effectiveness and they will do so again.

But regaining basic control of which program code is allowed to run on a network does represent a fundamental shift from the current paradigm of individual, on-the-fly decision making.  The widespread adoption of this approach, combined with other standard security precautions, should allow firms to once again make cyber-theft a rare and exceptional occurrence.

Muchmore Consulting (www.muchmoreconsulting.com) is geared to provide the full spectrum of technology support exclusively for law firms in the Seattle area.  Our services include infrastructure planning, network help desk support, security consulting and forensic services.