Technical – hastwell_ (https://hastwell.au): Empowering Business Through Technology

Cyber Assurance and Compliance Consulting
https://hastwell.au/cyber-assurance-and-compliance-consulting/
Tue, 17 May 2022 12:35:49 +0000

Hastwell continually looks to understand the needs our customers have and find ways to assist them with the challenges they face in their business.

Cyber Security and Compliance is becoming an increasing concern to many today. In particular, gaining an in-depth understanding of a company's security posture and then aligning it with an executive-level strategy that effectively empowers operational-level implementation is a challenge that continues to increase in complexity.

Hastwell have recently welcomed Silvio Danilovic to the Hastwell Tribe. He has started building a new Cyber Assurance and Compliance Consulting practice to help our customers with these challenges.
While Hastwell have provided technology solutions to address security requirements for years, these new capabilities will broaden our skillsets and enable us to provide a full suite of security and compliance services inside of Information Technology and beyond.

If you would like to better understand your security and compliance posture, please contact us today.

Cyber Security in the Wake of Ukraine
https://hastwell.au/cyber-security-in-the-wake-of-ukraine/
Tue, 01 Mar 2022 05:34:13 +0000

In light of the current situation in Ukraine, the Australian Cyber Security Centre (ACSC) is urging all Australian organisations to adopt an enhanced cyber security position.

Background

Over the past two weeks, an escalation in conflict between Russia and Ukraine has resulted in a significant increase in observed cyber-attacks. From mid-February the Ukrainian Government and banking institutions have been experiencing a series of distributed denial of service (DDoS) attacks. More recently, a new wiper malware variant named HermeticWiper was discovered in Ukraine and a number of Ukrainian Government organisation websites have been defaced.

[Image: Website defacement message. A new message in red font translates to “Do you need proof, see the link at the end.”]

Many Western Governments, including Australia, are now issuing warnings to prepare for cyber-attacks that may disable, disrupt or destroy critical infrastructure. It is expected that future attacks may target Western nations in retaliation for sanctions imposed on Russia.

Whilst the ACSC is not aware of any current or specific threats to Australian organisations, it is expected that businesses may be affected through unintended disruption or uncontained malicious cyber activities. As such, the ACSC is recommending Australian organisations adopt an enhanced security posture and increase monitoring for threats.


What to Expect

The following Tactics, Techniques and Procedures (TTPs) are likely:

  • Initial Access – Spear phishing emails may be sent with malicious HTML attachments or links to malicious domains, using URL shortening services to mask the link. Brute force techniques may be used to identify valid M365 or domain credentials, targeting VPN and other Internet-facing services.
  • Persistence – Threat actors have been observed maintaining persistent access for at least six months using a variety of downloaded malware, DLLs and PowerShell scripts.
  • Privilege Escalation – Cloud administrators’ privileged accounts have been targeted to generate AAD tokens, create users and grant roles to users and applications.
  • Credential Access – Distributed and large-scale targeting using password spray and password guessing has been observed.
  • Lateral Movement – As compromised accounts are identified and have their passwords reset, threat actors have pivoted to other accounts to maintain access.
  • Collection – M365 resources such as SharePoint pages, user profiles and emails may be accessed using compromised credentials.


How to Stay Secure

The ACSC is recommending that organisations urgently adopt an enhanced cyber security posture through the following:

  1. Review the Indicators of Compromise (IOCs) contained in the ACSC’s advisory to determine if related activity has occurred on your organisation’s network.
  2. Ensure that logging and detection systems in your environment are fully updated and functioning, and apply additional monitoring of your networks where required.
  3. Assess your preparedness to respond to any cyber security incidents, and review incident response and business continuity plans.
  4. Implement the Essential Eight mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a baseline.

The ACSC is monitoring the situation and is able to provide assistance or advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371). Read the full ACSC advisory here: https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-02-australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture.


Sources
ACSC – 2022-02: Australian organisations should urgently adopt an enhanced cyber security posture
https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-02-australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture


Palo Alto Networks Unit 42 – Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement)
https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/

Contact Centre Trends – Top Tips on Providing a Better CX
https://hastwell.au/contact-centre-trends-top-tips-on-providing-a-better-cx/
Fri, 14 Jan 2022 01:11:28 +0000

The future of the Contact Centre, whether you run internal service desks or large inbound contact centres, will involve improving the Customer Experience (CX) to increase customer loyalty as well as support business growth. Contact centres are shifting their strategic focus from customer issue resolution and operational efficiency to providing valuable business insights and opportunities for revenue growth.

Here is a summary of the Top Tips from Contact Center Pipeline on how to do it.

  1. Artificial Intelligence (AI) – new cloud-based technologies and AI-powered systems can capture, aggregate, and evaluate large amounts of digital interactions quickly and at scale, often from historically dispersed and siloed systems. The additional datapoints also give more visibility into the customers’ journeys to that point. Agents can leverage these insights to quickly ramp up on the customers’ histories and jump into issue resolution rather than making the customers repeat the information and context they had already provided. Agents with access to these customer touchpoint insights can create more personalised contact experiences that address the customers’ needs quickly and seamlessly. The customers take away positive experiences that will then set the expectation bar higher for future interactions.
  2. ChatBots – for repeatable tasks or enquiries that might come in outside of standard business hours, look to automate responses to common issues or basic enquiries with a chatbot. Contact centre average handle times (AHTs) are on the rise. What used to be three-to-four-minute calls centred mainly around lower-level questions or requests are now clocking up to six to eight minutes on complex and sensitive issues. The combination of super-skilled agents and smart technology support has enabled contact centres to step up and deliver better live experiences over the past year. However, customer expectations are dynamic, and often the last experience is the one they take with them.
  3. Business intelligence (BI) and analytics tools – drive improvements and operational efficiencies. Quick wins include:
    • Increasing First Contact Resolution (FCR) by analysing performance indicators, eg negative customer sentiment, silence time, high escalations, or long hold times.
    • Identifying agent coaching and learning opportunities by tracking silence time and handle time.
    • Reducing inbound call volume by identifying recurring questions or requests that could be handled with AI and automation or simply adding information to a website/IVR or chatbot.
    • Reducing handle time by evaluating and tweaking agent scripts.

This quick access to reliable customer intelligence will help business leaders to make informed, data-driven decisions for optimal outcomes for your customers and business.


Hastwell works closely with multiple leading vendors of Contact Centre Solutions. Reach out to us today if you are ready to improve your capability and deliver positive outcomes for your business.


Windows 11 Readiness
https://hastwell.au/windows-11-readiness/
Mon, 06 Dec 2021 23:41:31 +0000

With the end of the year fast approaching, many organisations will be questioning whether to deploy Windows 10 or Windows 11 on their fleet in preparation for next year.

Windows 11 has some pretty strict hardware requirements. If you’re using Microsoft Endpoint Configuration Manager (MECM) to manage your fleet and applications, Hastwell can provide a free Windows 11 Readiness Report. This report will give you a good indication of whether you’ll be able to consider using Windows 11 on your current workstation fleet.

On top of the system requirements for Windows 11, you’ll also need to ensure your deployment infrastructure is up-to-date and able to deploy the new operating system. At a minimum, you’ll need to update your Windows Assessment and Deployment Kit (ADK) to version 10.1.22000. Your Microsoft Endpoint Configuration Manager (MECM) will need to be running version 2107 or later.

In addition to the hardware and deployment requirements, you’ll need to update your Group Policy templates, and ensure your print servers are using v4 print drivers.

Our specialist Microsoft Infrastructure team can assist you with this process by analysing your environment, developing your standard operating environment or packaging applications to ensure the end user has a consistent experience across your entire fleet.

Where to from here? Check out our website to learn more about how we can support your Microsoft environment or contact me and we’ll provide you with a free Windows 11 Readiness Report to analyse your environment and provide advice on the next steps.


Getting Started with SASE
https://hastwell.au/getting-started-with-sase/
Mon, 02 Aug 2021 05:21:06 +0000

Secure Access Service Edge (SASE), pronounced ‘Sassy’, is a cybersecurity concept originally described by Gartner in its August 2019 report ‘The Future of Network Security in the Cloud’.

Gartner’s 2021 Strategic Roadmap for SASE Convergence report recommends security and risk management leaders develop a roadmap for adoption of SASE.

But what is SASE? At its heart, the SASE model is the combination of branch networking technologies such as SD-WAN and VPN with cloud-delivered security services such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall-as-a-Service (FWaaS). Such a model allows for provision of branch sites and remote users with minimal infrastructure, whilst ensuring full security capabilities can be offered.

Traditional network security architectures were designed around providing access to central enterprise data centres. These models have been augmented over time to accommodate cloud computing and work-from-home initiatives — the latter having been greatly accelerated by COVID-19. With many users and applications now outside of the enterprise, these access requirements are changing.

The multitude of vendors and security solutions deployed across the perimeter today should be addressed by considering how a cloud-delivered model of security may ensure consistent policy and protection.

The SASE security model is likely to help organisations in a number of ways:

  • Reduce complexity — Consolidating existing security stacks into a cloud-based service model will minimise the number of security products being operated, supported and maintained.
  • Increase performance — Minimising branch site infrastructure in preference to cloud-based models allows scaling when and where it is needed.
  • Cost savings — Investing in a single vendor platform reduces the number of point products being procured and managed.
  • Flexibility — Security services can be delivered from the cloud as required for each asset being protected.
  • Zero trust — A SASE solution will provide complete session protection, regardless of whether users are on or off the enterprise network.

While a full SASE implementation may not be on the cards for all organisations today, there are a number of initiatives that can be considered in starting a journey towards the SASE security model. Organisations should:

  • Consolidate vendors as perimeter security products are refreshed and renewed, with the view to have a single SASE vendor.
  • Consider cloud-based security services covered by the SASE model as existing hardware products are refreshed.
  • Consider minimal-infrastructure deployments to WAN sites, offloading security to the cloud.
  • Consider replacing existing remote user VPN connections with a Zero Trust model.
  • Engage network and security teams closely to ensure a common solution set can be deployed with shared responsibility.

Many organisations are now transitioning through their SD-WAN journey in order to reduce legacy WAN provider costs and uplift remote site bandwidths through local Internet breakout. As a result, these organisations are having to consider how to apply an equivalent, or better, security posture across the environment. SASE could well be the answer.


ACSC Essential Eight – July 2021 Update
https://hastwell.au/essential-eight-update-2021/
Sun, 11 Jul 2021 05:35:06 +0000

This week the Australian Cyber Security Centre (ACSC) published an update to the Essential Eight Maturity Model, following an extensive review to ensure that it continues to be relevant in contemporary cyber threat environments.

https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model

This review was based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing, and assisting organisations to implement the Essential Eight.

At Hastwell we see a lot of organisations who struggle to address all controls in the strategy. A number of notable recent changes now address this:

  • The ACSC no longer expects all organisations to meet Maturity Level Three. Rather, they encourage organisations to assess their threat environment and select the appropriate maturity level.
  • Focus has shifted to a risk-based approach rather than a compliance-based approach, recognising that many organisations have legacy systems, carry technical debt or have systems that aren’t based upon secure-by-design principles which inhibits full implementation of ACSC’s advice.
  • There is an increased emphasis on implementing the mitigation strategies as a package, eg addressing all controls in Maturity Level One before moving onto Maturity Level Two.

The Essential Eight Security strategies outline the bare minimum security controls that every business must implement. How does your business compare against the new model?


Apple releases security patches for zero-day bug under active attack
https://hastwell.au/apple-releases-security-patches-for-zero-day-bug-under-active-attack/
Sat, 27 Mar 2021 13:52:33 +0000

Do you own an Apple device? iPhones, iPads and Apple Watches are once again impacted by critical zero-day vulnerabilities.

As a result, Apple has urgently released a critical security update for the second time this month and the third time since January.

Make sure you urgently upgrade to iOS 14.4.2, iPadOS 14.4.2 and watchOS 7.3.3 (security-only patches).

Apple releases iPhone, iPad and Watch security patches for zero-day bug under active attack | TechCrunch


Why Aren’t You Application Whitelisting?
https://hastwell.au/application-whitelisting/
Sun, 15 Nov 2020 04:08:46 +0000

The Australian Cyber Security Centre (ACSC) lists application whitelisting as one of the Essential Eight strategies to mitigate cyber security incidents. More specifically, it is considered the most effective strategy to prevent malware delivery and execution, by disallowing execution of unapproved/malicious programs. Despite this, I’m amazed at how many organisations have this low on their list of actions within their cyber security strategy.

So why aren’t more organisations implementing application whitelisting? From my experience it comes down to three reasons:

  1. Confusion over exactly what application whitelisting is
  2. Limited guidance in how to approach an application whitelisting implementation
  3. Disruption to the business once application whitelisting is enforced

To begin with, I often encounter clients who are confused with the terms application whitelisting and application control – made even more unclear by the ACSC’s recent terminology change from the former to the latter. Oftentimes clients are asking for the ability to control who can execute what application packages – this is the traditional application control approach provided by legacy endpoint security vendors. However, from the perspective of preventing malicious code from executing, the who is not important. With application whitelisting, we are really only interested in whether or not the executables contain known, safe code. The who is typically covered using existing security controls within the organisation – administrative/privileged account access, software deployment rights and application authentication.

For this article, I am sticking with the traditional terminology of application whitelisting, where we are looking to only allow execution of approved executables, DLLs, scripts & installers. The misunderstanding of this distinction can leave businesses and IT professionals with an unclear understanding of what they are required to implement to align with the recommended security controls. The ACSC does, however, provide a good explanation of what application whitelisting is (and more importantly what it is not) in their publication Implementing Application Control.

Despite the name of the aforementioned article, the practical guidance provided by the ACSC for implementation of application whitelisting is very limited. A high-level approach is given (identify applications, develop the execution rules and then maintain the rules), along with appropriate methods of enforcement (cryptographic hash rules, publisher certificate rules and file path rules), but the information provided is not enough to guide organisations through their journey. The US National Institute of Standards and Technology (NIST) offers a more in-depth approach to implementation in their Guide to Application Whitelisting, though they stop short of recommending specific products or vendors, leaving readers unsure of how to execute.

Where most organisations progress to is trialling an implementation with Microsoft’s AppLocker – the software control mechanism built into Windows. Here, one of the best resources is the US National Security Agency (NSA) Information Assurance Directorate’s comprehensive guide to implementing Application Whitelisting using Microsoft AppLocker. But the deficiencies soon become apparent. Managing application whitelisting policies through Group Policy (assuming you are lucky enough to have Windows Enterprise licensing) is difficult and limited. Hopefully, you have a reasonable SIEM for collecting Windows logs to review blocked executions. If you progress past the audit stage into enforcement, you find yourself puzzling over how your IT Helpdesk will allow your CEO to execute the latest Zoom plugin she just tried to update from home.

So, what’s the solution?

  • Understand what application whitelisting is and what it is not
  • Familiarise yourself with a best practice implementation
  • Prepare your environment – an organisation running a Standard Operating Environment (SOE), with restricted administrative privileges and SCCM software deployment is going to have a much easier time maintaining an application whitelisting solution
  • Choose the right product – consider dedicated application whitelisting software that provides the ability for your IT Helpdesk or privileged users to enter an override code to temporarily allow execution when safe to do so
  • Make use of features outside of cryptographic hash whitelisting – file paths, trusted publishers, parent process whitelisting and Microsoft blacklists can all reduce the overhead in managing exceptions
  • Develop and document your new procedures – educate your IT Helpdesk and your users on what they can do to request (or even self-override) a blocked execution when appropriate

Many organisations can transition application whitelisting from audit mode to enforcement mode after a few weeks of monitoring executions and adding relevant exceptions. How you manage those exceptions going forward, though, will ultimately determine the success of your deployment.
