Month: March 2024

Categories
Information Security

Implementing Effective IT Asset Management

Effective IT asset management (ITAM) is vital for maintaining a streamlined, secure, and efficient IT infrastructure. This detailed guide is structured around the three primary components of ITAM: static inventory, dynamic tracking, and regular reconciliation. Each component is pivotal for the comprehensive management of IT assets. We delve deeper into each component, offering insights and strategies for IT professionals.

1. Crafting a Comprehensive IT Asset Management Policy

The IT asset management policy is the cornerstone of your ITAM strategy. The blueprint dictates how IT assets are acquired, deployed, maintained, and retired. This policy should address all facets of asset management, including procurement processes, usage guidelines, security protocols, and disposal procedures.

Key Elements to Include:

– Asset Lifecycle Management: Detailed processes for each phase of an asset’s life, from procurement to disposal.

– Roles and Responsibilities: Clearly define who manages, uses, and maintains various IT assets.

– Security and Compliance: Guidelines for ensuring that asset management practices adhere to relevant security standards and regulatory requirements.

2. Understanding the Core IT Assets: Incorporating Static Inventory

A static inventory is a detailed catalog of all IT assets within an organization. This foundational inventory is a snapshot of the organization’s IT resources, detailing each asset’s specifications, locations, and status.

Developing a Static Inventory:

– Asset Identification: Identify all IT assets, including hardware (workstations, servers, network devices) and software (licenses, applications).

– Documentation: Document critical information about each asset, such as the purchase date, warranty details, configuration settings, and associated users or departments.

– Centralized Database: Store this information in a centralized database that authorized personnel can easily access and update.

3. Dynamic Tracking: The Pulse of IT Asset Management

Whereas static inventory provides a snapshot, dynamic tracking involves continuously monitoring and updating the status of IT assets. This ensures that the inventory reflects real-time usage, condition, and location of assets.

Implementing Dynamic Tracking:

– Automated Tools: Utilize ITAM software to automate the tracking of hardware and software changes, usage patterns, and performance metrics.

– Regular Updates: Establish protocols for updating the asset database following any changes, such as asset reassignments, upgrades, or decommissioning.

– Incident Management: Integrate dynamic tracking with incident management systems to quickly address and document any issues or changes affecting IT assets.

4. Regular Reconciliation: Ensuring Accuracy and Efficiency

Regular reconciliation compares static inventory with dynamic tracking data to identify discrepancies. This ensures the accuracy of the asset database and helps make informed decisions.

Steps for Effective Reconciliation:

– Scheduled Reviews: Conduct audits of the IT asset database to verify the accuracy of recorded information against actual asset conditions and locations.

– Discrepancy Resolution: Develop a process for investigating and resolving any discrepancies found during audits, such as unrecorded assets or inaccuracies in asset details.

– Continuous Improvement: Reconciliation findings will be used to refine ITAM processes and policies, enhancing the overall effectiveness of asset management.

5. Hardware Retirement

Hardware retirement is a critical IT asset management process focused on the secure, efficient, and environmentally responsible decommissioning of outdated or no longer needed IT hardware. This process ensures that all such assets are disposed of in a way that protects sensitive data, complies with regulatory requirements, and minimizes environmental impact.

Managing End-of-Life Assets:

– Clear procedures for the retirement of hardware assets are essential for maintaining security and compliance.

– Establishing regular retirement cycles.

– Securing certificates of destruction for data-bearing devices and ensuring environmentally responsible disposal.

6. Data Security Measures

Data security measures are essential protocols and practices implemented to protect sensitive information from unauthorized access, breaches, data loss, and cyber threats. These measures safeguard data’s confidentiality, integrity, and availability across its lifecycle, from creation and storage to transmission and destruction. Adequate data security is multifaceted and includes technological solutions, policies, and procedures to protect digital and non-digital information.

Securing Data:

– Data Sanitization: Implement strict policies to ensure that all sensitive information is securely removed from assets before disposal.

– Certification and Documentation: Obtain and maintain documentation, such as certificates of destruction, to prove compliance with data security regulations.

For IT professionals, mastering the art of IT asset management requires a balanced approach that includes developing a robust ITAM policy, maintaining an accurate static inventory, implementing dynamic tracking for real-time updates, regularly reconciling data to ensure accuracy, and securely managing the retirement of outdated assets. By focusing on these critical components, IT departments can ensure their organizations’ IT assets are handled efficiently, securely, and aligned with business goals.

Categories
Compliance > Privacy

Guarding Digital Assets: Proactive Data Privacy Measures for Remote Work

The challenge of ensuring data privacy is paramount in today’s globally interconnected landscape, where an increasing number of businesses are adopting remote work models. Using strong security measures to protect and safeguard sensitive data while working remotely is vital. This article aims to explore some of the key strategies and protocols one can put into practice to safeguard data privacy, irrespective of your place of work.  

Importance of Data Privacy in Remote Work 

Remote work offers various advantages such as flexibility, reduced commuting, better work-life balance, and global talent access.  

As the boundaries between professional and personal spaces blur, it becomes essential to prioritize data privacy.The potential outcomes of poor cybersecurity practices in remote work environments can lead to:   

  1. Reputation Damage: The customer’s data leak or compromise can tarnish the company’s brand image, leading to a loss of trust among stakeholders, potential clients, and investors.
          
  2. Legal or Regulatory Compliance: Non-compliance with data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), can lead to hefty fines, penalties, and legal repercussions.
     
  3. Intellectual Property: Proprietary information is vital for businesses to maintain a competitive edge. Unauthorized access or breaches by competitors or malicious actors can jeopardize a company’s market position and potential revenue.
          
  4. Data Breaches: Exposure of sensitive data, such as Personally Identifiable Information (PII), financial information, company’s customer data, or trade secrets, through data breaches, can have a devastating impact on a company’s reputation. The consequences can lead to financial losses and reputation damage, and they may suffer legal and regulatory penalties.
          
  5. Financial Losses: Cyber-attacks can lead to substantial financial losses for individuals and organizations, such as a Ransomware attack. Financial fraud, such as unauthorized transactions or identity theft,can arise if remote work systems, like laptops or smartphones, are compromised, leading to personal or business losses.  

Key Challenges in Data Privacy for Remote Work 

Hardware and Software Vulnerabilities 

When working outside the controlled environment of an office, remote employees frequently use personal devices or unsecured networks, which might not be up to date with the latest security patches, thus making them more susceptible to cyber threats and data breaches.  

Phishing, malware, and socially engineered attacks 

Remote workers are susceptible to cyberattacks like phishing, malware, and social engineering attacks, especially when they access corporate data from public networks or unfamiliar devices. 

Inconsistent Security Protocols 

Without standardized protocols across all remote work setups, the chances of data breaches increase manifolds. 

Enforcing organizational policies and regulatory requirements: 

Enforcing organizational policies and regulatory compliance can be challenging with remote work due to the lack of physical presence of IT staff and supervisors.  

Steps to Promote Data Privacy in Remote Working. 

Implementing and following security best practices can help safeguard valuable data resources and drastically reduce the chances of costly cyber-attacks.  

End-to-end Encryptionand Backups 

While handling data, ensure data is encrypted at rest and in transit over the networks. This ensures that data is indecipherable, even if intercepted, to unauthorized users.Encrypting the communications channels helps safeguard information. Regular backing up of data to cloud storage or an offline storage device can protect against data loss, offer protection against ransomware attacks, and serve as a repository. Users can access and share data from any location.  

Use VPN (Virtual Private Network) 

Use Virtual Private Networks (VPNs) to establish secure and encrypted connections. VPNs help shield sensitive information from cyber threats, especially when using public networks.Also, avoid public Wi-Fi networks and use trusted networks or a personal hotspot.  

Update and Patch Software 

Keep all company-provided software and devices updated with the latest security patches. This protects against vulnerabilities that cybercriminals might be able to exploit.In addition, install software that is company-approved and from trusted sources, and always adopt safe browsing practices.  

Use strong password and Multi-factor Authentication (MFA) 

Always use long and complex passwords to protect computing resources. Avoid sharing passwords and using the same passwords on multiple accounts. In addition to using unique, strong passwords, incorporating an additional layer of security, like a one-time passcode or biometric authentication, and MFA to ensure unauthorized access is restricted.Combining these factors makes it harder for hackers to impersonate a victim’s identity.  

Implement Zero-Trust Network Access:  

Zero-Trust, a security framework, requires strict verification of the user and devices that try to access the network. Every user and device, whether inside or outside of the organization’s network, must be authenticated, authorized, and validated continuously before access is granted. By default, for all users and devices, the access control is set to “deny.” the connections are assumed to be malicious unless authorized to access.  

A zero-trust strategy will help secure access to corporate resources only from trusted networks and devices.  

Establish Security Awareness Training Program 

An effective strategy to maintain a secure workplace environment is educating and conducting regular security awareness training sessions to inform employees about the latest threats and best practices. Training sessions may include recognizing phishing emails, the risk of using unsecured network connections, using strong and secure passwords, reviewing the company’s cybersecurity policy, or job-specific training. Regular employee training and remedial training (for those who fall for simulated phishing) will help employees to be vigilant, promote awareness, and reduce the probability of falling victim to cybercriminals.  

Conclusion 

When working remotely, data privacy is not just a technical challenge but is also a critical business necessity. Businesses can not only protect their data by implementing robust security measures, but also can build trust among its employees and stakeholders, promote sustained growth, and improve their reputation. To stay ahead of the curve, one must regularly review and update their data privacy measures.  

Categories
General Cyber and IT Security

Introducing New Managed Detection and Response Capabilities: Enhanced Security for Microsoft 365

Announcing two new capabilities within our Managed Detection and Response (MDR) services, specifically designed to enhance the monitoring and security of your Microsoft 365 environment. These additions are part of our ongoing commitment to provide the best possible protection against evolving cyber threats.

  1. Microsoft 365 Account Isolation: Our first new feature, Microsoft 365 Account Isolation, is a significant step forward in securing M365 user accounts and sensitive data. Compromised accounts can lead to Business Email Compromise (BEC) attacks and even data exfiltration. Let us help you remediate this faster by acting on the suspected accounts to prevent further compromise and loss when your IT staff or MSP are not available to respond.

This capability allows us to:

  • Isolate Compromised Accounts: In the event of a suspected compromise, we can now quickly isolate affected accounts, minimizing the risk of data breaches or further infiltration.
  • Faster Remediation: Our SOC analysts can disable accounts and revoke all user sessions when suspicious activities are detected, ensuring faster remediation action.  We will also have the ability to re-enable accounts if needed.
  1. Microsoft Risky Users Alerting: The second feature, Microsoft Risky Users Alerting, provides enhanced monitoring of account activity classified as Risky Users within your Microsoft 365 environment. Previously we were unable to see this activity.  To take advantage of this enhanced monitoring, you must have a Microsoft Identity Protection with a P2 license level.  Additional permissions will be required and we can provide instructions to help you make the necessary changes.

Microsoft documentation classifies Risky users as:

  • The user has one or more Risky sign-ins.
  • One or more risk detections have been reported

        For more information on Risky Users, see the official Microsoft Identity Protection documentation.

What This Means for You

  • Enhanced Security: These new capabilities can significantly bolster your defense against cyber threats, particularly in visibility and protecting your Microsoft 365 environment.
  • Peace of Mind: With these new capabilities, you can be assured of a safer and more secure digital workspace.
  • Seamless Integration: These features are integrated into our existing MDR services, ensuring a smooth and uninterrupted experience.

Next Steps

  • Opt-in for these new capabilities: Contact us via email at soc@securit360.com or by telephone at 205-419-9066 or toll-free 844-474-1244. Not yet a client? Contact us through this form.
  • Establish rules of engagement: We can discuss your preferences for utilizing the account isolation features such as:
    • Should we disable accounts upon suspicious activity?
    • Or only use isolation when we receive email or voice approval?
  • Setup Additional Permissions in Microsoft Entra ID (formerly Azure) / 365: Your team will need to enable some additional API permissions within your Microsoft Entra ID / 365 environment to allow these additional capabilities.
    • We have instructions we can provide to you during the setup process

We are committed to continuously enhancing your cybersecurity posture, and these new MDR capabilities are a testament to that commitment. Thank you for your ongoing support and cooperation in maintaining a secure and resilient digital environment.

 

Categories
Social Engineering

The Power of Social Engineering: Building Resilience in the Digital Age

Understanding Social Engineering in the Digital Landscape

In an era dominated by technology, the threat landscape for cybersecurity has evolved, with social engineering emerging as a prominent threat. Social engineering involves manipulating individuals to divulge confidential information or perform actions that may compromise security. This article explores the intricacies of social engineering threats and provides insights into effective mitigation strategies.

Social engineering exploits human psychology rather than relying on technical vulnerabilities. Attackers use various tactics, such as phishing emails, pretexting, baiting, and quid pro quo, to deceive individuals into divulging sensitive information or performing actions that compromise security. These tactics often prey on trust, authority, fear, or urgency to achieve their malicious objectives.

The Multifaceted Nature of Social Engineering Attacks

Social engineering is not just limited to a single type. Various tactics have evolved, each with its distinct approach:

  • Phishing: Attackers create seemingly legitimate emails, messages, or websites to trick individuals into providing sensitive information. This can also be targeted towards C-suite level targets in what is known as Whaling.
  • Pretexting: The attacker creates a fabricated scenario to obtain information or access that would otherwise be denied.
  • Baiting: Malicious software or files are disguised as enticing items, luring individuals to download or click on them.
  • Quid Pro Quo: Attackers offer something in return for information, exploiting the natural tendency to reciprocate favors.
  • Tailgating: An attacker seeks physical entry into a restricted area by following someone who is authorized to enter.

By understanding these, we can strategize and create barriers against potential threats.

Key Principles to Foster Digital Resilience

Stay Informed

It’s vital to stay updated on the latest techniques and trends in the world of social engineering. Knowledge acts as our first line of defense. Employers should conduct regular training sessions to educate employees about social engineering tactics. They should also foster a culture of skepticism, encouraging individuals to verify requests before divulging information.

Creating a Robust Organizational Culture

A resilient organization is not just about advanced security software or robust firewalls; it’s about cultivating a culture of vigilance. This involves:

  • Open Communication: Encouraging employees to speak up about suspicious activities without fear of reprimand.
  • Regular Drills: Simulating social engineering attacks to ensure that employees can recognize and respond appropriately.
  • Rewarding Vigilance: Recognizing and rewarding those who successfully identify threats can boost morale and increase overall security consciousness.

The Role of Technology in Enhancing Security

While human awareness and training remain paramount, technology serves as the backbone in countering these threats:

  • Advanced Email Filtering: This helps in identifying and isolating phishing attempts.
  • Two-Factor Authentication (2FA): Adds an extra layer of protection even if login details are compromised.
  • Regular Software Updates: Ensuring that all software, especially security software, is up-to-date to counter any potential vulnerabilities.

Final Thoughts

Social engineering threats pose a significant challenge to cybersecurity by exploiting the human element to breach defenses. By fostering a security-conscious culture, implementing robust technical measures, and staying vigilant, organizations can mitigate the risks associated with social engineering and bolster their cybersecurity posture in an ever-evolving digital landscape. Building resilience is not an endpoint but a continuous journey of adaptation and learning.

Categories
Compliance

Check The Expiration Date

The Payment Card Industry (PCI) Security Standards Council (SSC) develops standards and resources that help protect the people, processes, and technologies across the payment ecosystem to help secure payment transactions worldwide.  The PCI SSC is led by a policy-setting Executive Committee composed of representatives from the Founding Members and Strategic Members which includes American Express, Discover Financial Services, JCB International, Mastercard, UnionPay, and Visa Inc.

The PCI Data Security Standard (DSS) is a global standard that was established to protect payment account data. The PCI DSS is comprised of twelve technical and operational requirements that are spread across six different goals.

If an entity stores, processes, or transmits the payment card Primary Account Number (PAN), then a Cardholder Data Environment (CDE) exists to which PCI DSS requirements will apply.

The current version of the PCI DSS is 4.0.  This version was officially released in 2022 with a transition period of two years.  The previous version, 3.2.1, expires on 3/31/2024.  Some requirements in v4.0 are considered best practices until 3/31/2025, after which they will be required and must be fully considered during a PCI DSS assessment.

Some of the changes incorporated into Version 4.0 of the PCI DSS include:

  • Continue to meet the security needs of the payment industry.
  • Promote security as a continuous process.
  • Increase flexibility for organizations using different methods to achieve security objectives.
  • Enhance validation methods and procedures.

For a comprehensive view of changes in the new version as well as other standards and supporting documentation, please refer to the PCI SSC Document Library

Compliance questions, including questions about whether it is acceptable to submit a PCI DSS v3.2.1 assessment report after the standard is retired on 3/31/2024, should be directed to the organizations that manage the compliance program, such as payment brands and acquirers.

Categories
Digital Forensics | Incident Response

Transforming Your Security: Insights from Coaching a Collegiate Cyber Defense Team

Background

By day, I am a full-time Information Security professional with nearly 20 years of industry experience. I have worked for companies as small as a few dozen employees to some of the largest organizations in my state and other mid-to-large sized companies in between. About 5 years ago, I answered the call to give back and began to work in the evenings as an Adjunct Professor in a local Cyber Security program. It has been rewarding to work to train the next generation of the cybersecurity workforce.

Early in my tenure, my campus fielded a Cyber Security Competition Team. Throughout the year, there are competitions where youngling cyber practitioners are given real-world challenges and opportunities to get some priceless experience. The other coaches of this team and I are proud that most of our students get job offers on the spot from companies of all sizes and industries based on their performance in these competitions. To date, our job placement rate is near 100%.

The following contains lessons learned that I had the opportunity to observe and experience firsthand throughout the genesis and maturation of a Collegiate Cyber Defense Team. As a highly experienced and credentialed security practitioner, I am still amazed at how many companies struggle with cybersecurity. I share the following, hoping to show many that good security doesn’t have to be hard or expensive and that even old security dogs can learn new tricks.

Lesson #1. No plan survives contact with the enemy.

Everyone has a plan until they get punched in the mouth.” 

-Mike Tyson

Any theory can be good until it hits the battlefield. When we first started, we followed the methodology that when you have a compromised box, the first thing you should do as a part of containment and eradication is identify the missing patches and quickly apply those patches to keep the Threat Actors (TA’s) out.  In theory, this works and makes sense. Patch Management is a part of good hygiene that every network should implement. However, we only have six hours to complete our mission during the competition. We don’t have endless days post-detection. In this environment and conditions, we must change our focus.

Initially, our teams were quickly getting onto their perspective boxes and attempting to download the patches, wasting hours they didn’t have. The result was a constant seesawing back and forth with the Offensive Team (Red Team)* because they could not properly contain the systems using this method. So, in this situation, rushing to patch as a mitigation step just didn’t work. So that led us to change how we were doing things going forward.

Our methodology shifted to applying patches at the very end of the process versus being one of the first things our teams do. Now, our teams focus on getting control of their boxes and removing the threat actor. Typically, they just find the sorts of Indicators of Compromise (IOCs). Once the student has maintained network control over their system, other mitigation steps and compensating controls are deployed. This further decreases the pressure for patching. From year to year, we saw a rapid increase in the performance of the team by then focusing on the core containment and eradication rather than on the remediation steps. Patching is still important. It is just not as important as we had initially thought. Compensating controls can equally mitigate the vulnerability, often much quicker than patch deployment. This leads us to our next lesson.

Lesson #2. Do the basics and do them well. 

Ransomware Threat Actors are very good at the basics, and this shows against companies that aren’t.”   

-SANS DFIR Aug 2023

Everyone has heard of the KISS (keep it simple, stupid) process method. This is especially true when defending your system against a strong, active, offensive adversary. Many students who join and compete on the Cyber Team have little to no real-world IT experience. They spend their weekends preparing for the competition by reviewing basic checklists and tasks. These exercises are done repeatedly, just like practicing free throws in basketball.

At one of our most recent events, a student on the team was new to managing a Linux BIND server. When the starting gun fired, almost immediately, the entire network services went down. This is not uncommon in these sorts of competitions. Students in all positions on all teams struggled to get going and get their services back up and running. This student, who was new to BIND, followed their training and worked off the checklists and task lists.  Shortly after that, the BIND server was back up and running and remained up for the entire competition despite a constant barrage from the Red Team. This student’s work was recognized during the competition. This student received public credit from judges and a merit award for their work.  When the student was asked by other students what they did to get working while others still failed, the answer was that they just stuck to the checklists. While others tried kitchen sinks and chased sexy tactics, this student “KISS’d” the Red Ream goodbye. Doing the basics well can be its own no/low-cost mitigation tool.  This leads us to our lesson.

Lesson #3. Network control is a force multiplier.

Don’t be afraid to challenge the pros, even in their own backyard.”

-Colin Powell

You rarely get some security theories exercised in real life. Observing these competitions has allowed me to see some theories put to the test. To give some context, the network environment is prepared before the students can log in and begin. The Red Team pillaged the network the night before, leaving their rootkits and shells behind. Often, systems are further damaged to hamper the response efforts of the students. I think this is a bit much. The Red Team already has the advantage of network reconnaissance and unfettered access to plant their tools. It is unfair for some of the country’s best Red Teamers to get to further damage systems, handicapping the rookie students who are outclassed in skills and experience. I’m not alone in this sentiment. The other coaches on our team agreed.  We decided to take it to the Red Team to prove that none of their tools would work if we controlled the network.

In our first attempt, we fully leveraged all aspects of the Layer 7 Firewall from Palo Alto that was being utilized in this round of the competition. (In each round, different technologies are used, such as PFSense or Cisco).  We had one very enthusiastic student buy into what we were trying to do.  He took Lesson #2 to heart and learned the basics of that security appliance. On competition day, within the first hour, this student completely evicted the Red Team from the network and kept them out for the duration of the competition. He showed that a properly configured and fully utilized Layer 7 firewall is tough to bypass, even by the pros who more than had a head start. Our success led to future competition rule changes, including the increased use of legacy traditional firewalls with fewer capabilities. We proved that someone with the right security tool can properly defend themselves against a literal army of invaders with Cobalt Strike. Score one for the home team.

Now that we had made a name for ourselves, future rounds were met with the wrath of the Red Team. Brittle egos are slow to mend. Whenever the Red Team wanted to handicap the field, they ensured that any firewall, other than a Layer 7 firewall, was used. This proved that our concept was sound, but now we had to adapt. The battle line had moved.

We moved the control of the network to the host level. In our basic checklist and task lists, we included steps to manage the endpoint firewall manually, whether it was IPTables or Windows Firewall. Students drilled on locating the connections to their system and evaluating whether it was truly needed. In other words, we implemented Zero-Trust networking a little before it became a marketing craze. It didn’t matter what was protecting the perimeter; the hosts were actively rejecting connections from sources that were not allowed. Eventually, the Red Team would pivot to a trusted host to launch an attack, but the time was running out by that point of the competition. Time and again, when our students achieved control of their host and managed the local firewall properly, the Red Team faced greater difficulty in achieving their goals, even on servers with multiple vulnerabilities. In a nutshell, any server regardless of Operating System, even if out of date and running with critical vulnerabilities can still be thoroughly secured without negatively impacting business. This leads us to our next topic.

Lesson #4. Know the rules—all steps of the process matter.

If you can’t describe what you are doing as a process, you don’t know what you’re doing.” 

-W. Edwards Deming

This lesson comes from one of the first national competitions where the team placed very strongly in second place. The distance between first and second place was measured in milliseconds. Many of the other teams in the final round had what I referred to as ringers. While our students were all in associate and bachelor’s degree programs, other teams fielded students who were not only in graduate-level degree programs but who often worked full-time in IT/IS already. These teams have stronger technical acuity and can sprint harder during these timed competitions.

Leading up to the competition, our coaches reviewed all the documentation on how the events would be scored. After all, this is still a game, despite the attempts to emulate real-world security events.  All sections were covered for review, including a new section. The judges would quiz each team on the Change Management Process in this new scoring section. While change management is an important aspect of any information security program, it doesn’t have the flashy appeal that battling an active adversary does—blocking and tackling matters. We took the time to teach the Change Management Process to the team thoroughly.

During the competition, our team took some lumps in the first round. We were back in the pack. Later in the day, while one team was in the hot seats taking on the Red Team, the other teams were quizzed on Change Management. Our team responded well to the quiz and took 1st place in that aspect of the competition. They leapfrogged their way to the final four. During the live finale, the team came up just milliseconds short of taking first place. Without the preparation of all security processes and not just focusing on active defense, the team delivered an overall strong security performance. In the end, this is the overall goal to begin with. This is something that many companies need to emulate—all steps in the information security process matter. Oh, and the team got their due when they returned in 2022 and won the competition, besting 1100 other national teams. This leads us to our final topic.

Lesson #5.  Microsoft Defender is actually really good at what it does.

Microsoft is not about greed. It’s about innovation and fairness.” 

–Bill Gates

I remember when Microsoft Defender Antivirus, formally known as Microsoft Defender for Endpoint, formally known as Microsoft Defender Advanced Threat Protection, formally known as Microsoft Defender, formally known as Windows Defender Antivirus, formally known as Windows Defender, formally known as Microsoft AntiSpyWare, first debuted. I was at Microsoft Tech ED 2008 in Orlando. I sat in on a couple of presentations of what the developers were trying to do with the product. It wasn’t just a Symantec knockoff.  It was original from the ground up.

Fast forward 15 years later. As previously mentioned, during the first stages of the competition, the Red Team gets access to the network to plant their tools and handicap the students. During one round, all the Windows servers (2012 and newer) had Defender disabled and sabotaged to prevent it from running during the competition. During the daily debrief, the captain of the Red Team talks about their observations. When asked about Defender, he admitted that the Red Team intentionally gutted Defender. “If we had let it run, most of our tools wouldn’t work.” That strongly indicates how good this “out of the box” security product is. It drives Red Teams to sabotage it to achieve their objectives. The Offensive Security Team at SecurIT360 highly regards this product in their testing.

Don’t take their word for it. Check out this blog referred to as “Last Antivirus Standing”. Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681) (security-obscurity.blogspot.com).  The author took an 8-year-old JavaScript virus and in minutes, made the most subtle tweaks to get it past 43 of 44 antivirus engines with relative ease. The lone antivirus that detected the virus during every mutation was Microsoft Defender. Long story short, Microsoft Defender is a good, solid security solution, especially for those with smaller budgets. Anyone telling you that Microsoft Defender is garbage is either financially incentivized to tell you something different or doesn’t know what they are discussing—most of the best Red Teamers out their respect Defender as a good defensive tool. The facts are there. I was fortunate to see it put through testing that most people don’t. Leveling the playing field against offensive adversaries seems like a pretty fair move to me. Thanks, Bill, and company.

Wrapping up

Teaching and coaching cybersecurity has been enlightening and rewarding. Although the victories were celebrated, watching the students grow in skill and confidence was the true honor. As mentioned, I was fortunate enough to have the opportunity to witness firsthand the battles waged by a Collegiate Cyber Defense Team against some of the country’s best Red Teams. Lessons gleaned from those clashes were shared here in hopes of helping others who are on the frontlines of today’s cyber battlefields defend themselves. Our program succeeded on a wafer-thin budget compared to competing schools with 10x to 30x the resources. The lessons shared here show how any company, even those facing the same fiscal challenges, can improve security, one small step at a time.

And yes, the tears of Red Teamers are delicious, even if they are very short-lived.

SecurIT360 is an independent, vendor-agnostic technology company focused on developing programs and systems specifically catered to our client’s needs. While some vendors are listed here, we work with each customer and their selected IT solutions on a custom basis and not “one-size fits all” approach.

* In the context of cybersecurity, a “Red Team” is a group that pretends to be an enemy. A “Blue Team” is a term for cybersecurity team who are responsible for defending networks and computers against attack.   Red team – Wikipedia. https://en.wikipedia.org/wiki/Red_team.