Wednesday, August 29, 2012

Stop Shamoon before it is too late

Shamoon is striking in the middle east, it is attacking oil and gas companies, one Saudi company was the first, others  most probable in the queue and there is a potential for other types of orgnizations to be attacked, it is matter of time.

In this blog i will list actions can be taken,based on the malware analysis done by AV companies, to stop shamoon or at least reduce its impact. However for more details you may browse the following
Shamoon the Wiper - Copycats at Work
Shamoon the Wiper in details
Shamoon, Saudi Aramco, And Targeted Destruction
The Shamoon Attacks
I am listing two plans, short term plan and long term plan which requires budget and time

Short Term (The foundation):
For IT employees
All must be non administrators.
Use Remote Access Server between the IT network and servers at Data Center.
Always use "rus as administrator" and stop login as administrator for day to day support, operations or tasks.
Reset all admins passwords for servers,applications,databases network and security devices.
Never use default passwords or top worst passwords.
No shared accounts or passwords.

For non IT employees and desktop/laptops
Reduce the user privileges if any has an administrator access.
Block the removable storage if no device control in place.
If device control in place, stop all executable file.

Proxy or content filtering
Block the download of executable files, inf, bin, dll, conf and config.
Block access to network related to botnets, C&C and suspicious web servers.

Use VLANs to segregate network based on floor or department or business unit.
Implement a separate isolated IT management. same applied to mission critical infrastructure.

Remote users using VPN
Allow remote users to access certain resources , stop IP Any Any rules.

Remote offices
Only allow remote offices to access the resources they need, stop IP Any Any rules.

Security monitoring
Install any open source log collection.
Establish daily monitoring and analyzing security logs.

Long term (must be business risk based)
Implement SIEM solution.
Implement device control solution.
Implement two factor authentication solution for servers, network devices and critical infrastructure.
Implement network monitoring and forensics solution.
Implement Malware network analysis solution.
Establish a process to analyze, identify and detect attacks and shall be integrated into a security incident process , NIST computer incident guide can be used.
Establish Cyber Security Intelligence framework.

Time is ticking, they are advanced and using unique techniques, but you can make their attacks fail if proper security controls in place.

No comments:

Post a Comment