Virtually every corporate desktop and laptop has Microsoft Office, web browsers and PDF apps like Acrobat or Acrobat Reader. These are the apps through which most attacks get started today. Basically, they are the gateway to your network for bad guys.
Why? Is it that these apps are just poorly written and riddled with security vulnerabilities? That’s been the case in the past and continues to be an issue today, but the primary reason for why these apps are such an enduring and successful attack vector is that they all have one thing in common. They directly handle untrusted content from the Internet. They parse documents, render text and images, run JavaScript, dynamically link to other content, run macros, etc, etc. Once a web page, email or file gets past your NGFW and AV, it’s up to these applications to carefully process potentially malicious content and make it really easy for the user to interact with it – without being tricked into running malicious code.
That has proven immensely difficult.
First of all, these apps were never designed with a zero-trust model in mind when dealing with their respective content types. Web browsers have matured more in this aspect. So has Outlook. But other Office apps and PDF readers still lag in this area.
But time has proven over and over again that even new browsers built from the ground up with security in mind remain vulnerable, because it’s fundamentally difficult to safely render and interact with rich content from untrusted sources.
As bad as all of that is, there’s an even bigger issue.
Many successful attacks that vector through these apps don’t exploit any vulnerability in the app itself. They aren’t “tricking” the application to run arbitrary code. Instead, they simply trick the user to do something with the app that they shouldn’t do. Such as:
- Enable macros in an Office document
- Click on a link in Outlook
- Open an attachment
- Open a file downloaded from a web page
And then the bad guy is off and running.
In this webinar, we will explore 4 ways to deal with the risks of these front-line applications:
- Securing the application itself
- Configuration
- Patch management
- Educating the user
- Monitoring these applications for suspicious behavior
- Enforcing least privilege over these applications
There’s only so much you can do in terms of #1 and you are going to have limited impact with #2.
But there’s a lot we can do with detective controls in #3 and preventive controls in #4.
I will show you how careful analysis of Security and Sysmon logs can help you spot when a program like Word appears to be doing the bidding of an attacker.
Then our sponsor, BeyondTrust, will show you how Endpoint Privilege Management allows you to enforce a new level of flexible least privilege on these front-line applications. For instance, Word should be allowed to open and write DOCX files, but should it be able to unload an EXE file or call PowerShell?
Join us for this practical and technical real training for free event!