ICS Cyber Convergence

Advanced Persistent Threat (APT), as a term, is perhaps over-used in cybersecurity. Like the Boogie-Man that strikes fear into the minds and hearts of children at night, APTs work just as hard to ensure that CISOs and CIOs never rest easily. But just like the Boogie-Man, the trick to not being afraid of APTs is to understand them. Unfortunately, understanding APTs isn’t as simple as a bed time story.

The first signs of APTs came from targeted, socially-engineered emails dropping Trojans designed for exfiltration of sensitive information. They were identified by UK and US CIRT organizations in 2005. Although the name "APT" was not used, the attackers met the criteria that determines an APT. The term "advanced persistent threat" is cited as originating from the Air Force in 2006 with Colonel Greg Rattray.

Another complexity in understanding APTs is their definition and identifiable characteristics. The internet is filled with differing definitions and varying character traits that can make this step confusing and ambiguous. One popular definition that sums up what an APT is nicely:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies and political activists. The use of the term APT seems to be growing with the rising number of APT-related attacks, which, according to a PC World story from a couple of years ago, noted an 81 percent increase in APT attacks from 2010 to 2011.

In a book released a couple of years ago called Reverse Deception: Organized Cyber Threat Counter-Exploitation, the authors define the following APT criteria:

  • Objectives – The end goal of the threat, your adversary
  • Timeliness – The time spent probing and accessing your system 
  • Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point) 
  • Risk tolerance – The extent the threat will go to remain undetected 
  • Skills and methods – The tools and techniques used throughout the event 
  • Actions – The precise actions of a threat or numerous threats 
  • Attack origination points – The number of points where the event originated
  • Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights
  • Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Even though Advanced Persistent Threats play a strong role in cybersecurity planning, especially for large organizations, a lot of the fear and feeling of uncertainty about them can be eliminated by a simple understanding of what they are and what their pattern of attack typically looks like. Although the solution to removing the fear is never as simple as checking your closet, or server, at night before leaving, understanding the threat and partnering with an organization like Lockheed Martin can make your networks more secure.

Read more

This month marks the 10th anniversary of National Cyber Security Month in the U.S. and DHS.gov is dedicating the third week of the month to awareness on the topic of cyber security as it relates to critical infrastructure and the internet of things. This month is a great opportunity to raise awareness on the importance of cyber security with your customers, your employees and your boards. 

Just a decade ago cyber security was mainly a concern of bankers, not critical infrastructure operators! Today, critical infrastructure cyber security has become a focus for industrial control system asset operators, compliance regulators and company board rooms.  

What’s changed? The threat landscape. Threat actors have expanded beyond individual hackers and organized crime syndicates to nation-state actors, terrorists, and political activists. Attack vectors and attack campaign methodologies (think APTs) have matured, morphed and proliferated. 

According to a study by ABI Research the global oil industry is expected to spend $1.87 billion by 2018 in cybersecurity. It’s no wonder a recent report published by the IIA Research Foundation found that 58% of all board members want to be involved cyber security preparedness. 

No matter the risk factors, the unique challenge for ICS remains the same: measuring cyber security risks across an organization’s disparate asset base, heterogeneous systems and hard-to-reach (often antiquated) end-points, and then communicating that risk to key decision makers. For electric utilities in particular we see a trend in which cyber security program efforts are often eclipsed by immediate compliance mandates tied to more tangible and inevitable non-compliance penalties. And while compliance with regulations is undeniably important, it doesn’t guarantee security. (Watch the full webcast: Navigating the Crossroads of Compliance and Security)


“Tattoo this somewhere: Being compliant does not make you secure.”
– Mark Weatherford on Navigating the Crossroads of Compliance and Security

Without situational awareness across both OT operations and IT systems, measuring, communicating and effectively mitigating cyber security risk is nearly impossible.

How can you turn awareness into meaningful actions?

  1. Find ways to share resources to elevate the cyber security conversation within your organization
  2. Leverage centralized reporting tools for both transparency and trend analysis for increased situational awareness
  3. Partner with organizations dedicated to developing purpose built solutions to combat ever-evolving threats

Having tracked the trending needs of utilities and energy companies we intend to continue our commitment for the next ten years by arming our customers with solutions to move beyond cyber security awareness into action.


How can the Oil & Gas industry translate their disciplined approach to health, safety, and the environment (HSE) to cybersecurity?

Find out how an integrated and intelligent approach to energy industry cybersecurity can help your organization move towards a more stringent application of cybersecurity.

Download the whitepaper Cybersecurity in the Oil and Gas Industry


Read more

The Shellshock vulnerability has put much of the operational technology (OT) world into a state of panic. It has been especially confusing for OT operators in the critical infrastructure industries to work out how to deal with it. Here is a step-by-step process that OT operators can follow to get a handle on the vulnerability.

The Steps

  1. Find out which machines in my asset base have bash
  2. Find out which bash versions are installed on those machines
  3. Find out whether the assets are critical, whether the vulnerability is exploitable on the assets
  4. Create workflow for patching the vulnerability
  5. Enable technologies to check for active exploitations on the bug

Find all machines where bash is installed. Search for the software:
On *nix machines, bash is packaged under several names, such as bash-i386 and bash-x86_64. If your software has wildcard search or auto-suggest features (such as Industrial Defender ASM™), then as you type bash, all software whose name begins with those letters will be displayed.

Create a policy to find all versions of bash software:
Instead of searching, if the software allows you to write a policy, use the policy expression capability to check for policy deviations on bash.


The following is an example of how ASM users can check for machines which have any version of bash

Finding out whether the machines have a specific version of software:
OT operators can use policies to find out specific versions of bash running in OT environments.

Users can use the policy below on ASM to find out whether machines have been patched to a specific version.

ASM users can check for machines having not only vulnerable versions of bash software but also to check whether they have been patched to non-vulnerable version of bash as well.


Finding out whether the vulnerability is actively being exploited: 
Snort has published signatures that alert on CGI scripts trying to exploit bash. Industrial Defender posted signatures for customers on Sep 29 to the Support Site.

The following is a screenshot from the ID NIDS product detecting the attack.

Just because an asset has bash that is vulnerable, it does not mean that it’s exploitable. It is exploitable only when the shell is exposed to applications through CGI or SSH scripts.
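The following Python script is an added example, not part of the original post and not ASM product code. It walks through steps 1 to 5 above on constructed data: a made-up software inventory (with exposure flags for CGI and SSH), an assumed fixed-version threshold (MIN_FIXED), and a constructed web server access log scanned for the function-definition token that Shellshock exploit attempts carry.

```python
import re

# Constructed sample software inventory; not an ASM export or data from the post.
# Each record: host, package name as the asset reports it, version string, and
# whether the shell is reachable through CGI or SSH on that asset.
INVENTORY = [
    {"host": "hmi-01",    "software": "bash-x86_64", "version": "4.2.45", "cgi": True,  "ssh": False},
    {"host": "hist-02",   "software": "bash-i386",   "version": "4.3.30", "cgi": True,  "ssh": True},
    {"host": "plc-gw-03", "software": "bash-x86_64", "version": "4.1.2",  "cgi": False, "ssh": False},
    {"host": "eng-ws-04", "software": "busybox",     "version": "1.22.1", "cgi": True,  "ssh": False},
]

# Assumed threshold: upstream bash 4.3 patch level 30. Distributions backport the
# fixes without changing the upstream number, so for distro packages replace this
# with the fixed package release named in your vendor's advisory.
MIN_FIXED = (4, 3, 30)

# Shellshock exploit attempts smuggle a function definition, '() {', into a value
# that a CGI wrapper exports as an environment variable; the Snort rules the post
# mentions look for the same token. Whitespace inside the token is tolerated.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed access log (combined format); the first and third lines carry a
# harmless probe in the User-Agent and Referer fields respectively.
ACCESS_LOG = """\
10.0.0.5 - - [29/Sep/2014:10:01:12 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.7 - - [29/Sep/2014:10:02:40 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Sep/2014:10:03:03 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "( ) { :; }; echo probe" "curl/7.30.0"
"""


def parse_version(version):
    """Turn '4.2.45' into (4, 2, 45); missing fields become 0, extra fields are dropped."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])


def has_bash(record):
    """Step 1: match the package name the way a wildcard 'bash%' search would."""
    return record["software"].lower().startswith("bash")


def is_vulnerable(record):
    """Step 2: any bash package older than MIN_FIXED is flagged."""
    return has_bash(record) and parse_version(record["version"]) < MIN_FIXED


def is_exploitable(record):
    """Step 3: vulnerable and the shell is exposed through CGI or SSH."""
    return is_vulnerable(record) and (record["cgi"] or record["ssh"])


def triage(inventory):
    """Step 4: bucket hosts so the patch workflow starts with the exposed ones."""
    report = {"no_bash": [], "patched": [], "vulnerable_not_exposed": [], "exploitable": []}
    for rec in inventory:
        if not has_bash(rec):
            report["no_bash"].append(rec["host"])
        elif not is_vulnerable(rec):
            report["patched"].append(rec["host"])
        elif is_exploitable(rec):
            report["exploitable"].append(rec["host"])
        else:
            report["vulnerable_not_exposed"].append(rec["host"])
    return report


def find_shellshock_attempts(log_text):
    """Step 5: return (source_ip, line_number) for log lines carrying the token."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if SHELLSHOCK_RE.search(line):
            hits.append((line.split()[0], number))
    return hits


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:24s} {', '.join(hosts) or '-'}")
    for ip, number in find_shellshock_attempts(ACCESS_LOG):
        print(f"possible Shellshock attempt from {ip} (log line {number})")
```

The triage deliberately separates "vulnerable but not exposed" from "exploitable", which is the distinction the paragraph above draws; an inventory match alone does not make an asset exploitable.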



Read more

Five-question checklist for improved cyber situational awareness

Recently, Hold Security, a firm in Milwaukee, announced that a Russian crime ring had stolen 1.2 billion user credentials and 500 million e-mail addresses from 420,000 websites. According to an article by the New York Times, if true, the cyber-heist would be the largest in history.

Hold Security did not name the victims of the attack, citing nondisclosure agreements with victim companies.

In the face of attacks like this, it would be nice if Chief Information Security Officers (CISOs) had a crystal ball to keep their networks safe. But that's not really necessary. Attacks like this are as defendable as they are inevitable with the use of emerging tools including threat intelligence and outcome-based cybersecurity.

Outcome-based security is a management scheme that measures the success of a security program by first identifying a desired outcome. Data from automated scanning and monitoring can be tracked and evaluated to determine if results have been achieved, making security teams and asset owners accountable for these results.

The concept of outcome-based security is finding acceptance in both the public and private sectors. The Government Accountability Office, the auditing service of the U. S. Congress, has recommended that the Department of Homeland Security (DHS) and its partners develop outcome-oriented measures for the communications sector.  This would provide federal decision makers with additional insight into the effectiveness of protection efforts for communications networks and the Internet.

We use outcome-based cyber security to achieve specific results. It helps us understand what inputs have to change to achieve a desired outcome. But identifying and achieving a desired outcome also requires threat intelligence.

Intelligence is the common denominator among experienced staff, detection and remediation technology and your cyber security processes and procedures. Threat intelligence helps you understand your attackers, an essential element in staying ahead of them.

Threat intelligence coupled with outcome-based cyber security can provide a “crystal ball.” Understanding your own goals and the goals of your attacker help you find the best way to stop them.

If you’re in Oil and Gas, the target might be production levels data. If you’re in healthcare, it might be access to patient records or payment information. Whatever the target, knowing the attacker’s goal helps you understand the multiple steps that an Advanced Persistent Threat can take toward it. The Cyber Kill Chain, a key ingredient in Lockheed’s Intelligence-Driven Defense (IDD), identifies the various spots at which the attacker can be stopped before reaching that goal.

When using IDD, you may want to monitor attackers in order to analyze their actions as they pass each step before stopping them as a means of gathering intelligence and understanding possible outcomes or options of the attack. This also provides situational awareness.

Situational awareness is about gathering as much information as possible about the attackers, your own systems and the environment in which they operate.

  1. Where in the world are the attackers coming from?

  2. What steps did they take to get through each level of security?

  3. What technology and methodologies are the attackers employing?

  4. What are they trying to exploit?

  5. And how can we predict their next move and control the outcome of their attack?

Outcome-based cybersecurity lets us act proactively to identify our own goals regardless of where the threats are coming from.


Discover the new look of defense.
Download the whitepaper: Intel Driven Defense

A new class of threats, appropriately dubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information. Read the case studies in this whitepaper.


Read more

Defending against advanced persistent threats

Why Lockheed Martin Industrial Defender Solutions is the best team to defend critical infrastructures and champion cyber security

Quick - what do you think of when I say "Lockheed Martin"?

Defense?

Of course you do! Over the past 100 years Lockheed Martin has built a global reputation on the backs of high profile defense contracts. But Lockheed Martin offers more defense than you may have realized. Perhaps one of the best kept secrets that's not a secret after all is that Lockheed Martin also delivers commercial cyber security business solutions to critical infrastructures among the Fortune 500: 79% of utilities, 35% of oil & gas and 46% of chemical processing.

In a recent visit to the Global Vision Center in Arlington, VA I toured the facility's 100 Moments exhibit. From witnessing Amelia Earhart's records (plural), to Air Force One, to the International Space Station solar array panels - the Lockheed Martin mark has proven to be a symbol of innovation. The centennial mission, "Helping the Future Arrive" includes tackling the challenges faced by critical infrastructures.

To that end, Lockheed Martin combines the intel analytic capabilities provided to the Department of Defense for decades with available technology to bring something unique and different to critical infrastructure markets including electric utilities, oil & gas and chemical processing.

"Industrial Defender's expertise in cyber security for critical infrastructure is a natural extension of our commercial cyber security business. Their experience in addressing cyber threats to industrial control systems complements our information technology cyber security expertise and strengthens the value we deliver to our customers."

-Marillyn Hewson, Lockheed Martin Chairman, President and CEO


Lockheed Martin and Intelligence Driven Defense®

Lockheed Martin is a global security company. The critical systems and networks of our customers come under attack every day. And every day we continue to safeguard some of the most sensitive information and mission-critical systems in the world. Lockheed Martin’s Computer Incident Response Team has created an intelligence-driven defense process, Cyber Kill Chain®, which allows cyber security professionals to proactively remediate and mitigate advanced threats in the future.

Necessity being the mother of invention, we developed these programs to elevate the traditional Defense in Depth model beyond reactive and proactive measures. The goal? Predictive intelligence.


How do Industrial Defender solutions fit?
Automation in Industrial Control Systems Environment

Where does your organization fall on the cyber security maturity scale? What could predictive intelligence mean for your organization?

Kathleen Wolf Davis, Editor-in-Chief of Intelligent Utility, recently interviewed Mark Browning, VP of IT at Exelon, to discuss how he is “investing in innovative thinkers and problem solvers” and highlights automation as a critical part of becoming more proactive. But what about predictive? "...Browning also revealed that Exelon is rethinking their processes---their ways of business. They want to become data-driven and more predictive, less reactive. And they are dying to 'automate, automate, automate,' he said."

At Lockheed Martin we believe intelligence driven defense and automation is a powerful combination to combat the APTs that threaten critical infrastructure operations. When asked how the Industrial Defender ASM contributes to the greater Lockheed Martin story, Industrial Defender Solutions CEO, Brian M. Ahern, commented on the natural fit, "...we share a common perspective on the importance of protecting global critical infrastructure from an increasingly hostile threat landscape. The combined capabilities of Industrial Defender Solutions and Lockheed Martin will enable us to offer a comprehensive suite of technology and services designed to face modern day threats and business challenges to both enterprise information and operational technologies. Joining forces is a natural fit for Industrial Defender Solutions and our growth plans."


Watch the video for the larger Lockheed Martin story on Intelligence Driven Defense©


Find out how you could benefit from automation in your industrial control systems environment.


Read more

As a global security company and as a member of the cyber defense community, Lockheed Martin joins its competitors and colleagues on a weekly basis to share relevant intelligence that can help all parties better protect the interests of the critical infrastructures they serve.

The critical systems and networks of our customers come under attack every day. And every day we continue to safeguard some of the most sensitive information and mission-critical systems in the world. Lockheed Martin’s Computer Incident Response Team has created an intelligence-driven defense process, Cyber Kill Chain®, which allows cyber security professionals to proactively remediate and mitigate advanced threats in the future.

There are seven steps every Advanced Persistent Threat (APT) and attacker must take to accomplish their mission.

What is the Cyber Kill Chain®?


  1. Reconnaissance - Research, identification and selection of targets, often represented as crawling Internet websites such as conference proceedings and mailing lists for email addresses, social relationships, or information on specific technologies.
  2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer). Increasingly, client application data files such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the weaponized deliverable.
  3. Delivery - Transmission of the weapon to the targeted environment. The three most prevalent delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments, websites, and USB removable media.
  4. Exploitation - After the weapon is delivered to the victim host, exploitation triggers the intruders’ code. Most often, exploitation targets an application or operating system vulnerability, but it could also more simply exploit the users themselves or leverage an operating system feature that auto-executes code.
  5. Installation - Installation of a remote access trojan or backdoor on the victim system allows the adversary to maintain persistence inside the environment.
  6. Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. APT malware especially requires manual interaction rather than conducting activity automatically. Once the C2 channel is established, intruders have “hands on the keyboard” access inside the target environment.
  7. Actions on Objectives - Only now, after progressing through the first six phases, can intruders take actions to achieve their original objectives. Typically, this objective is data exfiltration which involves collecting, encrypting and extracting information from the victim environment; violations of data integrity or availability are potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box for use as a hop point to compromise additional systems and move laterally inside the network.

What does the Cyber Kill Chain mean for industrial control systems owners and operators?

Managing automation environments is absolutely not the same as doing so within corporate IT domains. It’s been said that “OT is IT with consequences.” Think about the impact of a security incident – from the OT perspective;  critical infrastructure operations may be disrupted or lives may be put at risk. Driving security and compliance within automation systems is challenging in an entirely different way. 

To be successful in the world of security and compliance management for automation systems, you have to understand how critical infrastructure operates, the goals and objectives that are the priority for critical infrastructure owners, and the underlying technology that must be supported as part of this exercise. 


A new class of threats, appropriately dubbed the “Advanced Persistent Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns targeting highly sensitive economic, proprietary, or national security information.

Whitepaper: Intel Driven Defense
Discover the new look of defense.


Read more


Last week, we talked about how cyber security is like Chess. In order to be effective, you have to prepare and anticipate your opponent’s moves and styles of attack before they happen. Today we will look at the other side of the cyber coin: attackers. What future capabilities do we think they will have, and what can we do to start preparing for them?

There are three major capabilities that future Advanced Persistent Threats (APT) and attackers will have:

Trickle Down

I think it’s safe to say that one advantage that future hackers will have is a set of modern tools not commonly available to them today. Some examples of this future capability include the ability to use high-performance computing when orchestrating attacks. For example, they will be able to more universally leverage fiber for faster data speeds, meaning they can make their opening moves more quickly.

Inter-connected IP

This one isn’t so much a tool as it is an evolving vulnerability. At the most simplistic level, cyber criminals will become more savvy in understanding how interconnected all the pieces are within the cyber ecosystem. Take oil and gas, for example. In the future, all the parts of this industry will require a stronger relationship with each other. In the near future this could translate to a hacker’s ability to access an off-shore oil rig belonging to one company through a vulnerability found in a drone searching for new sources of gas that belongs to a different company.

In healthcare and medicine, this scenario gets even more alarming. This is especially true as our diagnostic systems and medical components get more complicated and complex. In the near future, we may even find the need to secure medical implant devices the same way we defend commercial airspace today.

Mobile Power

It’s pretty safe to assume that in ten to 20 years my new smartphone will have the same or greater computing power as a top-of-the-line gaming machine today. The expanded use of mobile technology could potentially create havoc in the right hands, especially when acquiring passwords and sensitive information for espionage.

If we can make any final assumptions about the future of cyber security, it’s not that any one of these particular scenarios is worthy of our preemptive defense. Rather, the orchestration of all three scenarios is what we have to prepare for, by continuing to monitor our networks faster, learning as much from our intruders as possible, and protecting the individual IP itself, no matter where it travels. After all, the old cliché still holds true today, and will in the future: those who don't study the past are doomed to repeat it.

Read more

One of the most common terms in any large organization is Risk Management. Risk Management has grown from a vertical role shared by multiple organizational executives into a separate horizontal practice to which professionals often dedicate entire careers. But what exactly is Risk Management? What is IT Risk Management? What is a Risk Management Framework? And why is it a vital component of an effective cyber security platform? For me, Risk Management is a rigorous business discipline that, if applied and communicated correctly, can ensure a business continues to achieve a strategy for profitable growth. It’s also the language of executives, and one that cyber security executives should be extremely well versed in.

Originating as a business discipline, risk management is the process of understanding what could possibly impact your company in a negative way, and having an action plan for each possible threat. Risk Management is about mapping and understanding the likelihood of these financial threats to your organization in a manner that looks at probability and severity.

The purpose of Risk Management is two-fold: be prepared for the worst, and help leaders make better-informed decisions. IT Risk Management is a subset of an enterprise-wide risk management strategy. Like business, IT can’t always prevent bad things from happening. Servers will fail, attacks will persist and some will eventually succeed. Therefore, it’s important to forecast uncertainty, map threats, and create countermeasures to potential threats as they pertain to the use of technology within an enterprise.

Part of this Risk Management approach toward IT is the combination of information security policies and activities with risk management principles. The result is a lifecycle known as an IT Risk Management Framework.

Seemingly every corporation has its own approach towards IT risk management. However, all IT Risk Management Frameworks share some basic traits. For example, IT Risk Management Frameworks tend to be a step-by-step process, or workflow, focused on:

  • Identifying threats
  • Mapping the severity and probability of each threat
  • Determining the impact of each threat
  • Implementing control recommendations


Following even a basic framework like the one we just described carries several major benefits to IT cyber security, such as:

Documentation: IT Risk Management Frameworks encourage organizations to document and put down a centralized view of threats and actions.
Structure: These frameworks augment incident response services to provide a bigger-picture perspective of organizational cyber health and security.
Gap discovery: These frameworks help organizations find and close or monitor vulnerabilities within their networks and structure.
Collaboration: IT Risk Management Frameworks are models that organizations can share to provide better security for the company as a whole. For example, Lockheed Martin’s Office of Counterintelligence Operations works to identify adversaries attempting to gather information about Lockheed Martin programs. It does so by gathering information about our Corporation, our personnel, and/or our customers, and uses mitigation strategies to deal effectively with these threats. But success means collaborating with corporate security teams, counterintelligence leads and other functional organizations. This collaboration is made possible in large-part through a common approach or framework towards risk management.

Risk is a natural part of the business and Information Technology. The key is to manage the cyber security risks in an effective way. If performed successfully, cyber security executives can leverage the risk management toolset to communicate clearly to their executive teams and more importantly secure funding for important security programs.


Did you miss the webinar introducing Lockheed Martin Industrial Defender?

A Unified Approach to IT and OT Cyber Security for Critical Infrastructure Industries

Demystifying NERC CIP
Read more

During our engagements we often hear many people say they are “air gapped” since their control system is not directly connected to the internet, or simply bury their heads in the sand about the problem. DHS released their quarterly newsletter (link to PDF, also copied below), which confirms a public utility was compromised and their control system was accessed. Actually, it states there were two separate hacks, and both were by external adversaries on systems configured to allow remote access.

While remote access is a necessity for many utilities (e.g., allowing vendors to perform system maintenance without costly travel, or in an emergency), when DHS reviewed the logs they determined the systems were likely accessed previously - something that would have been picked up by most network intrusion detection systems. As DHS pointed out, "This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities."

Public Utility Compromised

A public utility was recently compromised when a sophisticated threat actor gained unauthorized access to its control system network. After notification of the incident, ICS-CERT validated that the software used to administer the control system assets was accessible via Internet facing hosts. The systems were configured with a remote access capability, utilizing a simple password mechanism; however, the authentication method was susceptible to compromise via standard brute forcing techniques. ICS-CERT provided analytical assistance, including host-based forensic analysis and a comprehensive review of available network logs. It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified.
ICS-CERT conducted an onsite cybersecurity assessment in response to this incident to assist the asset owners with evaluating the overall security posture of their infrastructure. In addition, ICS-CERT made practical recommendations for re-architecting and securing the control network. This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.

So what can you really do?

The incident described above, as well as the other incident detailed in the report, serves to further strengthen the need for utilities to be able to implement and enforce secure configurations. Industrial Defender ASM's policy management application allows control system professionals to do just that - in a completely non-intrusive way with no agents and ultra-low bandwidth utilization.

Do you have Internet facing devices?

If you've never heard of ShodanHQ.com, you need to visit it immediately and search for your assets. Simply put, this site allows you to easily search for your devices and see if you have any that are directly internet facing. Start by disabling guest and default accounts, then move onto the slightly more complicated task of configuring those assets not to be internet facing.


Read more

Microsoft has released a security advisory for a vulnerability in Internet Explorer that could allow remote code execution (https://technet.microsoft.com/en-us/library/security/2963983.aspx). Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

What can Industrial Defender Customers Do?

Industrial Defender customers can download the policy below to find out which assets have the vulnerable software. The policy essentially searches software baselines across assets and flags assets which have Internet Explorer 6,7,8,9 or 10. The steps that the customers should follow:

  • Import the policy into ASM, assign the policy to a group
  • Promote the policy
  • Assign the policy to your Windows asset group (or create one if you don’t have an asset group which constitutes Windows assets)
  • Execute the policy

Policy (copy the XML below into a file that can be imported into ASM 5.6):

<PolicySet_x0040_5.6>
  <PolicyInfo>
    <PolicyName>IE Explorer 2963983 - Apr 28</PolicyName>
    <PolicySetID>1</PolicySetID>
    <PolicyID>1</PolicyID>
    <PolicyStatusID>9</PolicyStatusID>
    <PolicyOwner>e0aee1a9-91dc-44f4-8088-c07de21ea7ec</PolicyOwner>
    <DraftDescription>First Draft</DraftDescription>
    <ApprovalComment>Tests for IE version 6,7,8,9,10,11</ApprovalComment>
    <ApprovedBy>e0aee1a9-91dc-44f4-8088-c07de21ea7ec</ApprovedBy>
    <PromotionComment>Tests for IE version 6,7,8,9,10,11</PromotionComment>
    <DatePromoted>2014-04-28T13:21:07.783-04:00</DatePromoted>
    <PromotedBy>e0aee1a9-91dc-44f4-8088-c07de21ea7ec</PromotedBy>
    <CreateDate>2014-04-28T13:00:54.627-04:00</CreateDate>
    <CreateBy>e0aee1a9-91dc-44f4-8088-c07de21ea7ec</CreateBy>
    <UpdateDate>2014-04-28T13:21:07.783-04:00</UpdateDate>
    <UpdateBy>e0aee1a9-91dc-44f4-8088-c07de21ea7ec</UpdateBy>
    <PolicyGroupName>IE explorer group</PolicyGroupName>
    <PolicyDescription>IE explorer group</PolicyDescription>
  </PolicyInfo>
  <SoftwareInventoryPolicy>
    <SoftwareInventoryPolicyID>1</SoftwareInventoryPolicyID>
    <PolicySetID>1</PolicySetID>
    <NameExpression>@s IN ('Windows Internet Explorer 6', 'Windows Internet Explorer 7', 'Windows Internet Explorer 8', 'Windows Internet Explorer 9', 'Windows Internet Explorer 10', 'Windows Internet Explorer 11')</NameExpression>
    <VersionExpression>%</VersionExpression>
  </SoftwareInventoryPolicy>
</PolicySet_x0040_5.6>
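As an added example (not ASM code and not from the original post), the Python below parses the SoftwareInventoryPolicy portion of the policy above and evaluates it against a constructed Windows asset inventory. It assumes the expression syntax is SQL-like: @s stands for the software name, IN (...) lists the accepted names, and % and _ are LIKE wildcards in the version expression; that reading is an assumption, not ASM documentation.

```python
import re
import xml.etree.ElementTree as ET

# The policy posted above, trimmed to the elements this example reads.
POLICY_XML = """<PolicySet_x0040_5.6>
<PolicyInfo>
   <PolicyName>IE Explorer 2963983 - Apr 28</PolicyName>
   <PolicySetID>1</PolicySetID>
</PolicyInfo>
<SoftwareInventoryPolicy>
   <SoftwareInventoryPolicyID>1</SoftwareInventoryPolicyID>
   <PolicySetID>1</PolicySetID>
   <NameExpression>@s IN ('Windows Internet Explorer 6', 'Windows Internet Explorer 7', 'Windows Internet Explorer 8', 'Windows Internet Explorer 9', 'Windows Internet Explorer 10', 'Windows Internet Explorer 11')</NameExpression>
   <VersionExpression>%</VersionExpression>
</SoftwareInventoryPolicy>
</PolicySet_x0040_5.6>
"""

# Constructed asset inventory: (host, software name, version). Not real data.
INVENTORY = [
    ("ws-01", "Windows Internet Explorer 8", "8.0.7601.17514"),
    ("ws-01", "Adobe Reader XI", "11.0.06"),
    ("ws-02", "Windows Internet Explorer 11", "11.0.9600.17107"),
    ("ws-03", "Mozilla Firefox", "29.0"),
]

# Assumed grammar for NameExpression: "@s IN ('name', 'name', ...)".
IN_RE = re.compile(r"^\s*@s\s+IN\s*\((.*)\)\s*$", re.IGNORECASE | re.DOTALL)


def parse_name_expression(expr):
    """Extract the quoted names from an expression of the form @s IN ('a', 'b')."""
    match = IN_RE.match(expr)
    if not match:
        raise ValueError(f"unsupported NameExpression: {expr!r}")
    return re.findall(r"'([^']*)'", match.group(1))


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern ('%' any run, '_' one char) into an anchored regex."""
    out = []
    for ch in pattern:
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


class SoftwarePolicy:
    def __init__(self, name, software_names, version_pattern):
        self.name = name
        self.software_names = set(software_names)
        self.version_re = like_to_regex(version_pattern)

    def matches(self, software, version):
        """True when an inventory entry satisfies both the name and version expressions."""
        return software in self.software_names and self.version_re.match(version) is not None


def load_policy(xml_text):
    """Parse the policy XML into a SoftwarePolicy."""
    root = ET.fromstring(xml_text)
    name = root.findtext("PolicyInfo/PolicyName")
    sip = root.find("SoftwareInventoryPolicy")
    names = parse_name_expression(sip.findtext("NameExpression"))
    return SoftwarePolicy(name, names, sip.findtext("VersionExpression"))


def flagged_hosts(policy, inventory):
    """Hosts with at least one inventory entry matching the policy, in first-seen order."""
    hosts = []
    for host, software, version in inventory:
        if policy.matches(software, version) and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    print(f"{policy.name}: {flagged_hosts(policy, INVENTORY)}")
```

Because the version expression is the bare wildcard %, every listed IE name matches regardless of version; a narrower pattern such as 8.% would restrict a policy to one major version.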


Does Industrial Defender software have a vulnerable Internet Explorer version?

Only the Industrial Defender ASM product has IE installed and this new vulnerability does affect it. Although ASM has IE installed on it, Industrial Defender does not recommend using the browser locally on the ASM appliance. ASM should always be accessed remotely from an external browser.

As a best practice, we recommend that customers set the Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones, as per Microsoft’s security bulletin https://technet.microsoft.com/en-us/library/security/2963983.aspx

Read more