In: Computer Science
- List some Windows Server threats and their security controls.
Malware is the term used to describe malicious applications and code
that can cause damage to resources and interrupt the normal use of
devices.
It can allow unauthorized access, use system resources, steal
passwords from your system, lock you out of your computer, etc.
Transmission of malware or any other type of virus:-
1) From removable media like pen drives or any other physically
connected devices.
2) From downloads over the internet.
3) From e-mail attachments.
Types of threats to Windows Server:-
Adware
Backdoor
Behavior
BrowserModifier
Constructor
CoinMiners
DDoS
Exploit
Hacktool
Joke
Misleading
Macro malware:- Macro malware hides in Microsoft Office files and is
delivered as email attachments or resides in ZIP files.
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm
Fileless threats in Windows Server:-
1) No file activity performed:-
It never requires writing a file to the disk. The malicious code may
hide in device firmware (BIOS), in a USB peripheral (as in the BadUSB
attack), or even in the firmware of the network card.
None of these examples requires a file on the disk to run; they can
live only in memory, surviving even reboots, disk reformats, and OS
re-installs. They are difficult to detect and a difficult problem for
a virus scanner to find.
Example:- The DoublePulsar backdoor, which can be exploited by the EternalBlue vulnerability.
2) Indirect file activity:-
It doesn't directly write files to the file system, but it can end
up using files indirectly.
Example:- Poshspy backdoor.
Attackers install a malicious PowerShell command within the WMI
(Windows Management Instrumentation) repository and configure a WMI
filter to run the command periodically.
3) Files required to operate:-
Automatic execution of files when the machine starts.
Example:- Kovter's file execution.
Normal solutions to avoid malware or any other type of attack:-
1) Keep the system software up to date.
2) Beware of any malicious websites or links.
3) Use a non-administrator account for normal use.
4) Don't connect any unknown removable drives.
5) Beware of links and email attachments to avoid phishing attacks.
6) Back up files (3-2-1 rule: make 3 copies, store them in at least 2
locations (offline/online), with at least 1 offline copy).
7) Use strong passwords that can't be hacked.
8) Don't log in to any unauthorized/untrusted website or mobile app.
9) Don't open any suspicious emails or attachments, etc.
Microsoft provides some software solutions to protect against
threats:-
1) Automatic software updates:- To avoid exploit attacks.
2) Microsoft Edge (a browser that can detect threats or malware,
etc.).
3) Microsoft Safety Scanner:- It helps remove malicious applications
from your computer.
4) Office 365 Advanced Threat Protection:- It helps block dangerous
emails using machine learning algorithms.
5) Microsoft Defender ATP:- It scans the system thoroughly; if any
unwanted or malicious code is found, it will notify you.
6) Windows Hello:- It follows 2-step authentication for more
security.
7) Controlled folder access:- It can detect any malware or malicious
code in the file system. If any malware is found, it will notify
you.
8) Enable PUA (potentially unwanted applications) detection:- To
avoid CoinMiner attacks.
9) Antimalware Scan Interface (AMSI):- To avoid fileless malware.
10) Enable or disable macros in Office documents.
11) It can prevent macro malware from running executable content
using ASR (attack surface reduction) rules.
12) Microsoft Exchange Online Protection (EOP) to avoid phishing
attacks.
13) If you have already been hit by a phishing attack, report that
spam to that organization.
14) Educate your employees so that they can easily identify social
engineering and spear-phishing attacks.
15) Maintain highly secure build resources and code, and update the
infrastructure.
Phishing:-
Phishing attacks are scams that often use social engineering baits
or lure content. They attempt to steal sensitive information through
emails, websites, text messages, or any other form of electronic
communication.
Macro malware attacks:-
Each ASR rule has the following three settings:-
1) Not configured:- Disables the ASR rule
2) Enable the ASR rule
3) Audit:- Evaluates how the ASR rule would impact your organization
if enabled.
You can enable attack surface reduction rules by any of these methods:-
1) Microsoft Intune
2) Mobile Device Management (MDM)
3) System Center Configuration Manager (SCCM)
4) Group Policy
5) PowerShell
Ransomware:-
Another important type of threat is the ransomware attack. Examples
of ransomware include Spora, WannaCrypt (also called WannaCry) and
Petya (also called NotPetya).
Rootkits:-
An undiscovered, successful rootkit can remain in place for years if
it is not detected. During this time it steals your information and
resources.
Supply chain attacks:-
The main goal is to access the source code, build processes, or
update mechanisms of a system.
Types of attacks in this threat:-
1) Compromised software build tools or update infrastructure
2) Malicious apps signed using the identity of the development
company
3) Specialized code stored in hardware or firmware components
4) Pre-installed malware on devices (phones, USB drives, cameras, etc.)
Trojans:-
They have to be downloaded, either manually or by another malware
that downloads and installs them onto your system.
How trojans work:-
1) Download and install other malware like viruses or worms.
2) Use the infected device for fraud.
3) Record the keystrokes and the websites that you visit.
4) Send sensitive information about the infected device to the
hacker, including passwords, login credentials for websites, and
browsing history.
5) Give the malicious hacker control over the infected device.
Worm:-
A worm is a type of threat (malware) that can copy itself and often
spreads through the entire network.
It can spread through email attachments, text messages, file-sharing
programs, social networking sites, network shares, removable drives
(pen drives, USB) and software vulnerabilities.
Due to time constraints, I can't explain more. I hope that you will like the answer.
Thank you so much.
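As an added example (not part of the original answer), the PowerShell below checks two of the controls discussed above on a Windows Server: the state of the ASR rules that stop Office macro malware, and the permanent WMI event subscriptions that the "indirect file activity" fileless backdoor relies on. It assumes Microsoft Defender Antivirus is installed and the session is elevated; the two rule GUIDs and the function names are mine, not from the answer.

```powershell
# Added example, not from the original answer. Read-only posture check for the
# ASR macro rules and for WMI persistence; assumes Defender AV and an elevated session.
# GUIDs of the two macro-related ASR rules (confirm against Microsoft's ASR
# rule reference). Defender stores each rule's action as an integer:
# 0 = Disabled (not configured), 1 = Block, 2 = Audit, 6 = Warn.
$MacroAsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
$AsrStateNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-MacroAsrRuleState {
    # Reports each rule's state: missing, audit-only, or actually blocking.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $MacroAsrRules.Keys) {
        $state = 0
        for ($k = 0; $k -lt $ids.Count; $k++) {
            if ($ids[$k] -eq $guid) { $state = [int]$acts[$k] }  # -eq ignores case
        }
        [pscustomobject]@{ Rule = $MacroAsrRules[$guid]; State = $AsrStateNames[$state] }
    }
}

function Enable-MacroAsrRulesAudit {
    # Setting 3 above: audit first, then switch the action to Enabled (block).
    foreach ($guid in $MacroAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $guid -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-WmiPersistence {
    # Lists permanent WMI subscriptions: a filter (WQL trigger) bound to a
    # consumer (the command or script it runs). A CommandLineEventConsumer that
    # launches powershell.exe is the "indirect file activity" pattern above.
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $cmd = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{ Filter = $f.Name; Query = $f.Query; Consumer = $c.CimClass.CimClassName; Command = $cmd }
    }
}

Get-MacroAsrRuleState | Format-Table -AutoSize
Get-WmiPersistence | Format-List
```

On a clean server Get-WmiPersistence normally returns nothing or only well-known management subscriptions; any binding whose consumer runs powershell.exe or an encoded command deserves investigation before removal.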