{"id":1362,"date":"2014-01-13T11:00:48","date_gmt":"2014-01-13T17:00:48","guid":{"rendered":"http:\/\/www.poweradmin.com\/blog\/?p=1362"},"modified":"2019-12-17T09:57:59","modified_gmt":"2019-12-17T15:57:59","slug":"the-death-of-windows-xp-and-industrial-pc-security","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/the-death-of-windows-xp-and-industrial-pc-security\/","title":{"rendered":"CIFS Monitoring & Industrial PC Security"},"content":{"rendered":"

CIFS \u2013 How to Protect Legacy Industrial PCs (IPCs) <\/strong><\/span><\/h2>\n

\"Protect<\/a>Before the popularity of cloud began to take over, the only choice that companies large and small had with regard to IT infrastructure, was to build their own network. This of course consisted of servers, web servers and workstations, all connected together for the purposes of information sharing, and was based on permissions as to who could access what.<\/span><\/p>\n

While it\u2019s safe to say that cloud offers an alternative to smaller businesses when it comes to IT infrastructure, it\u2019s not always the answer for larger organizations and this means that servers and IPCs are often still on-site.<\/span><\/p>\n

However, change is constant and this also means that many companies have \u2018legacy\u2019 IT hardware and software that they need to maintain. Implementing a completely new network is a costly affair and while choices exist with regard to hybrid cloud, for example, it\u2019s not always a viable option when it comes to capital expenditure and downtime.<\/span><\/p>\n

This means that many companies and organizations are still running legacy products, which may no longer be supported. This is especially true of Microsoft products and it\u2019s now old news that the company will be pulling support for XP in April this year. Add to this that support for Windows 2000 (best MS OS ever, IMO) ended some four years ago now and the security risks to these systems are substantial. This is where CIFS monitoring (also known as File Integrity Monitoring or FIM)<\/a> can play a role in security.
\n<\/span><\/p>\n

What Support Does Microsoft Provide?<\/strong><\/span><\/span><\/h2>\n

\"Windows<\/a>With the aforementioned OS, at its most basic level it means that there will be no updates to the software, which could cause driver issues, but more importantly, leaves it with \u2018holes\u2019 in the OS in which malware can attack.<\/span><\/p>\n

Generally, for newer OSs, Microsoft releases patches and updates to ensure that any vulnerability found in the OSs are \u2018closed\u2019 so that the risk of infection from malware and attackers is minimized. Unless there\u2019s a real emergency, these are usually released on \u2018 Patch Tuesday<\/a>\u2019, which occurs on the second Tuesday of every month.<\/span><\/p>\n

However, from April of this year, this will no longer apply to Windows XP and although the software (trying to turn hardware) giants acknowledge that this will leave many open to various types of infection, including \u201cpermanent 0-days\u201d, complaining about it isn\u2019t going to make any difference.<\/span><\/p>\n

Won\u2019t Antivirus Solutions Pick These Up?<\/strong><\/span><\/span><\/h2>\n

\"Is<\/a>Sometimes. AV products only work by protecting against threats that they already know about. So if a new threat, especially a 0-day threat comes along, then it\u2019s inadequate protection, especially for businesses. A 0-day threat basically means that it\u2019s not yet been recognized as a threat by the AV vendors and so can\u2019t be cleaned or quarantined before doing the damage.<\/span><\/p>\n

Worms can be especially damaging, as they travel across a network quickly and while different variants have diverse effects, it\u2019s not something that any business needs on their network. Worms can completely disable programs, making them impossible to open and use, (this includes AV products) or can simply travel around the network stealing information as they go. Worms often also come packaged with other forms of malware, such as trojans, which can contain keystroke loggers and more.<\/span><\/p>\n

Possibly the most famous worm is Stuxnet<\/a>, which attacked an Iranian nuclear plant with the intention of causing the engines to spin out of control. A similar worm, which was dubbed the \u2018Son of Stuxnet\u2019 was Duqu<\/a>, which stole information rather than causing damage. Both of these are accepted to have been created by a state, rather than an individual hacker, and most security experts agree that it was an Israeli and US collaboration.<\/span><\/p>\n

Worse than either of these was a worm known as Conficker, which in theory had the ability to take down the entire\u00a0internet. <\/em>Imagine how much we rely on the net for national power systems, emergency services and so much more and it\u2019s a scary idea. The author of Conficker was never caught and the worm never dropped its payload<\/a>, but it\u2019s thought that millions of PCs around the world remain infected.<\/span><\/p>\n

The interesting thing about Conficker was the ability of its creator to stay one step ahead of the world\u2019s top security experts at all times, thwarting every attempt to stop it. If you\u2019re interested in learning more, then give Mark Bowden\u2019s (also author of Black Hawk Down)<\/em> book WORM: The First Digital World War<\/em><\/a>a read, it\u2019s fascinating stuff.<\/span><\/p>\n

What if my IPC Isn\u2019t Internet Connected?<\/strong><\/span><\/span><\/h2>\n

\"Internet<\/a>One of the most interesting things about Stuxnet, is that it attacked an unconnected (to the internet) system and it\u2019s commonly thought that an insider infected the Siemens-based control systems with a USB drive. However, the worm also existed \u2018in the wild\u2019 before being picked up by the AV companies. The plant systems were not connected to the net, as many IPCs aren\u2019t, but it didn\u2019t stop them becoming infected.<\/span><\/p>\n

One way to help ensure that your legacy IPCs are protected is with the use of Common Internet File System (CIFS) monitoring, which can take snapshots of Windows and Linux-based systems regularly in order to pick up any changes in the file system.<\/span><\/p>\n

According to ECN\u2019s Dan Schaffer<\/a>, \u201cAn industrial security device with CIFS monitoring capability can alert the engineering staff of a possible malware infection on day zero, even if the malware was previously unknown.\u201d<\/span><\/p>\n

This means that CIFS monitoring<\/a> is a viable alternative and\/or addition to AV products when it comes to protecting legacy IPCs. It warns if any system files have been altered, deleted or added and alerts the relevant member of staff to the problem so that they can take immediate action. This means that even zero-day exploits can be discovered quickly and dealt with before doing any serious damage.<\/span><\/p>\n

Further advantages include:<\/span><\/p>\n