- Oct 1, 2019
Hi,
The company my girlfriend is working for had a ransomware attack in one of their regional offices in another country. As a result the company is changing from a BringYourOwn policy with an annual allowance to purchase your own hardware to a ChooseYourOwn policy in combination with a "walled garden" data security approach. In short, employees can choose an Apple smartphone and a Windows tablet, 2-in-1 or laptop, and they are not supposed to use these devices privately (devices will be monitored). These company devices will only save documents to the company cloud and refuse to open documents from disk, USB et cetera.
To prepare and support the employees for this change, all employees got a day of IT-security awareness training. Before that day, they were informed that they would have to sign a company policy addendum in which they confirmed that they were aware of the new policy, understood the new policy and promised to comply with this new policy. The consequence of non-compliance was "a yellow card" (official reprimand) when a breach was detected and the employee could convince that it was not caused by the employee's lack of applying the rules of "well-mannered netiquette and good parentship of company data". A red card (employee would be fired) when such a breach was caused by irresponsible digital behavior or such an event would happen for the second time.
To prevent employees from breaching the new company policy while converting from BYO to CYO, they could (voluntarily) hand over the PC they used for the mixed work/private (BYO) situation. Their PC would be scanned for documents containing metadata with company tag words. This check would be supervised by a member of the Employees Council. This check produced an automated list. In the afternoon the employees could mark which documents (or folders) were related to company documents. After explicit okay from the employee these documents were removed from the BYO PC and moved to a sandbox where they were checked (for malware). This procedure should prevent company IT personnel peeking into private data (that is why a member of the Employees Council was present and only files which had the company tags were listed, not read). The program looking for company tags in the metadata of Office documents was a portable program run from a USB stick. It was obvious HR and IT had thought carefully about the process to take both privacy and security into consideration.
As a bonus the guys from the IT department would perform a PC health and virus check on the BYO PC and would install Libre Office and a good free antivirus (the company uses Kaspersky, probably the reason why they installed Kaspersky Free). Employees could indicate that they had a paid Office license and/or paid antivirus subscription (to prevent losing privately owned licenses with Libre Office and Kaspersky Free).
I had installed a digital Office 2016 Pro and had kept Windows Defender (set to MAX and with a Hard_Configurator profile allowing EXE and TMP to execute). I added this profile to this post. When my girlfriend informed me about the new policy, I kept the PC as is and told her we had a valid Office 2016 license (to prevent installing Libre Office).
I did not remove H_C on purpose and did not remove the WD Exploit Protection settings for Office and Edge (the Code Integrity Guard normally blocks DLLs of third-party AVs), just to see what happened. For comparison, when I installed Avast Free, the WD Exploit Protection setting Code Integrity Guard would block a DLL of the behavior blocker which wanted to hook into Office programs and the Edge browser.
The surprise was not that Kaspersky Cloud FREE worked well with Hard_Configurator, but with the Windows Defender Exploit Protection settings I have enabled for the Office programs and Edge-Chromium. Most third-party antivirus solutions don't handle these exploit protection settings well (especially enabling the Code Integrity Guard), but Kaspersky Free did not give a beep.
Windows Defender Exploit Protection settings for Microsoft Office programs and the Edge browser (important: don't enable Code Integrity Guard for non-Microsoft programs, it will break that program; Code Integrity Guard only works with Microsoft-signed programs).
Word - Excel - PowerPoint
- block low integrity images
- block remote images
- block untrusted fonts
- enable Code Integrity Guard
- disable extension points
- enable "do not allow child processes"
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"
Outlook
- block low integrity images
- block remote images
- block untrusted fonts
- enable Code Integrity Guard
- disable extension points
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"
Edge-chromium
- block low integrity images
- block remote images
- enable Code Integrity Guard
- disable extension points
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"
To use this Restrict Dangerous File Extensions profile with Hard_Configurator, rename the attached text file from Kaspersky_FREE_Cloud_Companion.txt to Kaspersky_FREE_Cloud_Companion.hdc.
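The per-application Exploit Protection settings listed above can be applied from an elevated PowerShell session with the built-in Set-ProcessMitigation cmdlet instead of clicking through the Windows Security UI. This is an added example, not the attached Hard_Configurator profile or anything from the original post; it assumes the standard Office and Edge executable names (winword.exe, excel.exe, powerpnt.exe, outlook.exe, msedge.exe) and maps each UI label to the corresponding cmdlet mitigation name.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the post's Exploit Protection profile per executable.
# Assumption: Windows 10 1709 or later, standard Office/Edge binary names.

# Mitigations shared by every application in the post (UI label in comment).
$commonMitigations = @(
    'BlockLowLabelImageLoads',        # block low integrity images
    'BlockRemoteImageLoads',          # block remote images
    'MicrosoftSignedOnly',            # Code Integrity Guard: Microsoft-signed apps only
    'DisableExtensionPoints',         # disable extension points
    'ForceRelocateImages',            # force randomization for images (Mandatory ASLR)
    'EnforceModuleDependencySigning'  # validate image dependency integrity
)

# Office apps additionally block untrusted fonts; Word/Excel/PowerPoint also
# get "do not allow child processes". Outlook and Edge omit the child block.
$officeExtras  = @('DisableNonSystemFonts')                      # block untrusted fonts
$noChildren    = @('DisallowChildProcessCreation')               # do not allow child processes

$profiles = @{
    'winword.exe'  = $commonMitigations + $officeExtras + $noChildren
    'excel.exe'    = $commonMitigations + $officeExtras + $noChildren
    'powerpnt.exe' = $commonMitigations + $officeExtras + $noChildren
    'outlook.exe'  = $commonMitigations + $officeExtras
    'msedge.exe'   = $commonMitigations
}

foreach ($exe in $profiles.Keys) {
    # -Name with a bare executable name writes the system-wide per-app policy,
    # so the process does not need to be running.
    Set-ProcessMitigation -Name $exe -Enable $profiles[$exe]
}

# Verify the two settings most likely to collide with third-party AV hooks.
foreach ($exe in $profiles.Keys) {
    $m = Get-ProcessMitigation -Name $exe
    $vals = @($exe, $m.SignedBinary.MicrosoftSignedOnly, $m.ChildProcess.DisallowChildProcessCreation)
    '{0,-13} MicrosoftSignedOnly={1}  DisallowChildProcessCreation={2}' -f $vals
}
```

If a third-party antivirus later fails to hook Office or Edge, the MicrosoftSignedOnly line in the verification output is the first setting to check, as the post describes for Avast.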