Solving Common Security - Thawte
Solving Common IT Security Problems
an Internet.com Security eBook
This content was adapted from Internet.com's eSecurity Planet and Enterprise IT Planet Web sites. Contributors: David Strom, Michael Horowitz, Sonny Discini.
I had my laptop stolen once, about five years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. (And it seems to be getting more common, according to a story in the LA Times about thieves who follow customers home from Apple Stores.) So what can users do to be more proactive, given the number of laptops that go missing every month? One way is to use one of a growing number of recovery software tools that automatically phone home (in the Internet sense of the word) and help you and the authorities, should they be interested, in trying to track it down. Think of what LoJack does for locating cars, with the added information that having an Internet connection can bring (indeed, the company is one that offers a laptop tool). While it sounds like a great idea, there are several issues with using these tools. First, most of them are designed for individuals, not corporations. Absolute Software's Computrace has an enterprise version called Complete in their LoJack for Laptops line, which offers asset tracking and remote data destruction (wiping the hard disk) that aren't found in the individual product. zTrace Technologies' zTrace Gold, MyLaptopGPS for Windows, and Brigadoon's PC/Mac PhoneHome products all offer quantity pricing for business customers, but not much else in terms of added features over their individual versions.
OS-Based Options
Third, the versions on offer differ in features between Mac and Windows, with the Mac version (if there is one at all) usually being a poor cousin. If you run a mixed network, this could decide which product you end up deploying. Taking Computrace as an example again, the Mac version doesn't include the embedded BIOS agent that comes with the Windows product, which is what lets the Windows agent survive a reformat of the hard drive.
Solving Common IT Security Problems, an Internet.com Security eBook. 2010, Internet.com, a division of QuinStreet, Inc.
Phoenix Technologies offers something similar for its OEM BIOS customers, called FailSafe, but not to the general public. GadgetTrak has software for both Mac and Windows, but prices them differently.
Well-Rounded
Next, these tools are just one part of an overall laptop security solution that should also include disk encryption and password-protecting the boot drive. If these tools live on the hard disk and you haven't enabled a firmware or disk password, any intelligent thief can simply reformat your hard drive and remove the protection, or just remove the hard drive itself. So it makes sense to start by putting password protection on all of your machines as the first line of defense. Disk encryption is especially important if you need to protect confidential corporate or business data, not to mention personal data such as bank account passwords. That brings me to my last point: do you really need a vendor-operated central monitoring station, or can you set up your own central place where alerts are sent? GadgetTrak, Orbicule's Undercover for Macs and iPhones, Prey (for Mac, Windows, and Linux), and PC/Mac PhoneHome are all tools that don't use a central monitoring station. Instead, the software sends information to your e-mail account (and, for GadgetTrak, to a Flickr account) directly. With some of these products, on each boot the agent checks for the presence or absence of a special URL that indicates the laptop has been stolen. If it has, the agent sends details such as the current IP address, a snapshot from the webcam, screenshots, and other information to your e-mail address. Note the tension here: a boot or disk password, which you want anyway, also stops the thief from booting into the operating system, and an agent that lives in the operating system only reports once the machine is booted and online.

One user of Undercover had his laptop stolen about two years ago, also from his car. (Have you realized never to leave a laptop in a vehicle now?) "Within a few days, we had screenshots and camera images of the thief and, working with local authorities, we were able to recover the laptop within a week," said Lenny, a friend of mine who has run several major corporations and is a big fan of their software. While options vary depending on need, OS, and budget, the ideal approach to protecting laptops is to cover your bases: use password protection and disk encryption, employ a monitoring product with a corresponding tracking piece on each laptop, and remind users never to leave a laptop in a car.
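The "special URL" mechanism described above, as an added example in Python (this is not code from any of the products named, nor from the original article): the agent treats the existence of a URL as the "stolen" flag, gathers the kind of evidence the text lists, and builds the e-mail it would send to the owner. The flag URL, the owner's address, and the three stand-in network fetchers are constructed assumptions so the logic runs offline; webcam and screenshot capture are left out because they are platform-specific.

```python
import json
import platform
import socket
from datetime import datetime, timezone
from email.message import EmailMessage

# Hypothetical "stolen flag": a URL that exists only after the owner marks the
# laptop stolen. Host, path and addresses are assumptions for this example.
STOLEN_FLAG_URL = "https://recovery.example.com/flags/laptop-0001"
OWNER_EMAIL = "owner@example.com"


def flag_is_raised(fetch, url=STOLEN_FLAG_URL):
    """fetch(url) returns an HTTP status code; the flag is raised when the URL
    exists (200). fetch is injected so this runs offline. A real agent must do
    the check over HTTPS with certificate verification: a plain-HTTP probe can
    be answered by anyone on the network path, including a captive portal."""
    try:
        return fetch(url) == 200
    except OSError:
        return False          # no connectivity: stay quiet, retry on next boot


def collect_evidence():
    """What the tools described above gather: address, host details, time."""
    hostname = socket.gethostname()
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        ip = "unknown"
    return {
        "hostname": hostname,
        "local_ip": ip,
        "os": platform.platform(),
        "seen_at": datetime.now(timezone.utc).isoformat(),
    }


def build_report(fetch, evidence=None, owner=OWNER_EMAIL):
    """Return the e-mail the agent would send, or None while the flag is down."""
    if not flag_is_raised(fetch):
        return None
    evidence = evidence if evidence is not None else collect_evidence()
    msg = EmailMessage()
    msg["To"] = owner
    msg["From"] = "agent@example.com"      # assumed sender identity
    msg["Subject"] = f"[recovery] {evidence['hostname']} reported in at {evidence['seen_at']}"
    msg.set_content(json.dumps(evidence, indent=2, sort_keys=True))
    return msg


# Constructed fetchers standing in for the network, one per state.
def fetch_flag_present(url):
    return 200


def fetch_flag_absent(url):
    return 404


def fetch_no_network(url):
    raise OSError("network unreachable")


if __name__ == "__main__":
    print(build_report(fetch_flag_present))
```

The "no network" branch matters: an agent that reports on any error would mail the owner on every disconnected boot, and one that treats a redirect from a hotel captive portal as "200" would false-alarm, which is why the status check is exact and the fetch is expected to verify the server's certificate.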
The recent attacks against Google and other companies highlighted spear phishing attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware). The end result of the phony yarn spun in the body of the message is that the duped user visits an infected Web page, opens a maliciously crafted document, or runs a malicious program. Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone who works with secrets that the bad guys want may be sent a message targeted specifically at them. The message will appear to come from someone they know, and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address. The fraud succeeds, in part, because people trust the From address of an e-mail message. No one should; forging the From address is child's play, since SMTP never checks that the From header matches whoever actually handed over the message. But since the From address is correct 99 percent of the time and many don't know that it is easily forged, this gets the spear phishing message in the door, so to speak.
As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams. Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Web site. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware. Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?
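As an added example (not part of the original article), the following Python script shows why the From header by itself proves nothing and what a receiving-side check can still do: it compares the From domain with the envelope sender recorded in Return-Path, reads the receiving server's own SPF/DKIM verdicts from the Authentication-Results header it adds, and flags a known display name that arrives paired with an unfamiliar address. The three messages, the address book, and the domains are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed messages. Authentication-Results is the header a receiving mail
# server adds after checking SPF/DKIM; the verdicts here are made up.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: Alice Example <alice@example.com>
To: Bob Executive <bob@example.com>
Subject: Re: Q3 board deck (updated)

Bob, the updated deck is at http://example.net/deck - please review today.
"""

SAMPLE_LOOKALIKE = """\
Return-Path: <alice@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com
From: Alice Example <alice@examp1e.com>
To: Bob Executive <bob@example.com>
Subject: Re: Q3 board deck (updated)

Bob, see the attached deck.
"""

SAMPLE_LEGIT = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice Example <alice@example.com>
To: Bob Executive <bob@example.com>
Subject: Re: Q3 board deck

Bob, deck attached.
"""

# Assumed address book: display name -> the address the recipient actually knows.
KNOWN_CONTACTS = {"Alice Example": "alice@example.com"}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header):
    """Return {method: result} pairs, e.g. {'spf': 'fail', 'dkim': 'none'}."""
    results = {}
    for part in header.split(";")[1:]:      # part 0 is the authserv-id (mx.example.com)
        tokens = part.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw_message, contacts=KNOWN_CONTACTS):
    """List the reasons the visible From header of this message should not be trusted."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom, rp_dom = domain_of(from_addr), domain_of(return_path)
    reasons = []

    # 1. Envelope sender (what SMTP actually saw) differs from the visible From domain.
    if rp_dom and from_dom and rp_dom != from_dom:
        reasons.append(f"return-path domain {rp_dom} != From domain {from_dom}")

    # 2. The receiving server's SPF/DKIM verdicts, if it recorded any.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    for method in ("spf", "dkim"):
        if auth.get(method) not in (None, "pass"):
            reasons.append(f"{method}={auth[method]}")

    # 3. A display name the recipient knows, paired with an address they do not.
    known = contacts.get(display)
    if known and known.lower() != from_addr.lower():
        reasons.append(f"display name '{display}' uses {from_addr}, expected {known}")
    return reasons
```

The look-alike case is the one SPF and DKIM cannot catch: the attacker's own domain authenticates perfectly, so only the comparison against what the recipient already knows raises a flag. That comparison is the machine form of the skepticism the next paragraph asks of people.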
Restricted Users
Running as a limited (a.k.a., restricted or standard) user is job one. For the sake of backward compatibility Windows users, by default, run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.
Windows Vista and Windows 7 users may feel that UAC protects them, even when logged on as an administrator. It does not. I've been testing life as a restricted user for a while on both Windows XP and Windows 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password). If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator-class user can click on an icon for Adobe Reader that actually runs DropMyRights. It, in turn, runs Adobe Reader, but only after dropping its rights to those of a limited user. Thus, if an infected PDF file tries to install software, it fails. Running as a limited user, however, does not prevent malicious software from running under the user's own account; it only prevents it from writing to system folders and registry keys, and therefore from being permanently installed machine-wide. Anything the user can read, malware running as that user can read too. More steps are needed.
Internet Explorer
It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did. No more Internet Explorer. Just say no. Friends don't let friends use Internet Explorer. In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back. Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.
Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security. In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow. For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability, techie terminology for a bug that is being exploited before the vendor has a fix for it. It turns out not to have been zero day at all, more like 120 days: Microsoft was alerted to the problem four months before it was exploited against Google. And we're still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: drive. There is no such thing as removing Internet Explorer, but we can hide it. First, lock it down as best as possible. On the Security tab of Internet Options, set the Internet and Local intranet zones to High security. Turn on Protected Mode and DEP (note that hardware DEP requires companion support in both the processor and the BIOS). Then get rid of all visible signs of Internet Explorer: remove it from the desktop, the task bar, and the Start menu. It's still there, only now the only way to run it is to navigate to C:\Program Files\Internet Explorer\iexplore.exe.
Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find for any malware looking to infect it. The flip side is that a browser the user can update is also one that malware running as that user can modify, so this trades patch agility for integrity. Another program that I'd ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader. Like Internet Explorer, Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple of years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be. In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program (AcroRd32Info.exe) to run, no clicking required. This is true even if Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0). It's all just too intrusive for my taste. There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn't do everything that Adobe Reader does, but it should be enough for almost everyone. If, for some reason, Adobe Reader can't be uninstalled, then at least don't make it the default program for opening PDFs, and be sure to turn off JavaScript in its preferences, since malicious PDFs commonly rely on JavaScript to trigger their exploits.
While Internet Explorer and Adobe Reader are the most frequently targeted applications, the bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would uninstall QuickTime, Java, Shockwave, RealPlayer, and any other popular software that is not absolutely needed. Flash is a difficult choice. Because it's popular, you can expect the bad guys to exploit known vulnerabilities as they are discovered. But it's also needed frequently. As a compromise, consider the Flashblock Firefox extension. It works by blocking Flash objects on Web pages and replacing them with placeholders; if a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times. Perhaps the king of popular software is Microsoft Office. Consider replacing it with OpenOffice, the theory being, again, to run software that is a lesser target. OpenOffice is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough. Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn't get much press. In Microsoft's own words:
We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.
Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldnt follow them. The safest thing to do is replace Microsoft Office with competing software.
Hardware Encryption
On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do, and hard drive passwords are more secure than both BIOS-level startup passwords and operating system passwords, because the drive itself refuses to work until the password is supplied, even if it is moved to another machine. One caveat: on an ordinary (non-self-encrypting) drive the ATA password does not encrypt the data on the platters. It is a lock, not encryption, so it does not replace disk encryption for data that must stay confidential. The best encryption is, arguably, full disk encryption, and if an executive has sensitive files on his or her computer, this might make sense. But sensitive files should not be kept on a laptop or desktop computer at all. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can't go. Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on the computer; thus they work with computers running Windows, OS X, or Linux. Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can't see anything on the drive. After the password is validated, the drives work like normal unencrypted hard drives; the computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.
Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.
Exploiting Friends
Is all this too much trouble? Am I over reacting? The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times reported that personal friends of employees at Google, Adobe, and other companies were targeted by hackers. Friends? The article, by Joseph Menn, says
...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.
Yikes.
Securing the enterprise against cyber attacks has become one of the highest priorities of corporate leadership. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.
What this really means is that offense and defense must keep each other informed, and as such, the overall foundation of security is built on this flow of communication. Enterprise security teams have struggled with this, but now they may have an effective model to apply.
Now, when tailoring your controls to be enterprise-specific, consider the following sub-controls.

Low Hanging Fruit: The intent of identifying low-hanging-fruit areas is to highlight where security can be improved rapidly, that is, where an organization can improve its security stance without major procedural, architectural, or technical changes to its environment.

Improved Visibility and Attribution: Improving the process, architecture, and technical capabilities of organizations so they can monitor their networks and computer systems, gaining better visibility into IT operations. In other words, these controls increase an organization's situational awareness of its environment.

Hardened Configurations: This type of control focuses on protecting against poor security practices by system administrators and end users that could give an attacker an advantage in attacking target systems. Hardened system configuration aims to reduce the number and magnitude of potential security vulnerabilities as well as improve the operation of networked computer systems.

There are 15 controls that can be handled via automation and five that require manual application. The SANS Institute provides specific details about each of these controls. The 15 that can take advantage of automation are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services

The five that require manual application are:

16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training

The consensus effort to define critical security controls is an evolving one. Changing technology and changing attack patterns will necessitate future changes, even after the current set of controls has been finalized. In that sense this will be a living document, but the controls described in this version are a solid start in the quest to make fundamental computer security defenses a well-understood, repeatable, measurable, scalable, and reliable process throughout the federal government. Although there is no such thing as absolute protection, proper implementation of these controls helps ensure that an organization is protecting against the most significant attacks. As attacks change, as additional controls or tools become available, or as the state of common security practice advances, it is critical to review these controls and make changes as needed. Treat this list as a living document with frequent evaluations to ensure that the most effective practices are indeed in place.
These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your office WLAN. Most WLAN hardware has become easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:
Broadcasting the SSID is extremely convenient, since you can locate a WLAN without having to know what it's called, but it also makes your WLAN visible to any wireless system within range. Turning off SSID broadcast makes the network invisible to casual neighbors and passers-by, though it is still detectable by WLAN sniffers, and clients configured for a hidden network will probe for it by name wherever they go. Treat this as a convenience setting rather than a security control; the encryption and authentication settings are what actually keep intruders out.
If you've ever Googled "Wi-Fi security" (or you've been reading this eBook), you probably have the basics down: don't use WEP, use WPA or WPA2; disable SSID broadcasting; change default settings. If you're looking for more advanced security tips for your WLAN, consider the following five tips for bringing enterprise-level protection to even the smallest of networks.
Using the Enterprise mode of WPA or WPA2, where each user signs on with individual credentials instead of a shared passphrase, is especially useful when employees leave the company or a laptop is stolen: you revoke one account. If you're using the Personal mode, you'd have to manually change the encryption keys on all the computers and access points (APs). The special ingredient of the Enterprise mode is a RADIUS/AAA server. This communicates with the APs on the network and consults the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or the Network Policy Server (NPS) of Windows Server 2008. If you want to go vendor-neutral, try the popular open source server FreeRADIUS. If you find that setting up an authentication server requires more money and/or expertise than you have, consider using an outsourced service.
You might consider mounting the APs out of sight and installing external antennas where you'll get the most signal. This lets you confine the AP even more while taking advantage of the increased range and performance of an aftermarket or higher-gain antenna. APs aren't the only piece of equipment to worry about; all networking components should be secured, and that includes the Ethernet cabling. Though it might seem a little far-fetched to some, a determined attacker could cut into an Ethernet cable to tap the line, and the cable that feeds an AP carries everything the AP has just decrypted. Along with mounting, keep track of the APs: create a spreadsheet logging the AP models in use along with their MAC and IP addresses, and note where each AP is located. That way you know exactly where the APs should be when performing inventory checks or tracking down a problem AP.
List of devices authorized to access the wireless network: It's best to deny all devices and explicitly allow each desired device by using MAC address filtering on the network router. Though MAC addresses can be spoofed, this provides reasonable control over which devices employees are using on the network. A hard copy of all approved devices and their details should be kept to compare against when monitoring the network and for input into intrusion detection systems.

List of personnel authorized for Wi-Fi access to the network: This can be enforced when using 802.1X authentication (WPA/WPA2-Enterprise) by only creating accounts in the RADIUS server for those who need Wi-Fi access. If 802.1X authentication is also used on the wired side, you should be able to specify whether users receive wired and/or wireless access by modifying Active Directory or by using authorization policies on the RADIUS server itself.

Rules on setting up wireless routers or APs: For example, that only the IT department can set up additional APs, so employees don't just plug in an AP from home to extend the signal. An internal rule for the IT department might define acceptable equipment models and configuration.

Rules on using Wi-Fi hotspots or connecting to home networks with company devices: Since the data on a laptop or device can be compromised and its Internet activity monitored on unsecured wireless networks, you may want to limit Wi-Fi connections to the company network only. On Windows this can be enforced with wireless network filters set through the Network Shell (netsh) utility. Alternatively, you could require a VPN connection back to the company network to at least protect the Internet activity and to remotely access files.
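As an added example (not the article's own code), here is a Python script that performs the inventory comparison the AP-tracking paragraph and the device allow-list item above describe: an AP register in the suggested spreadsheet columns (model, MAC/BSSID, IP, location, plus channel) is checked against what a site survey or wireless sniffer actually saw on the air. All rows are constructed; the column names, the SSID "CorpNet" and the MAC addresses are assumptions. The same deny-all/allow-list comparison applies unchanged to client MACs against the approved-device list.

```python
import csv
import io

# Constructed AP inventory in the spreadsheet columns the text suggests.
INVENTORY_CSV = """\
model,bssid,ip,location,channel
WAP-200,00:11:22:33:44:01,10.0.0.11,Floor 1 east,1
WAP-200,00:11:22:33:44:02,10.0.0.12,Floor 1 west,6
WAP-200,00:11:22:33:44:03,10.0.0.13,Floor 2,11
"""

# Constructed site-survey result: one row per BSSID heard by a sniffer.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpNet", "channel": 1},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpNet", "channel": 6},
    {"bssid": "00:11:22:33:44:03", "ssid": "CorpNet", "channel": 1},    # wrong channel
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CorpNet", "channel": 6},    # not on the books, our SSID
    {"bssid": "de:ad:be:ef:00:01", "ssid": "linksys", "channel": 11},   # neighbour, not ours
]


def load_inventory(csv_text):
    """Index the register by BSSID (lower-cased so 'AA:BB' and 'aa:bb' match)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["bssid"].lower(): r for r in rows}


def audit(inventory, survey, our_ssid):
    """Compare what was seen on the air with what is on the books.
    Returns (kind, bssid, detail) tuples: ROGUE, NEIGHBOUR, MISCONFIG, MISSING."""
    findings = []
    seen = set()
    for ap in survey:
        bssid = ap["bssid"].lower()
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:
            if ap["ssid"] == our_ssid:
                # An unlisted AP advertising our network: employee-installed AP or evil twin.
                findings.append(("ROGUE", bssid, "unknown AP advertising our SSID"))
            else:
                findings.append(("NEIGHBOUR", bssid, f"foreign SSID {ap['ssid']!r}"))
        elif int(known["channel"]) != int(ap["channel"]):
            # A listed BSSID where we do not expect it: misconfiguration, or a clone of our MAC.
            findings.append(("MISCONFIG", bssid,
                             f"{known['location']} on channel {ap['channel']}, expected {known['channel']}"))
    for bssid, row in inventory.items():
        if bssid not in seen:
            findings.append(("MISSING", bssid, f"{row['location']} not seen on the air"))
    return findings


if __name__ == "__main__":
    for kind, bssid, detail in audit(load_inventory(INVENTORY_CSV), SURVEY, "CorpNet"):
        print(f"{kind:9} {bssid}  {detail}")
```

Because a MAC can be cloned, a rogue that copies a listed BSSID passes the allow-list check; the only thing that exposes it is the discrepancy in channel or location, which is why the text calls MAC control "reasonable" rather than proof, and why the register needs the location and channel columns rather than addresses alone.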