Ask The Experts Series – Workstation Malware

This time around we had a question from a reader (thanks for the question!):

“My organization is very concerned about malware on desktop machines. We run anti-virus on all user systems but have difficulty keeping them clean and are still having outbreaks. What else can we do to keep infected machines from hurting us? –LW”

Phil Grimes (@grap3_ap3) responds:

In this day and age, preventing infection on desktop workstations is a losing battle. While Anti-virus and other measures can help protect the machine to some extent, the user is still the single greatest point of entry an attacker can leverage. Sadly, traditional means for prevention don’t apply to this attack vector, as tricking a user into clicking on the “dancing gnome” often launches attacks at levels our prevention solutions just can’t touch.

Realizing this is the first, and biggest step to success here.

Once we’ve embraced the fact that we need better detection and response mechanisms, we start to see how honeypots can help us but also how creating better awareness within our users can be the greatest investment an organization might make in detection. Teach your people what “normal” looks like. Get them in the habit of looking for things that go against that norm. Then, get them to want to tell someone when they see these anomalies! A well trained user base is more efficient, effective, and reliable detection mechanism an organization can have. After that, learn how to respond when something goes wrong.

John Davis added: 

Some of the best things you can do to combat this problem is to implement good, restrictive egress filtering and ensure that users have only those local administration rights to their workstations that they absolutely need.

There are different ways to implement egress filtering, but a big part of the most secure implementation is whitelisting. Whitelisting means that you start by a default deny of all outbound connections from your network, then only allow those things outbound that are specifically needed for business purposes. One of the ways that malware can infect user systems is by Internet surfing. By strictly limiting the sites that users can visit, you can come close to eliminating this infection vector (although you are liable to get plenty of blowback from users – especially if you cut visiting social networking sites).

Another malware infection vector is from users downloading infected software applications to their machines on disks or plugging in infected portable devices such as USB keys and smart phones to their work stations. This can be entirely accidental on the part of the user, or may be done intentionally by hostile insiders like employees or third party service providers with access to facilities. So by physically or logically disabling users local administration rights to their machines, you can cut this infection vector to almost nil.

You still have to worry about email, though. Everybody needs to use email and antivirus software can’t stop some malware such as zero day exploits. So, for this vector (and for those users who still need Internet access and local admin rights to do their jobs), specific security training and incentive programs for good security practices can go a long way. After all, a motivated human is twice as likely to notice a security issue than any automated security solution.

Adam Hostetler also commented:

Ensure a policy for incident response exists, and that it meets NIST guidelines for handling malware infections. Take the stand that once hosts are infected they are to rebuilt and not “cleaned”. This will help prevent reinfection from hidden/uncleaned malware. Finally, work towards implementing full egress controls. This will help prevent malware from establishing command and control channels as well as combat data leakage.

Got a question for the experts? If so, leave us a comment or drop us a line on Twitter (@microsolved). Until next time, stay safe out there! 

Ask the Security Experts: Facebook Security For Teenagers

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

 

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

What should I tell my teenage children about privacy and security on Facebook?

Adam Hostetler:

Teach them how to use Facebook privacy settings. Go into the settings
and explain how it works, and that they should only post updates and
photos to their friends and not in public. Also, how to set their
account so they can only be found by friends of friends. As for apps, be
very careful about what Facebook apps they use, and pay attention to the
permissions they request. For their account, always use a strong
password. Do not give out account information to anyone (except
parents). Lastly, they should always log out of the account when they
are done. Never close the browser with the account still logged in.

Phil Grimes:

I fight this battle daily. I constantly remind my kids that what goes online now stays online forever. I have discussed privacy settings with them and give them little reminders that help them think about security and privacy online — at least in terms of posting info and pictures. It never hurts to remind them who I am and what I do for a living, they tend to always think twice before posting.

As for the games, however, this is something that is almost impossible to combat in my house. I think I am the only person who does NOT play Facebook games. The keys here are simple. Accept the machines that play these games as lost assets. I image the disks so I can restore them quickly and easily, then cordon them off on their own network segment so WHEN they get popped, I can “turn and burn” to get them back online. This really works well for me, but another important factor is to NOT do anything sensitive from these machines. Luckily, my kids don’t do any online banking or anything like that. I have my wife conduct sensitive tasks through another machine.

John Davis:

I would say to watch the scams and traps that are strewn like land mines throughout the site. Watch the free give-aways, be wary of clicking on pictures and videos and look carefully at any messages that contain links or suggest web sites to visit. Also, be VERY careful about ‘friends’ of friends and other strangers that want to friend you or communicate with you. You very well may not be communicating with who you think you are. Finally, if you’re on Facebook frequently and have not been wary, chances are you have malware on your computer that hides itself and runs in the background where you are not aware of it. So be careful when using the site and scan your system frequently.

Ask The Information Security Experts: Management and Rational Decisions About Security

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

 

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

How can organizations (whose management may be concerned about hyped-up zero day exploits) make rational decisions about what and how to protect their assets? 

John Davis:

I think you should start to bring management perspective by reiterating to them that there is no such thing as 100% security. You cannot be entirely sure of your network or information protection mechanisms. Tell them yes, zero day exploits are probably going to get past traditional AV, IDS and IPS. But emphasize that there are security measures that are effective in zero day situations. These include such controls as anomaly based detection mechanisms, system user security training, and incident response programs. If you can detect these attacks early and respond to them quickly and correctly, you can effectively limit the damage from zero day attacks.

Phil Grimes:

Read the available data in the 2012 Verizon Data Breach Investigations Report. This will help to show that zero day fears are mostly unwarranted. While the threat exists, statistics show that most events occur because of “low hanging fruit”, or issues attackers leverage that don’t need super elite skills and can often be mitigated easily on the victim’s side. The best things to do in this regard are to focus on being fundamentally secure (do the basics), and realize that detection and response are going to be the best tools to help recover from a zero day attack scenario. 

Adam Hostetler:

With the data we have (Verizon report, etc), it shows that zero day threats are not as dangerous as one might think. Explain to them that the threat exists, but is somewhat exaggerated due to some high profile cases. And if they have controls that could help combat any zero day threats, it would likely ease management’s fears.

“Ask the Information Security Experts” Series

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

 

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst

Our question:

There’s been a lot of attention lately about the leaking of passwords from sites like LinkedIn, Yahoo, Match.com, last.fm and others. What is the ONE THING that users of a site should do when these kinds of leaks happen? Each of you has such a wide variety of skills and focus, so what would you tell your Mom to do if she asked about this?

Adam: 
Figure out which sites you are using the same password on. Go to these sites and change them, use a unique password for each site. Keep these passwords in a password vault, such as KeePass or LastPass, with a strong master password.

Phil: 
Well, since NONE of our users should be reusing passwords, they should use their password vault tool to generate a new, strong password for the site(s) in question, change the password in their password manager, then change the password in the site itself. Also, take advantage of the password aging features of the password vault to remind you to change passwords on a regular basis. But changing the password of the affected site is the most critical thing, closely followed by NOT reusing passwords on multiple sites. 

There you have it! The bad guys will always try to find ways to cause trouble. Don’t make it easy for them. Use the tools mentioned and keep your data safe!