
Network segments

An administrator tasked with creating a mobile platform that is not only reasonably secure, but also keeps internal resources safe from it, might be scratching his head. Smaller organizations also have restricted budgets that prevent them from purchasing high-end security solutions to handle this. Larger organizations often turn to solutions like Microsoft NAP to ensure the integrity of clients entering the network, but in my opinion that kind of solution is fundamentally flawed.

NAP (as an example) just verifies that a client fulfills certain requirements, such as an up-to-date antivirus signature, a full set of patches and other (known) criteria.

So what? What does that mean for the integrity of a machine? If a machine is infected or compromised in any way, it is because the existing protection measures obviously did not work. The network is still at risk because of that client, and that is not going to change just because the machine is compliant with a policy based on verifying known factors.

Keep in mind that the amount of malware now hitting virus labs all over the world is approaching 35 million samples per year, and keeping signatures and heuristic measures fit to tackle that problem is a hard job. Some would even argue that it is impossible (although I would not; we are getting closer). Security simply cannot be measured in patches and signature file dates anymore.

So what can you do to handle the threat of mobile workstations, USB-sticks, PDAs, phones and other mobile devices?

I’ve thought about this for a while and came to a pretty simple conclusion:

Just assume they’re all compromised, and design your service and security architecture based on that assumption.

Internal networks are often considered secure, or at least semi-secure, environments in which people are authorized to use certain applications and access certain data in a way that assumes that the clients are not compromised.

In this kind of environment a worm outbreak often has a severe impact as it can spread quickly throughout the network. Attacks often become more serious than they need to be because restrictions, if any, are very loose and often modified to suit “ease of use” instead of security.

And why shouldn’t they be loose, the clients are secure, right?

The idea I’m trying to fit some practical tools into is to consider all network segments compromised, except the one(s) actually holding the data that you need to keep secure.

In this model you could, for practical reasons, keep the perimeter around the internal network and other segments. One might even do some, or even extensive, content filtering of network traffic at that point. From a data security perspective, this net should still be considered compromised though, as there is no real way to ensure its integrity.

The only part of the network to focus your security measures on would be the “Data storage and application serving” part. How you do this is a practical matter, but you should avoid removing any data from that environment. The practical handling could of course vary, but one could serve data to users in the local network by utilizing terminal services and/or more secure solutions such as Appgate SS. Using web-based (internal) versions of CRMs and other applications might be an option as well.

You should still do encryption, antivirus, firewalling and possibly DLP on the clients. But that is secondary as long as your application and data access structure is constructed in a secure fashion. VPN connections from the outside world (Internet etc.) would of course terminate in the local network and be subject to the same filtering as other devices in it. Maybe the application availability of remote clients should also be subject to further restrictions.
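As an added example (not part of the original post, and not any vendor’s configuration), here is an nftables ruleset for the firewall that sits between the client and VPN segments and the “Data storage and application serving” segment in this model. The addresses, the two published hosts, and the choice of RDP (terminal services) and HTTPS (internal web applications) as the only services exposed to the compromised segments are assumptions.

```nft
# Added example: segment firewall for the "assume all clients are compromised" model.
# All addresses below are assumed values, not from the original post.
define CLIENT_NET = 10.10.0.0/16     # internal client segment, treated as compromised
define VPN_NET    = 10.20.0.0/24     # remote clients terminate here, same trust as CLIENT_NET
define DATA_NET   = 10.100.0.0/24    # the only segment whose integrity we try to protect
define TS_HOST    = 10.100.0.10      # terminal server rendering applications for users
define WEB_HOST   = 10.100.0.20      # internal web front end (CRM etc.)

table inet segment_policy {
    chain forward {
        # Default deny: nothing crosses between segments unless explicitly listed.
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the data segment already accepted; nothing else flows back.
        ct state established,related accept
        ct state invalid drop

        # Local and VPN clients are treated identically: both may only reach the
        # published application front ends, never file shares or databases directly.
        ip saddr { $CLIENT_NET, $VPN_NET } ip daddr $TS_HOST  tcp dport 3389 ct state new accept
        ip saddr { $CLIENT_NET, $VPN_NET } ip daddr $WEB_HOST tcp dport 443  ct state new accept

        # The data segment never initiates connections toward the compromised segments,
        # so data cannot be pushed out to clients; any attempt is logged for review.
        ip saddr $DATA_NET ip daddr { $CLIENT_NET, $VPN_NET } ct state new log prefix "data-seg-egress " drop

        # Everything else aimed at the data segment is logged and dropped.
        ip daddr $DATA_NET log prefix "data-seg-denied " drop
    }
}
```

Load it with `nft -f` on the segment firewall; the two log prefixes are what you would alert on, since in this model any unlisted traffic toward or out of the data segment is by definition unexpected.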

I’m not exactly clear on the details but I’m getting there. An increasingly mobile world needs security measures that are adapted to this situation, not ones that are stuck in the old world of stationary devices locked in a specific part of the network(s).

Many organizations do things like this, but often in a limited manner and not with the same philosophy in mind. For example, shielding servers in one network from the clients and allowing a subset of them access to certain places. Those with access are considered trusted, and the data is still spread between servers and clients.

What I’m getting at is that people should try to make their own application and data servicing work like online, “cloud based”, services such as Google Docs, SalesForce etc. instead of using applications and handling data locally. Sure, they could use those actual products, but then they lack control over their data, and for some that is just as bad.

Client machines are not to be trusted, and that is important to remember.

I’ll post some more on this, and try to give some practical suggestions, when I’ve wrapped my head around this a bit more…


is without doubt the hands-on management aspects of the whole suites.

Every month I read news, blogs and press releases from both vendors and independents on detection effectiveness. Sometimes the news is about the accuracy of the vendors’ signatures, sometimes about the files the signatures missed, sometimes it is about the vendors’ brand new and shining behavioural analysis engines. But it is almost never about the technical management features of the products. What eventually makes the news in this respect is either the new administration consoles that pop up every two to three years, or something failing in a spectacular fashion.

That kind of information is not really as newsworthy as a remedy to the latest threat, but one thing is for sure: it does not matter how good the detection ratios are if the client protections remain unmanaged, defunct or unlicensed.

Most of the time this is not a problem in larger networks where the appropriate funds and technical resources have been allocated, but if you review smaller companies or organizations (<500, sometimes larger) without dedicated security management, you will often find problems.

The problems range from client communication malfunctions to management servers dropping dead for no particular reason. Often these issues require human interaction to resolve, and this in turn increases the IT services overhead. Sometimes this happens with our (Panda Security’s) solutions and sometimes with other vendors’ (I consult for another company in the PCM Group and meet a lot of different environments).

I’m not saying this is the AV vendors’ fault, as it often turns out to be erroneous customer configurations and/or secondary system malfunctions (thank you Microsoft for your most excellent AD/DHCP/DNS solutions, thank you).

My point is that these problems, from a software point of view, should be a calculable risk.

People will make mistakes. People will be incompetent. People will be lazy. People will “install and forget”. People will be People. And we should be better at understanding and counteracting these factors.

The latest versions of Panda AdminSecure have some of this in functions that repair failing client protections automatically, but it surely is not enough. People should not be able to set permissions or deactivate policies that might endanger the functioning of the protection without some serious alarm bells going off. People should not be able to set up firewall policies that cripple the required communication, and thereby degrade the level of protection, without the central management consoles showing large red flashing screens. If a Microsoft patch does something that might disrupt, or does disrupt, the correct functioning of any server component, the management tools should be able to tell the administrators this in a reliable fashion.

Surely there are those who think this is complete bullshit and have the “if they’re morons and fail, plz let them burn” attitude. These people are ignorant of the overall picture and do not understand the underlying problem.

If there were no unprotected (not installed or malfunctioning protection) clients, there would be a much smaller market for “corporate” malware creation. One effect of this is less money for the bad guys. Less money for the bad guys means they have less money to spend on maintaining and developing new malware.

And of course, less malware development => good for all.

In conclusion,

Security systems are all about reliability. How come AVs are lagging on this particular point?

Users and less experienced technicians are unpredictable, but how hard can it be? We have built engines that can detect hostile code based on behavior, why not do the same to the admins ;)


Last week I held an on-demand seminar out at a company in Stockholm, Sweden.

This is my retelling of that seminar. I wrote this down mostly for my own sake, to learn and to see the areas in which I had to improve in order to be clearer to the non-technical people on the receiving end of my message.

The CTO of the company had asked us to help him educate his users on their responsibilities when it comes to keeping a network secure, and what potential harm they could cause themselves and the company if not doing so.

This is the never-ending problem. Educating users. So how did I go about re-inventing the wheel?
I started out by presenting six simple questions and statements:

  • Do you think that the information in your home computer is valuable?
  • Do you think that your home computer is adequately protected from viruses and other kinds of malware?
  • Do you think that the information in your work computer is valuable?
  • Do you think that your work computer is adequately protected from viruses and other kinds of malware?
  • Is the statement “There is less malware today than two years ago” true or false?
  • Is the statement “There is less risk for getting infected now than two years ago” true or false?

I asked the participants to consider the questions and statements and keep their answers in their head. Of course, they might have understood that a person from an anti-malware vendor might have a hidden agenda in these questions ;)

After this I presented some of the results from an internal study which concludes that most users of our anti-malware solutions think that the last two statements are true. That is, they think that there is less malware in the world and that there is less risk of getting infected now than two years ago.

I then continued on to talk about how this is fundamentally wrong and backed that up with the statistics from PandaLabs and the recent “InfectedOrNot” survey of home users’ computers. I did not mention the corporate study, but if you are interested you can find both of these at Panda Security’s Research blog.

This study (of home users) is based on 1.5 million PCs that were scanned with the online service www.infectedornot.com between May and July 2007. Among other things it concludes that of all scanned computers with a running and up-to-date antivirus, almost 23% have active malware on their system. That is almost 1 in 4.

Why is this? Well, one thing that is largely responsible for this situation is the change of objective and goal of the malware of today. Just a couple of years ago there were no banking or credit card logging trojans, no spam-enabling botnets etc. Back then it was all about fame for the author, and that made it very easy for us antivirus guys. Today we are seeing a lot of new malware pop up, and a large amount of it is created with only one goal in mind: financial gain for the creators. And as we all know, where there is money coming in there is money spent, and what we are seeing today are professional malware writers making a business out of it. They have business plans and whole development cycles, and they spend a lot of resources on pumping out variations of their goods to avoid the anti-malware radar. The “Storm worm” is a good and quite obvious example of this.

Of course this flood of variations of the same malware creates a lot of strain on our (Panda Security’s) and other vendors’ virus labs and forces us either to become selective or to have a huge backlog of malware. Up until recently this was the situation for us.

We have had to adapt to this situation more and more during the last couple of years, and we are finally catching up thanks to a number of things. First, we have increased the amount of automated processes and minimized the human factor in malware analysis, and second, we have created and implemented new technology that helps us proactively detect and report potential threats (TruPrevent). Other new technology such as our “Collective Intelligence” also helps in detecting new malware families at an early stage.

Anyway, the end result of this massive onslaught of new modifications is that we (all security vendors) are bound to miss at least one, which in many cases leads to a user being compromised in one way or another.

Now I turned the focus to where the real impact is: who is the target and who is the victim?

As the motivation behind the malware has changed, it is more than ever the actual user behind the keyboard that is the target. It is her information, her payment cards, her banking info and it is her computer that the malware authors want to use in DDoS attacks and other criminal activities.

This is very important for the average user to understand, because if they do not, they will not think before they act and will fall prey to the criminal gangs of the digital world (OMG, that sounded like a SecurityFocus line ;) hehe).

OK, so what can the user do to secure his computer against these different kinds of threats? Well, as a start you (the user) should make sure that the following four bases are covered:

  • Check that your computer is up to date
  • Check that you have an anti-malware solution installed
    • And turn on all protection modules, they are there for a reason
  • Check that your anti-malware solution is up to date
    • If it’s not, it is almost useless
  • Check that you have a firewall installed
    • If not included in your anti-malware, use XP/Vista’s builtin firewall

However, as I mentioned at the start of this article, there will be things that slip through. So what do we do next? How do we protect ourselves from threats that even the largest companies offering protection cannot touch? Many times this is just a matter of:

Sound reason & Knowledge

I then continued on to illustrate what sound reason is when you browse the internet, use your e-mail and use communities or instant messaging. In this section I talked about issues such as attached files or file transfers from unknown users or senders, and why you should not just click Yes/I Accept/Next without reading and seriously considering why you are being asked. I also discussed the social issues and identity security issues posed by sites like MySpace and in particular Facebook. You know, the real essentials of this whole seminar: what you really, really should not do when being asked to do something, and to use your sound reason.

And then we have the “Knowledge” part. How do you teach a user to behave in a secure way and recognise indicators of foul play in 10-15 minutes? Quite hard, wouldn’t you say? ;) I reasoned like this: knowledge is part experience and part theory. If you have seen someone get their machine infected in some way or another, then it is highly unlikely that you will repeat the same mistake (or… hopefully it’s “highly unlikely”). So I decided that the best way to teach users what to avoid was to actually show them some of the warnings they should pay special attention to, and also to demonstrate some social engineering tricks used by malware today.

One of the examples that worked best was a login page for a large Swedish bank which I had modified to “ring alarm bells” by faking an invalid SSL certificate. I then named that slide “The internet banking service – Find the error”.

No one was able to spot the error.

And I was even using Vista, which showed the whole address bar in red with a big “Certificate Error” shield at the end. Anyhow, I went on to tell them why this was a bad thing, and from now on they are probably going to pay more attention to these kinds of errors.

Another example that seemed to make some people move around a bit in their chairs was the Storm worm’s Halloween spreading mechanism with the dancing skeleton. Especially after I explained what Storm was designed to be used for (credit card gathering, spam, DDoS, well… everything). As I saw their reaction I even threw out an old classic a colleague of mine told me to say: “They can even turn on your webcam and see what you do in the room”. Heh.. yeah.. I know, a bit evil, but it fit perfectly into my talk and they seemed to get the point now.

Now there was not very much time left for me, so I finished off with a recap of the questions from the beginning and also a short slide on the corporate aspects. If they as private persons could suffer such financial loss and make it easier for others to conduct criminal activities, what could happen if their work computers, or the computers they connected to their workplace with, got compromised? I asked them to consider the following possible implications of this kind of intrusion:

  • Money. Large amounts of money. Either through direct loss or industrial espionage.
  • Money. In the form of work-hours needed to clean up a widescale infection (including specialist help)
  • Brand and Reputation. The damage caused by their network spreading malicious software or distributing confidential client information.
  • Their personal freedom, as in the restrictions put on their browsing, messaging and other aspects. Probably there are some checks on this today, but how will that change after an intrusion? Upper management will want to restrict as much as possible to prevent this from happening again.

Yes, I know the last one is kind of a moot point (as everything should already be locked down), but I needed to give them a personal connection to the trouble that could be caused, and -oh my god- if they cannot access their Hotmail one day ;)

And then I finished off with the “The End – Questions?” slide and took some of them. What was interesting about the questions was that a lot of them were regarding the codec fakes that I had discussed in my “Sound Reason” section. I did not expect this to be as prominent, as most of the infections we receive through the support line have entered through the web browser with the help of security vulnerabilities or other means; we almost never hear anything about the fake codec angle (good thing?/bad thing? :) ). But I guess that Sunbelt Software is really doing a good thing drumming on about the sites that are advertising those.

Ok, that was it. I would really like any comments that you might have, so please drop me a line at: daniel(dot)nystrom ( a ) icmpecho(dot)com!
