Wilders Security Forums  

  #26  
Old February 1st, 2012, 11:35 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Is my System Secure From Hackers

noone_particular is correct. You're never 100% secure. Most security mitigation is about slowing the hacker down and making the hack too expensive. If a hacker wants to get past Chrome/IE9 (example) they have to exploit Flash or Chrome or IE9 and then they need a second vulnerability to get past the sandbox. Or if there are no scripts on the malicious webpage they need to come up with scriptless exploits etc. Every time you do these things you aren't 100% secure, you're just forcing the attacker to play by your rules and eventually it's just too much to bother with.

As users we rarely have to deal with direct attacks. Breaking automated attacks is easy, if any single assumption made is wrong the attack will typically fail. Malware rarely has a backup plan - we only see that on the really advanced stuff like ZeroAccess and that wasn't even so complicated.
__________________
  #27  
Old February 1st, 2012, 12:22 PM
noone_particular noone_particular is offline
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,877
Default Re: Is my System Secure From Hackers

Quote:
They hacked HBGary. What chance have the avg home user got? None
HBGary was a targeted attack. The attack singled out individual users and used very specific information to deceive them. For all purposes, it was the people there that were hacked.
Example:
It would be like you receiving an e-mail from a family member that had a form attached that needed to be filled out for some legal problem. The family member is real, as is the situation that requires the form. The addresses are spoofed and the form is really malware.

There's no comparison between automated malware and a targeted attack of this type. That said, a properly implemented default-deny policy would have stopped the attack.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #28  
Old February 1st, 2012, 12:27 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by noone_particular
HBGary was a targeted attack. The attack singled out individual users and used very specific information to deceive them. For all purposes, it was the people there that were hacked.

Thank you, I wanted to go into that kind of detail though didn't want to sound like I was on a soap box. Yes noone is 100% correct, while exploits did occur at the technical level to some small degree, the devastating attacks were permitted through social engineering. Which ties into my point on their lack of established policies and procedures for IT nicely.
  #29  
Old February 1st, 2012, 12:40 PM
badkins79 badkins79 is offline
Regular Poster
 
Join Date: Dec 2011
Location: Maryland
Posts: 54
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by EncryptedBytes
Which ties into my point on their lack of established policies and procedures for IT nicely.

Remember, just because you have established policies and procedures doesn't mean they will be followed.
  #30  
Old February 1st, 2012, 12:54 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by badkins79
Remember, just because you have established policies and procedures doesn't mean they will be followed.

No they do not, but policies and procedures don’t just tie into the end user/employee, they also encompass how different processes/areas within the organization operate, what types of controls are implemented, recovery, etc. If they are not followed it is up to senior management to make sure there is enough incentive to comply (termination, legal action) and that employees are complying (auditing, monthly reminders). If they don't (which is what happened with HBGary) you have a nice paper stack to heat your office during those cold winter months.

I realize every organization is different, big and small. That being said if you advertise yourself as a technology security company I hold you to a higher common sense standard. Especially the senior management who claim to be professionals in this field.
  #31  
Old February 1st, 2012, 01:06 PM
badkins79 badkins79 is offline
Regular Poster
 
Join Date: Dec 2011
Location: Maryland
Posts: 54
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by EncryptedBytes
No they do not, but policies and procedures don’t just tie into the end user/employee, they also encompass how different processes/areas within the organization operate, what types of controls are implemented, recovery, etc. If they are not followed it is up to senior management to make sure there is enough incentive to comply (termination, legal action) and that employees are complying (auditing, monthly reminders). If they don't (which is what happened with HBGary) you have a nice paper stack to heat your office during those cold winter months.

I realize every organization is different, big and small. That being said if you advertise yourself as a technology security company I hold you to a higher common sense standard. Especially the senior management who claim to be professionals in this field.

I agree with all of this. But sadly it is human nature for the employees to not care as much as the management. I have worked in areas which should have the highest security (top secret govt facilities) and I know that eventually people take all the shortcuts they can find.
  #32  
Old February 1st, 2012, 01:24 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by badkins79
I agree with all of this. But sadly it is human nature for the employees to not care as much as the management.

good ol' OSI layer 8
  #33  
Old February 2nd, 2012, 03:46 PM
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,833
Default Re: Is my System Secure From Hackers

In most cases, it is too troublesome for all but the most determined hackers. Don't forget backup (particularly disk imaging) and keeping system up-to-date (SUMo Lite/Secunia).
__________________
  #34  
Old February 5th, 2012, 04:57 PM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by noone_particular
HBGary was a targeted attack. The attack singled out individual users and used very specific information to deceive them. For all purposes, it was the people there that were hacked.
Example:
It would be like you receiving an e-mail from a family member that had a form attached that needed to be filled out for some legal problem. The family member is real, as is the situation that requires the form. The addresses are spoofed and the form is really malware.

There's no comparison between automated malware and a targeted attack of this type. That said, a properly implemented default-deny policy would have stopped the attack.

So true. My organization employs default-deny. But it needs to go even further to be totally secure. For example we deny all executables from launching on our systems, prevent access to ANY IP address that is not in a white list, block all downloads besides needed ones (.docs mostly) and java/javascript/flash at the firewall, scan all incoming packets for malware, scan all computers for malware on the hour, reimage all computers every morning. Takes a while but is more than worth it.
__________________
E-Mail: og8oh@notsharingmy.info
  #35  
Old February 6th, 2012, 03:56 PM
noone_particular noone_particular is offline
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,877
Default Re: Is my System Secure From Hackers

So true. The time spent cleaning up one PC more than offsets any time savings from convenience and integration. Cleaning an entire network gets far too costly and time consuming, not to mention the value of what gets stolen, accessed, etc.

Too many places let their employees treat company PCs like their own personal playtoys. At a previous job, the quality department people spent a lot of their workday shopping online for clothes. I'll never understand why an employer allows that.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #36  
Old February 6th, 2012, 04:28 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by EncryptedBytes
good ol' OSI layer 8
I call it the same thing lol
__________________
  #37  
Old February 7th, 2012, 03:49 PM
LockBox LockBox is offline
Very Frequent Poster
 
Join Date: Nov 2004
Posts: 2,081
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by x942
So true. My organization employs default-deny. But it needs to go even further to be totally secure. For example we deny all executables from launching on our systems, prevent access to ANY IP address that is not in a white list, block all downloads besides needed ones (.docs mostly) and java/javascript/flash at the firewall, scan all incoming packets for malware, scan all computers for malware on the hour, reimage all computers every morning. Takes a while but is more than worth it.

How does your company do this? Do they subscribe to a list and then add specific relevant URLs? Do you use Deep Freeze or something similar for your once-a-day "back to baseline?"

In my opinion, your company's protocol is certainly strict - but necessary.
  #38  
Old February 7th, 2012, 06:29 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Is my System Secure From Hackers

A security researcher friend of mine always likes to say "Your attacker will always know your system better than you." And that goes double for Windows.
__________________
  #39  
Old February 26th, 2012, 12:10 PM
BlownPC BlownPC is offline
Infrequent Poster
 
Join Date: Feb 2012
Location: Brazil
Posts: 3
Default Re: Is my System Secure From Hackers

I don't think we'll ever be 100% free from hackers.

In my opinion, it depends very much upon the user. Each one has to seek for information about how to stay safe on line. That's exactly what you guys do here.
__________________
Question: what is the best on line security defense?
Answer: the user himself / herself.
  #40  
Old March 13th, 2012, 01:06 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by LockBox
How does your company do this? Do they subscribe to a list and then add specific relevant URLs? Do you use Deep Freeze or something similar for your once-a-day "back to baseline?"

In my opinion, your company's protocol is certainly strict - but necessary.
Sorry for the bump/late response, I just found this when searching the forums.
We do this by using our firewall's iptables to block all connections to IP range * (ALL) and then use an exclude list that we allow browsing to. We only allow a total of 10 sites (all corporate sites, 8 of which are on our own subnet, the other 2 are other companies we work with that require web site access). E-mails are all digitally signed and encrypted (transparently to our staff, they just have to insert a smartcard and enter a PIN to authenticate with the mail server that signs/encrypts the e-mail). This step alone would have stopped the HBGary attacks as the attackers would have had to compromise the keys to read the e-mail to get the password AND to sign the e-mails to look like "Gary" in the first place.

We don't use Deep Freeze. We use a locked down version of RHEL preconfigured and imaged to an offline and encrypted HDD. Every morning we mount the HDD copy over the image files, drop it into a VM and update the system. After that we reimage every desktop (50 of them) and 10 laptops over the network using PXE and some scripts. It takes about an hour and a half from start to finish as they all install simultaneously.

For e-mails and potentially dangerous files (I.E. the occasional PDF) they are opened in VM's (again transparently to our staff thanks to XEN and shortcuts on the desktop).

All CD/DVD drives are disabled, Only the usb keyboard and mouse work (nothing else is recognized via USB), the towers are locked up in a metal cabinet to prevent tampering and we even have alarms on them to alert IT if they are forced open.

Paranoid? Yupp! But as a pentesting company I think we should be. We have never been breached either so I think this is good.
__________________
E-Mail: og8oh@notsharingmy.info
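
The "block everything, then allow a short exclude list" firewall described in post #40, sketched as an added example; it is not x942's or their company's configuration. The interface name, ports and addresses are assumptions (the addresses are constructed from documentation ranges), and DNS is assumed to be served from inside the LAN.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a gateway that forwards
# web traffic only to allowlisted destinations and drops everything else.
# Assumptions (not from the thread): interface name, ports, sample addresses.

LAN_IF=${LAN_IF:-eth1}    # hypothetical LAN-facing interface on the gateway

# Constructed sample allowlist (RFC 5737 documentation addresses).
ALLOWLIST='
# internal corporate sites
192.0.2.10
192.0.2.11/32
# partner company
198.51.100.0/28
'

# valid_ipv4_cidr ENTRY: succeed only for a dotted-quad IPv4 address with an
# optional /0-32 prefix, so nothing else can reach the generated rules.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into four octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ruleset: read an allowlist on stdin, print iptables-restore input.
# Fails closed: one malformed entry means no ruleset is printed at all.
build_ruleset() {
    rules=''
    while IFS= read -r line; do
        line=${line%%#*}                               # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')    # strip whitespace
        [ -n "$line" ] || continue
        if ! valid_ipv4_cidr "$line"; then
            echo "rejecting allowlist: bad entry '$line'" >&2
            return 1
        fi
        rules="${rules}-A FORWARD -i ${LAN_IF} -d ${line} -p tcp -m multiport --dports 80,443 -j ACCEPT
"
    done
    # The FORWARD policy is DROP: anything not matched below is denied.
    # Hardening the gateway's own INPUT/OUTPUT chains is out of scope here.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$rules"
    # Log (rate-limited) what the default policy is about to drop.
    printf '%s\n' '-A FORWARD -i '"$LAN_IF"' -m limit --limit 5/min -j LOG --log-prefix "egress-deny: "'
    printf '%s\n' 'COMMIT'
}

# Print the ruleset; pipe it to `iptables-restore --test` as root to check it.
printf '%s\n' "$ALLOWLIST" | build_ruleset
```

The logged drops are worth reviewing: a workstation repeatedly hitting the deny rule is either misconfigured or running something that should not be there.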
  #41  
Old March 13th, 2012, 08:33 AM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Great policies. What is your take on grey areas such as mobiles? Do you allow them to interact on the network or monitor other embedded devices? Personally if I was black boxing a pentest company I’d hit you guys through HR or employee mobiles after using OSINT via company job postings to see what generic software/OS to expect on your network. I am sure you see it too on more secure clients, the basics are covered, but the newer tech allowed to interact with the network is slightly ignored.

Or they didn’t realize the coffee pot, telephone, printer, and refrigerator they put in has internet access.

Personally I am waiting for the pwnplugs to catch steam
  #42  
Old March 13th, 2012, 09:08 AM
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Is my System Secure From Hackers

Mobile phones are running a custom version of Android. We baked (with some help) a custom ROM that doesn't allow any app installs, forces Full Disk Encryption (LUKS as this is before ICS right now), all networking goes through our VPN on 3G or WiFi, calls are encrypted through our PBX inside our LAN using ZRTP, texts are encrypted with TextSecure.

Now of course we can't always encrypt calls or texts as most people don't do this. So they are only encrypted between numbers known to support it (all of our work cells basically). All of the stuff we did to Android anyone could do (and it's been done too, look at WhisperCore, they did a better job at it). We also hope to use SEAndroid soon to make it even more secure.

Now almost everyone working for my company has a pentesting/security background and probably wouldn't fall victim to social engineering, but that's one attack that's hard to protect against. Education is the best method but as someone who works with it every day, there are some people who are just plain scary when it comes to this stuff. They can phish you for information just by having a normal conversation and reading your expressions, it's crazy!

Really I don't see us being a big enough target to warrant breaking into our offices and planting rogue devices, but we don't use WiFi at all and we do have WIDS (Wireless Intrusion Detection Systems) set up to alert us if new APs pop up too close for comfort.

I'm sure someone, given enough time and desire, could find a way in, but it would probably just be easier to kidnap me and beat me for the secrets lol. Good ol' rubber hose cryptography always prevails.
__________________
E-Mail: og8oh@notsharingmy.info
  #43  
Old March 13th, 2012, 10:08 AM
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Is my System Secure From Hackers

I just found a back door unlocked. Just kidding, looks pretty good.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.
  #44  
Old March 13th, 2012, 10:09 AM
noone_particular noone_particular is offline
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,877
Default Re: Is my System Secure From Hackers

That's definitely a very restrictive policy. If they ever implemented those internet restrictions at my last job, the whining would be louder than the shop machines. It's well beyond anything I need, but then I don't have a business to protect and no need for portable devices. You've got a few things implemented that I'll be looking into,
"For e-mails and potentially dangerous files (I.E. the occasional PDF) they are opened in VM's (again transparently to our staff thanks to XEN and shortcuts on the desktop)."

There are several similarities between that setup and mine. I also block all non-whitelisted executables. While I don't restrict where the browsers can connect, I have applied default-deny to the content, severe restrictions on javascript, flash and Java blocked by default, allowed by exception. System configuration interfaces (or the executables that run them) locked out. Other internet applications are restricted to only the IPs they need access to. Tor is an exception to this but the PC it runs on is on its own subnet. Communication between the different subnets is blocked. If someone does manage to pwn it, that's all they get access to.

Quote:
Or they didn’t realize the coffee pot, telephone, printer, and refrigerator they put in has internet access.
In some ways I can see where this can be useful. For the most part IMO, the risks outweigh the benefits. I'm not looking forward to the time when that's all that's available. Even then, they can't make me plug it into the net.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #45  
Old March 22nd, 2012, 08:53 AM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by Hungry Man
I suggest you use EMET.

And if you sandbox everything with Sandboxie and keep strong rules you're going to stop most everything from touching your system.

I had not heard of EMET. Is this what you are referring to?

http://support.microsoft.com/kb/2458544
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #46  
Old March 22nd, 2012, 08:59 AM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by DasFox
If you really need Windows for gaming, movies etc, then you install VirtualBox on Windows and run Windows inside VirtualBox for all your online activities, this way if Windows in VirtualBox gets messed up, you either replace the files, that is if you backed them up, or use the Snapshot feature which will put back Windows to an original state all cleaned, when you made a Snapshot of a clean system.

You mean you can do gaming and that kind of thing in Virtual Box? I thought VMs were really limited. Thanks for the tip. If I download something from Virtual Box, can I transfer it to an external HD?
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #47  
Old March 22nd, 2012, 09:41 AM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Hi caspian, VMs have come a long way for the everyday user. Though depending on the computer's processor, RAM and hard drive layout they can't be used by everyone without taking a performance hit. However if your computer can support them, they are no different than using your primary OS. Many people use them to test software/games and the OS itself in a virtual environment. It's as simple as clicking on an icon. They are very effective in the event something corrupts or becomes infected as you can simply wipe them and restart.

To answer your question, yes you can transfer data to an external drive or between Host OS and Guest OS.

* Note I have my VMs running off a second hard drive with an i7 processor, and 12 gb of RAM allowing my VMs to load up in 3-5 seconds. This may vary for other users and or may be too heavy an option.
  #48  
Old March 23rd, 2012, 01:53 AM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: Is my System Secure From Hackers

Okay. I am pretty excited about this now. I have 6G of RAM right now so I will see how much more I can add. This sounds truly amazing and fun! Thanks for the info.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #49  
Old March 23rd, 2012, 01:10 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Is my System Secure From Hackers

VMs aren't good for games, aren't they awful with GPU accelerated stuff?

That said, if you can allocate a large portion of RAM (4GB+) to the VM and have enough left over for your system and you get a second hard drive that holds the VM and you have a quad core so that you can allocate 4 threads to the VM with 4 to spare for your host you can actually get fair performance.
__________________
  #50  
Old March 23rd, 2012, 02:41 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Is my System Secure From Hackers

Quote:
Originally Posted by Hungry Man
VMs aren't good for games, aren't they awful with GPU accelerated stuff?


Let me correct myself, intensive 3D gaming is a mess in VMs so I wouldn’t recommend trying to install Oblivion skyrim in a VM any time soon. I know some devs with VMware noted they benchmarked several games and have done research with virtual GPU (page 5)

Quote:
In VMware’s hosted architecture, we have implemented front-end GPU virtualization using a virtual device model with a high level rendering protocol. We have shown it to run modern graphics-intensive games and applications at interactive frame rates while preserving virtual machine interposition.

There is much future work in developing reliable benchmarks which specifically stress the performance weaknesses of a virtualization layer. Our tests show API overheads of about 2 to 120 times that of a native GPU. As a result, the performance of a virtualized GPU can be highly dependent on subtle implementation details of the application under test.

Back-end virtualization holds much promise for performance, breadth of GPU feature support, and ease of execution time. In absolute terms, though, Max Payne has the highest frame rate of our applications.

Table 1 reports the actual frame rates exhibited with these applications under VMware Fusion. While our virtualized 3D acceleration still lags native performance, we make two observations: it still achieves interactive frame rates and it closes the lion’s share of the gulf between software rendering and native performance. For example, at 1600×1200, VMware Fusion renders Half-Life 2 at 22 frames per second, which is 23.35x faster than software rendering and only 2.4x slower than native.

Basically still being looked into to really run 3D, though I use VMs more for software testing than gaming needs. As at the end of the day, the VM is only as good as the hardware it uses.
 
