To what end do you desire security?

Discussion in 'other security issues & news' started by Sully, Jun 19, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In my 20+ years of computing, none of the many knowledgeable people I've known and whose opinions I've respected ever thought it mattered a hill of beans* which operating system one uses.

    In order to take over a system, malware needs Administrator/Root Privileges. It's as simple as that.

    I was taught to set up sound/secure user policies and procedures as the starting point for a security strategy. That protects me against tricks like this:

    DNS changer Trojan for Mac (!) in the wild
    Published: 2007-11-01
    http://isc.sans.org/diary.html?storyid=3595

    With sound policies and procedures in place, I chose the security products which best support my security strategy.

    It's as simple as that!


    ----
    rich

    * A "hill of beans" in colloquial American is a symbol for something of insignificant value,
    as in expressions like “it ain’t worth a hill of beans”.
     
  2. wat0114

    wat0114 Guest

    My security approach does not at all mean I seek a specific O/S to achieve it. It only means the security I employ is somewhat different for Linux (which I use maybe only 10-15% of the time) than it is for Windows. For Linux it is mainly the default setup whereas for Win it means a bit more involvement to get it set up. If Linux held a larger market share and therefore was a larger target for malware, I'd no doubt spend more time/effort on setting up its security, although even then it wouldn't be that much more because it's not my primary platform. At least for Win I've seen the light and settled on a simple approach, as my signature suggests. Trouble is my trolling efforts seem to be having little effect :D
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    So you would put Win95 up against OpenBSD, XTS-400, or Fedora (with SELinux)? Can you really say that using Win95 doesn't matter? The truth is, there is no way to "configure" Win95 to be anywhere near as secure as these other OS's. It simply is not capable of it.

    That's right. To take over a system malware needs root, but in order to get onto a system it doesn't (but that's a different issue). Besides, some OS's don't even have a notion of privilege separation (pre-NT Windows for instance), which goes back to my point that the OS *does* matter (though maybe not as much nowadays since Windows, with the NT kernel, has copied many of the Unix design principles).

    I agree that users on the system must be locked down/controlled. This is true for any system and any OS. If the user has the root password, he is God and can destroy the system (or fall for social engineering) accordingly. One of the big problems is most people don't have a competent system administrator living in their household. :'(
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I guess the "simple approach" means different things to different people. For me, the simple approach is specifying what is allowed. Depending on which OS I'm using, that could be from 30 to 100 processes and their parent-child permissions. IMO, that's much simpler than a security package that tries to identify hundreds of thousands of undesirables. In theory, I would use what's built in to Windows if it had the same abilities as 3rd party apps and if it also controlled system components, not just installed applications. If I had a lot more time, I'd explore Linux and BSD and try to be as familiar with them as I am with Windows. For me, free time is hard to find so I stay with the OS I know, even if I don't completely trust it or its vendor. If I had looked more closely at Linux and BSD years ago.....
     
  5. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    153
    I find the topic of security interesting but I don't want to make a career out of it. What I really want is a system that is secure and private and requires no maintenance (yes, ideal I know). I don't want to be called by a relative who wants to install something and doesn't remember how to login as an administrator, or who forgot the password, or doesn't know how to answer a firewall/HIPS/malware/AV prompt. I don't want to worry about privacy, and about websites collecting or tracking private information. I don't want to have to spend hours a week reading up on security techniques and products and sandboxing and virtualization and heuristics and behavior blocking. I don't want to spend hours setting up a new laptop for someone to protect it against the wild because who knows where they'll use it. I don't even want to spend a few hours a week "maintaining" clean systems by restoring images, cleaning up cookies, checking security updates. I had my fun with computers. Now I just want to use them.

    I use my computer for work -- I can't afford the downtime of having to clean off malware. Yes, I do use imaging software, but I still believe in AV and maybe AM -- even if they do half a job, that's half a job I don't have to clean up for someone. I still believe in software firewalls -- they've done their job for me in the past where the AV failed. I'm new to HIPS (sounds like it may have passed me by?), I still use XP (and w98 too) and I still use XP with Administrator rights. Guess I have a lot to learn.

    I think the "desire security" question has quite different answers for those "in the know with computers" and "those who just use computers". Then again, I guess the OP was asking "those in the know". I'm not quite there yet.

    Thanks for an interesting topic!
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Please remember that this thread is not about most people, or other people. Sully has used the pronoun, "you," meaning he wants us to speak to our own situation, not anyone else's!

    I said the OS doesn't matter, in my view. I kept an old laptop with Win95 until about a year ago. With a properly configured firewall, properly configured browser, and Default-Deny execution protection, nothing ever intruded onto the system, even when testing exploits in the wild.

    Actually, from my point of view, it's not a different issue at all. I've always run as Administrator, so there is nothing to separate, which is of no concern to me, since malware cannot get onto the system.

    Again, please remember that I am speaking only for myself, and in no way is this to suggest that it applies to anyone else!

    ----
    rich
     
  7. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Well, without wishing to veer off-topic I am primarily going to run Linux on my desktop computer because it doesn't have the RAM to run Windows 7. I have to get the WiFi sorted out first though.

    It has occurred to me that Ubuntu would simplify my approach to security in some ways though. Even if I went with Win 7 on a new machine I would use the same approach I use now however. I may go for a lighter AV but I think prevention at the browser end (WOT/NoScript etc) is probably the simplest solution.
     
  8. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Interesting thread..

    No, I do not "desire" security - following Rmus's analogy, I prefer myself to use my camera (rather than to look at new equipment) provided I am confident the shutter will release when I tell it to - although I am always interested in keeping up to date.

    For the many less knowledgeable of us who come here looking for insights and wisdom from the regulars amongst you, and from whatever start point, one can see various paths being taken, from those who come to firm conclusions as to direction and "stick" with it (ie get on with their art / craft so to speak), to others who "find" but nonetheless continue to search, or others who simply enjoy - or whose business is - experimenting, testing and more...

    My own route here, similar to a number of other responses, led me to understand that the whitelisting concept was the easy, simple and sure way to secure the box (and its contents), and around which everything else was shaped.

    Hence, LUA, SRP (Mechbgon), DEP, configured browser (ie default deny again) and firewall, Sandboxie (especially for any research browsing), etc, is a very lightweight, overlapping and simple and yet relatively bullet proof day to day concept / set-up for someone doing normal things "with" their computer.

    For me, this was about balance. As a day to day user (rather than a day to day admin), who wanted to ensure that a malware infection was extremely unlikely, a white list strategy means for example that I never need to be too interested in what it might mean to rely on % AV success rates or similar etc. My only real "increase in attention" comes when I occasionally install new programs.

    Re HIPS, I installed Outpost firewall a while back, over the Windows F/W (Vista), simply to gain a much better understanding and logging of my network traffic (and which is great for that purpose) and, by default, I left the Outpost HIPS facility (ie Host protection) switched on. I then realised that the HIPS elements, given my particular set up / risk profile - and despite the ease of relatively few pop ups, interruptions or conflicts - was really not adding anything meaningful given the restrictions I already had in place.

    For many non IT specialists, I think security is more crucially about need and understanding (and interest helps), rather than desire, and which may be different to the answer from some of the regulars amongst you for whom this may be career, a core hobby, or both and more...
     
  9. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    I want a "set it and forget it" security setup, something that may require an advanced user to set up, but requires no additional input from a casual user. Therefore anything that requires a user to allow new programs/actions, such as HIPS or FWs, is out.

    I also felt that using tons of security apps put me out of touch with casual users, and reduced my ability to give them meaningful advice.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is such a good point, one I have given a lot of credence to over the years. I have always tried different schemes, some obscure some not, but I try hard to use a setup that I can put in place on others machines that is easy to manage. I found out years ago that if you support people, it is in your best interest for both you and them to use the same products so that you can help them without having to fire it up yourself to see what they mean.

    I have tried HIPS in the past and usually it fails with them. They either call up constantly or answer prompts incorrectly and have no protection, or they get locked out of something. Same thing happened with firewalls for a long time too.

    So, do you have an approach that you use with these thoughts in mind? I tend to use LUA and Sandboxie a lot. For some who will not give up admin, I use SRP/DropMyRights or something of that nature. It all depends on their level of experience. As I noted in another thread though, the advent of UAC leaves many novice users with the impression that it alone is protection enough, and they don't desire to have anything else in place, although they don't have the knowledge to understand really what to elevate and not to elevate; they just click away. I thought SuRun was a better option for these people myself.

    Sul.
     
  11. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    I do the best I can with that goal in mind. We do use LUA, since Win7 made it a lot less painful to use. Windows updates are also set to automatic. This was actually my biggest challenge because I had to get rid of all of my wife's bootlegged software first.

    I use Sandboxie while my wife does not. She's willing, but our agreement is that I make one change to her system when it gets infected, and it hasn't gotten infected yet. I'd probably change her browser from Firefox to Chrome first though.

    We also use Avast for real-time protection and MBAM for a monthly scan. Neither of us notices a hit in performance from Avast, and I strongly prefer that any files my wife downloads are automatically scanned.

    Last we both sit behind a router with a firewall and WPA2 encryption.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Soujirou,

    What types of files are you referring to?

    thanks,

    rich
     
    Last edited: Jun 23, 2010
  13. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I want that too. I also don't want anyone known to me doing that, except with my permission. And obviously, at least for those familiar with my rantings, I also don't want anyone on the net to know my identity, except with my permission.
     
  14. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    Well, she downloads mp3s and torrents, but I guess I'm more concerned with all of the social media apps she downloads. I'm unfamiliar with how they work since I'm not into that. In general though, she doesn't keep track of everything she installs very well.
     
  15. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    You're careful, good for you....

    I'm proud of ya mate :)
     
  16. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I do not desire security, it is a lesser hobby of mine. I am something of a control freak and I do like to know to which extent I can control my virtual world, so I look at tools which will provide that control (which does not automatically mean that I will employ them). Hence the interest in classical HIPS and firewalls.
    I have no interest in anti-malware apps whatsoever. They bore me to death.
     
  17. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Never used a limited/standard user account before so set one up in an XP VM.

    Why do the rogues AV Security Suite, Virus Protector and Security Tool still take over that limited user account? Or at least they seem to?
     
  18. wat0114

    wat0114 Guest

    Aww come on Franklin, you're pulling our collective legs :D Seriously, can you pm me a link or two to these rogues? Heck, I'll test them on the real system, AppLocker enabled and disabled, and see what happens. My backup/restore image abilities are so good now it scares me :p
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Done, AppLocker in XP?

    Please report back. ;)
     
  20. wat0114

    wat0114 Guest

    Heh, no, Win7 x64. XP I'll have to try in the vm. I'll let you know how it goes, probably this weekend :) Oh yeah, thanks ;)
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Most likely because they were designed to do absolutely nothing that requires administrator privileges, if they detect they're running in a limited user account. In other words, they were designed to only infect user accounts, not an entire system. Nothing strange there - everything working as designed. Limited users can still run software - it's just that any software they run only gets limited user privileges instead of admin, and can only affect that user account instead of owning the entire system. Well, it's either that, or your filesystem is not NTFS or file permissions are otherwise messed up. Or the least likely option of there being some privilege escalation vulnerability that they're exploiting to get admin privs.

    In any case, for those folks who don't want limited user accounts running new software - such as Google Chrome or rogue AVs, for example - there are options like SRP/AppLocker.


    As for the actual subject of the thread, I simply need systems that are a) reasonably secure and b) fast and stable in terms of performance. I don't have any desire for "maximum" security and I don't value security for the sake of security itself, IOW, I don't try to create configurations as secure as possible just for the sake of security. I only value security as long as it helps me achieve my actual tasks, without slowing them down too much for my liking. Therefore it's natural for me to use the security features built into the OS, and my own head. It makes for very fast, very stable and "secure-enough" systems that let me do everything I need without security software slowing every single program execution or file read down.
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Been reading up on AppLocker and still got a few pages to go, but just a question after reading:
    Can rules be created to block Security Tool.pif?
     
  23. katio

    katio Guest

    I haven't tested it myself (don't have any malicious/PoC pif files) but I'm absolutely sure it does block them with the standard executable or script rules.

    The thing you posted from MS is misleading, AppLocker doesn't block based on extensions but on what the file is actually trying to do (=what system calls it uses).

    Also see this post
     
  24. PunchsucKr

    PunchsucKr Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    138
    I am glad to report that over the course of the past year or so I have slowly given up on these security apps. I used to use a HIPS + Firewall + AV; soon I got rid of the HIPS, then the firewall (only using the built-in FW now), and now I just use Sandboxie registered and that's about it... it's just been a breeze ever since!
     
  25. wat0114

    wat0114 Guest

    Hi Franklin,

    in the samples you provided for me they were all .exe, including the Security Tool malware. AppLocker of course blocked them all. If you have a .pif file for me I'll be happy to test it :)


    Windchild, you are absolutely right, at least with regards to a few samples I tested the past few days (thank you Franklin :) ). They infested only user-accessible directories: C:\users\John Doe\AppData... or Application Data... and also ProgramData (which, thanks to MrBrian for pointing out, limited users have special permissions to write files to). Removal was very easy only after booting to safe mode and using MBAM to find and delete the files. Nothing infected the registry, according to the scan results at least. The one rogue scanner did, however, remove my wallpaper, but it was easy enough to restore after the infection was removed. It is not the way I'd normally do things if I did manage to incur system infection. I would instead simply wipe the drive with Partition Wizard, for example, then restore a recent image.

    You got the right idea.
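    Windchild's point that a limited account confines a rogue to the user's own writable folders, and wat0114's finding that those folders were AppData and ProgramData, can be checked on your own machine. The script below is an added example, not something posted in this thread: run from the standard user account you want to check, it probes whether each folder is writable for that account and asks the effective AppLocker policy whether an .exe dropped there would be allowed to run. The folder list and the probe file name are assumptions; the AppLocker cmdlets need Windows 7 Enterprise/Ultimate or later.

```powershell
# Added example (not from the thread). Audits the user-writable folders the
# posts name and tests AppLocker coverage for an executable launched from each.
Import-Module AppLocker

# Folders a limited user can typically write to (assumed list, extend as needed).
$candidates = @(
    $env:LOCALAPPDATA,   # C:\Users\<name>\AppData\Local
    $env:APPDATA,        # C:\Users\<name>\AppData\Roaming
    $env:ProgramData,    # C:\ProgramData - limited users may create files here
    $env:TEMP
)

function Test-FolderForStandardUser {
    param([string]$Folder, [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]$Policy)

    # Probe file name is a placeholder; it is an empty file, never executed.
    $probe = Join-Path $Folder ("applocker_probe_" + [guid]::NewGuid().ToString() + ".exe")
    $writable = $false
    $decision = "n/a (not writable)"
    try {
        # Creating the file reflects the effective ACL for the running account.
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        $writable = $true
        # Test-AppLockerPolicy evaluates the rule set against the path without
        # running anything; -User Everyone models a standard user.
        $result = Test-AppLockerPolicy -PolicyObject $Policy -Path $probe -User Everyone
        $decision = $result.PolicyDecision.ToString()
    } catch {
        # Write failure means this account cannot drop files here.
    } finally {
        if (Test-Path $probe) { Remove-Item $probe -Force }
    }

    [pscustomobject]@{
        Folder        = $Folder
        UserWritable  = $writable
        ExeFromHere   = $decision   # Denied/DeniedByDefault is what a whitelist should show
    }
}

$policy = Get-AppLockerPolicy -Effective
$candidates | Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { Test-FolderForStandardUser -Folder $_ -Policy $policy } |
    Format-Table -AutoSize
```

A folder reported as writable with an Allowed decision is exactly the gap the rogue AVs in this thread used; without an AppLocker policy in force every folder will show AllowedByDefault.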
     