Give the Gift of Security!

A recent post by Herbalist reminded me that most discussions in these forums are about products, with not much said about security strategy. He often stresses the need for sound security policies.

Perhaps it's because most people who frequent these forums already have a sound security strategy in place, that they aren't interested in discussing the basics.

Yet, with all of the sophistication of malware these days, most people who suffer the consequences of getting infected do so because of the "click" on an attachment, being enticed to follow a malicious link, opening an unsolicted document which is infected, and so forth...

Pretty basic stuff and simple to avoid.

So, dusting off one of my favorite topics, "Adopt a User" I encourage everyone here to put to use your knowledge of computer security basics.

Instead of spending money on a gift for someone you know who is not very knowledgeable security-wise, why not volunteer your time to help her/him develop a good computer security strategy?

That will be one less statistic in the tally of infected computer users!

----
rich

 

Good challenge

 

An excelent idea Rmus. I always try to help other with security issues. I am by no means an expert but I feel if we all help one another I believe we can make things much more difficult for those who make and spread malware.

 

Personally I've always set-up other peoples systems when they ask or when I've seen serious security flaws. It's easier than try to explain and teach them. But I'll join your cause, i'll do the effort.
I'm glad I ran across with Wilders, I have learned a lot since I first came to this forum... back then, I thought I knew all about security, now I realize how little I really know and how much there's to learn...(didn't even knew that such things as HIPS or sandboxes existed...)

 

Really? We talk about security strategy all the time. I seem to remember seeing people yell about "security layers" all the time. That is security strategy right?

That's all you really need to know about security strategy. i.e that you need many security layers.

The rest involves knowing enough of the products to decide if adding X to Y, is really adding one more layer or if it's the same layer.

What else is there to discuss really?

 

Personally I decided not to. If everyone becomes more secure, the bad guys will have to come after the better protected people like myself when there is no more low hanging fruit. why shoot yourself in the foot?

So nowadays I see people with obvious mistakes and misconceptions, but I usually don't borther to point it out, let them think they know it all and have perfect defenses.....

 

As a gift of security : I emailed my brother to give him the advice to BACKUP his system, which he never did and he emailed me back "I have better things to do."

 

That's funny, and somewhat logical. My experience is that an average user will look at you like you are an alien when you start discussing security. The only people who ask for help are the ones that got owned by some malware. The response ErikAlbert received is probably the most common one.

 

I don't think it is discussed the way it should be, and they way Rich is thinking. I tried and actually started a draft to separate issues and my suggestions to counter them. I was supposed to start a thread, then anyone would criticize it, modify it and give their own sense of strategy. Some members in particular could fill perfectly some of the most important aspects.

Turns out, to make it like i wanted, it's complicated. It takes knowledge AND a good imagination to explain it to anyone (simple terms, without writing an encyclopedia). And without mentioning programs (or mentioning them without making it a "here's my setup" thread).

The document is sitting there waiting for inspiration to finish it. Probably will stay there, i don't think i know that much
Debian also took most of my computer time.

 

LMAO
The security layers mean nothing without a security policy. The security layers help to enforce the security strategy.

This is a question that always crosses my mind. We are at an arms race between blackhats and whitehats. If the good guys become way more smarter, this will create an evolution pressure on malware writers (only the betters will survive). Case in point: Linux, which is almost immune to today's malware. However, a good amount of command & control servers of botnets run on rooted Linux boxes (which run 24/7 with vast amounts of bandwidth and CPU power) managed by lazy admins running very old, unpatched, vulnerable software.

 

If your concept of strategy is limited to "security layers" then yes.

Often, a particular vulnerability that suggests creating another layer for protection can be dealt with by reviewing basic preventative measures taken on the part of the user. To wit, Policies in place:

1) regarding email attachments (still one of the biggest suppliers of malware)

2) regarding clicking on links in emails (beginning to rival attachments as an attack vector)

3) regarding downloading of "freebies" from the internet (especially in families with children)

User policies should be the first step in creating a security strategy. Sans.org frequently addresses this topic, most recently in diaries by ISC Handlers Deborah Hale and Mari Kirby Nichols. They focus on the workplace, but the concepts can be equally applied to the home. Setting up and controlling passwords, for example. Or, learning how your financial institutions correspond with their patrons. Most institutions do not discuss security matters by email.

Once sound user policies are in place, security products can be added, tailored to the particular setup|situation of the user. Does she/he intend to do online banking? Set up a LAN? ... and so forth

I don't know how your initial contact about this occurred, but my experience has been that people don't like unwanted, unsolicited advice. In "Adopting a user" it's always been after someone has mentioned a problem to me, or specifically asked for some help. Approaching a person is a delicate issue. Some want help but don't know how to ask the right question, or are embarrassed to ask a question at all. Some don't want anyone to meddle in their affairs.

Maybe it doesn't have to be complicated. Put yourself in the position of being asked to help set up a person's first computer. They have never used email or surfed the internet.

The challenge is to keep it simple.

I hope you will finish it. You probably know more than you think. Many of today's security products are complicated to use and lead to frustration, resulting in our thinking that we don't know much. On the other hand, Basic security strategy can be simple, easy to understand and develop. With a good plan in place, lots of security products aren't necessary.


----
rich

 

Layered security apps is a means of enforcing a security strategy or policy, not the policy itself. Without an underlying strategy as a guide, it's a collection of security software.

A security policy or strategy can be simple or very detailed. Using Firefox or Opera instead of IE6 to open web pages is a part of a security policy that helps prevent drive-by infections. Blocking e-mail attachments is part of a policy to reduce infected material reaching the user. Allowing only plain text e-mail is a policy component to prevent html exploits being used against your e-mail app. Whether ads are displayed or blocked with a hosts file is part of the policy. Whether you shut down the firewall, HIPS, AV, etc when installing or updating software is part of your security policy.

A security policy is an outline of how your system is used, how different situations and events are handled, what apps are used to open which files, media, etc. It covers what users are and are not allowed to do. Users that understand the interaction of the different processes on their PC can expand this to include what each executable can and can't do, which ones can launch what other processes, which are allowed internet access and to where? The decision whether to allow automatic updates or to update everything manually is part of the security policy. It may sound overly simple, but choices like this affect how other things are configured. If your AV is allowed to update automatically, then your firewall rules must allow that updater to connect out. If you use HIPS, it must be configured to allow that AV updater to do everything it needs to. If it's updated manually, the user can use "allow once" replies to the alerts.

Using the browser for an example, your policy decides your configuration. If Firefox is your default browser, is Internet Explorer going to be used at all? If not, a rule blocking its internet access enforces the policy by preventing its connecting. A HIPS rule that prevents it from running goes further and defeats potential exploits that would launch it from another app. Lets go a bit further. Opening links to PDFs, in your browser or download first? Are links in a PDF alowed to launch your browser? These are policy decisions that affect the configuration of both apps, the firewall, and if you use one, a HIPS.

A security policy is the establishing of set procedures that covers day to day usage. It specifies how the known and unknown are handled. Building a working security policy starts with establishing the basics of how your system is to be used, then thinking thru the details and configuring your security apps to enforce the decisions or policy you've set.
Rick

 

Herb makes these "security policies" sound really boring..

No wonder, nobody talks about them. heh.

Still, like many in these forums, I am a believer in having a multi-layered defense that also includes elements of HIPS and process control. There's simply no subtitute for a classic layered security setup drawn from the finest HIPS, virtualization, and sandboxing technologies that the security industry can offer.

I have thrown the toughest most irresistable rootkits at my setups, delved into the deepest darkest parts of the www and have emerged unscathed. All without security policies.

Looks like Lusher 1, Security policy 0.

 

Hey, if you think so, i won't argue..

 

Devising a security policy or strategy is definitely not exciting. Neither is writing rules for a firewall or HIPS, or filters for Proxomitron. With many projects, the planning stage is the boring part. It's no different with a security policy, especially if you go into detail. On my PCs (all but some test units) I use a policy that has default-deny at its core, which many find even more boring and restrictive. Many of them don't understand what a default-deny policy really is. It's definitely not as exciting or glamorous as allowing a piece of malware to run just to see if your security package will contain all the malicious activities. I prefer a more straight-forward approach: If it can't run, it can't hurt you. Exciting? No. Effective? Very. Classic HIPS like SSM are the ideal tool for enforcing such a policy. In addition to specifiying which apps and processes can run, I took that further and the applied the default-deny concept to each process and executable. I limit each one to what it needs to function properly and what other processes each can start and be started by. The same applies to internet access. Each gets only what it needs. Web content also gets the default-deny policy applied to it. Whenever possible, all unwanted and undesirable content is filtered out. These types of restrictions reduce your attack surface, the number of potential entry points, and if an exploitable vulnerability is found, it severely limits what can be done with it.

Setting up such a policy is very tedious and time consuming. There's a lot of planning, experimenting, and investigating involved. When it's done properly, the end result is a system that's fast, reliable, and almost bulletproof, a system that doesn't depend on the next set of patches, signature files, or the newest version of each app to remain comparatively secure, one I can deliberately visit malicious sites with and come out clean. I don't need to be concerned about a new malware breaking out of a sandbox or virtual environment. I'm not using one, save for one test box. I don't have to rely on a frozen snapshot, restore point, image, etc to put my system back the way it was (and hope nothing got stolen in the meantime, like a password for an account) because the malicious code does not run, so nothing gets changed. My registry is exactly the same as it was yesterday, last week, or last summer. Nothing added, nothing removed. I don't worry about what might happen when someone else uses my PC. They can't install or remove anything or change any important settings. IMO, the results are worth the time, effort, and boredom endured in setting up such a policy. It might take the excitement out of it when you visit a malicious site and nothing happens, but the satisfaction is just as good.
Rick

 

Some other thoughts about strategy, or policies:

Approaches to Default-Deny can also include,

==> setting Software Restriction Policies, based on the White-List Principle.

==> setting up Limited User accounts where in a family, several use one computer.

Working with families is rewarding. One solution I use, which I refer to as Set-and-Forget (found this phrase in an old article) is to install Anti-Executable (Default-Deny) on family computers, where the parent's policy is to approve everything that gets installed.

While these policies might seem restrictive, if presented in the right way to children at an early age, they accept that "this is the way it is in our family." Like establishing a curfew, as they get older. During these formative years the parents are instilling in their children, safe user habits regarding email and surfing the internet, for example.

One friend is now teaching his two children (ages 11, 12) how to configure the browser, how a firewall works, and how to back up their school files themselves. What I find significant in the cases I'm familiar with is that these young people are learning that "driving" a computer safely is similar to driving a car safely: you first learn safety procedures (policies, if you want). You don't need a lot of security products to have a safe computing experience.

By the time the parents give their children their first computer, basic user policies -- the begining of a sound security strategy -- are well established.


----
rich

 

Whitelisting is definitely at the heart of default-deny. I don't have the limited user account option, Win98. SSM can effectively do the same thing anyway, and in more detail.

A lot of people reject default-deny outright, with "too restrictive" being the most common reason given. The sad part is that in normal usage, the user wouldn't notice that there is a default-deny (or any other) policy in place. It wouldn't reveal itself until they started trying to change configurations or install something. During normal operation, everything works the way it's supposed to. The security apps sit quiet. Default-deny does not equate to a steady stream of alerts and access denied messages, unless you're tampering with it, trying to defeat it. Just because a PC is protected by a default-deny policy doesn't mean that you can't install something. It means that updating and installing is now a system administrators task, not the users. If you're one who is always installing and removing new apps, default-deny isn't for you. It's a policy for finished systems that are equipped and configured to your satisfaction. A PC on which apps are added and removed on a regular basis has a default-permit policy, aka almost anything goes. Somewhere down the line, there's a price to be paid for doing that. It might be an infection, a software conflict, or just a general degrading of performance, but eventually it will catch up to you.

You describe an excellent way to approach this in a home environment. Restrictive? Maybe in the kids eyes. I've serviced too many PCs where the kids have installed stuff the parents didn't want and tried to hide its existence. On one home PC, I ripped Kazaa and all it's bundled malware out 3 separate times. I'd much rather be bored writing rules for a firewall or HIPS than doing that.

I would assume that most of those who visit here are the administrators of the own PCs. I would like someone to explain to me how a default-deny policy that you set up on your own PC is too restrictive. It's enforcing your rules. It's limiting the system to what you want used and blocking what you don't want touched. How is restricting the PC to running what you want used qualify as too restrictive?
Rick

 

You don't get it. You really don't. You can (and probably will) write a million words on the subject and you still don't understand where most of the people here are coming from.

I don't forsee getting through to you any time this side of eternity, so I'll just say it's a matter of different objectives and focus and leave it at that.

 

I'm not sure if I think so. But I'm sure a lot of people do, but are too bored to read this thread.... I'm posting on their behalf.

 

Rich, Rick .... entertaining and enlightening perspective's for 'most' of the folk's visiting. Alway's a pleasure.

Steve

 

Well I'm not bored & I'm anything but an expert.

I'm always prepared to wait, read up on anything new or anything I don't understand and when in doubt - don't.

However the co-owner & co-user of this PC is of an opposing ideology - double-clicks a single click mouse if it's not loading fast enough to suit them. Can't be bothered temporarily allowing a site but allows it on NoScript - can't see the point of NoScript & can't be bothered noticing what it has blocked, allowing the necessary ones to complete a purchase before loading the page etc etc etc ad nauseum

To make it worse, same user will boot up IE because it's "easier" than dealing with all the "security c***" that I've added to Fx (AdBlock+ & NoScript is it so far as we/I am re-setting up the PC after it got too slow, stuck with an OEM re-boot disk rather than outright ownership of XP Home unfortunately )

So I'm the De Facto Admin of a 2 user Standalone where one is security concious and the other is of the opinion that as we've been lucky so far - this luck will continue *sigh*

Other user wants to switch to Linux SUSE10 & assures me it will be easy "cos their dad runs it" ( same parent that has been through several rebuilds or repurchase of pc's in a year due to fatal crashes in the learning curves and changes OS frequently ) I have no issue with switching to Linux but want to run it separately in a virtual partition while we learn it so we have a functioning PC ( my lifeline to outside world ) and can be sure of what Software we need to get before making the switchover etc - apparently this is a "defeatist attitude" as we can be talked through by the parent and just need to do a little reading Fact that other user is rarely here, has no spare time and no inclination to read "boring stuff" seems not to hold any weight no matter what - apparently it's "cool" - and yes both are well over 30yrs old for goodness sake!

Currently running NIS 2007 & SWS Basic 2006 as they've been paid for but will not be renewing them. Also have SS&D as a secondary layer and did have Spy Sweeper which I personally found to be lacking in the information it gave apart from "you appear to have been infected with X or Y. Quarantine, Delete or Ignore?" - both times they were FP's. (I found the lack of info as to where the "spy" was, when it had been installed etc to be less than helpful to say the least.)

Insists on going online with Word - even though has been informed many times that we need to install Office SP3 First - I'm still working my way through the instructions as Word is the only part of the program we use. I am slow I admit freely. I do like to spend a little time on the PC not focused on security but as I'm disabled never know when I can use it and when not & often when I can I'm in no state to follow a detailed instruction - half the time can't read it due to the meds etc etc blah blah blah ( anyone fallen asleep yet? )

So upshot is - anyone want to adopt me? Or help me setup a security policy that works no matter what fellow user clicks?

If not, thanks for the opportunity to vent at least

peace,

~ CL

 

Apparently not. You did an excellent job of not spelling it out as well.

As for where most here are "coming from", their "objectives and focus", there's several different groups here. Some want software that does all the work for them. Some treat security apps like toys, installing as many as possible without ever understanding how or why they work, or what the consequences of all the overlapping "protection" can be. There's a whole lot of "install the latest and greatest" here, a lot of comparing products based on how many features it has, rating it based on how it does with "leaktests" and so-called product comparison sites.

There's also a group here that's come to the same conclusion I have, that to properly secure a system, you have to understand it and how it works. This group understands that how an app is configured is more important than how many features it has, that passing a leaktest is meaningless without understanding what that leaktest actually does, how it works, and how it applies to real life usage, that newer doesn't always mean better, and that layered security is much more than a collection of security apps. When I don't see any of this group here, I'll stop posting since nothing I post would be of any use to any of the other groups.
Rick

 

That's a No-win situation, IMO.

If possible, save money to purchase your own computer and leave co-user to untangle his own mess.


----
rich

 

Well, if it's simply about clicking away on things, and program installations are not an issue (i.e. all this is unwanted dynamic stuff and not some precious screensaver purposely downloaded), just implement a password protected virtualization solution (ShadowDefender, Returnil, ShadowSurfer Pro, Deep Freeze: cost varies from $70 down to free in that list), exclude personal folders under My Documents for each user by the most appropriate mechanism (depends on solution selected - could be an explicit exclusion or a move of the folders to a non-virtualized partition), and be done with it.

Blue

 

I considered that, but if they are co-owners/co-users, the other might balk at the restrictions, leading to unpleasant situations...


----
rich