How to achieve a simple but satisfactory security strategy

Discussion in 'other security issues & news' started by Cerxes, Mar 29, 2008.

Thread Status:
Not open for further replies.
  1. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
I'm a firm believer in using a basic, pragmatic approach to secure my local system and the interaction it has with the network. It hasn't always been so for my part. When I began using computers in the early eighties, I was mainly focused on games and applications I used for school and work. I didn't concern myself with security at all, which wasn't a requisite back then. With the exception of using an AV, it wasn't until I started to use Win2K that I began to learn and utilize (thanks to a security-knowledgeable friend of mine) the internal security policies that the NT systems contained, and also to apply the latest updates for both the OS and the third-party applications. I've continued with this approach for my present client OS (XP), and it still serves me well.

Briefly, regarding the subject of applying a good overall security strategy, one has to consider the following three links in the security chain:

    1. The local system/host.

    2. The user.

    3. The network actors (clients/servers) your system interacts with.

If any or several of these links are weak, then you have a gap which could compromise your security strategy.

Regarding your local system, there are several options and applications to use, where some are better than others. One way is to apply the layered approach, where several applications and/or policies in conjunction are used to secure your system. An example of this is using a combination of HIPS, AV, firewall, backup, updates and user policies. Using for example an "AV + AT + AS + n..." is not IMO a layered approach, since they represent the same type of application within a class (scanners).

Regarding the user, the key here is knowledge about how to secure a system and its interactions. If you are interested in, or at least concerned about, IT security, then in one way or another you take the necessary steps to accomplish this (for example participating in different security forums). If you are an unknowledgeable user for some reason, or just uninterested in how to secure your system, then we all have a problem, since we indirectly are in symbiosis with each other as users of the "Big Network". The main responsibility for solving this lack-of-knowledge problem lies mainly with the producers of the different OS platforms and also, to some extent, with the third-party application developers. An example of this is the difference in the default level of access a user has to the kernel between different OSes after installation. The latest Vista version is an example of this evolution (at least for MS), in comparison to XP, where you need a certain degree of knowledge in how to secure the system in a proper way.

Finally, regarding the interaction between your local system and other actors on the network, you can't really affect that much more than choosing which actors (clients/servers) you want to interact with. For example, regarding security for different financial transactions, one has to look for actors that apply a well-thought-out security strategy and maintain it. Different forums, news sites and reviews from other trusted sources are important in this regard. Statistical examples of the effects these interactions have are the security impacts that, for example, browsers have to deal with today (Secunia):

    [Secunia vulnerability impact graphs: IE.png, FF.png, Opera.png]


A short analysis based on the above graphs shows that by securing your local system in a proper way, we can really improve browser security regarding system access and exposure of sensitive information, which make up a large part of the security impact. However, it also shows that another large security impact consists of spoofing and cross-site scripting, and these are problem areas directly related to the level of knowledge among the users and to the security strategy and its maintenance by the server side of the network. Unfortunately, in this last respect many websites lag in their security strategy and its maintenance for reasons such as lack of knowledge or resources, plain ignorance, etc. It's more or less up to the user/customer to make a demand for improvements in this area.

Much more could of course be said about this, but I didn't want to make it too long-winded, since the purpose of this thread in the first place is to raise some thoughts about pragmatic security strategies, and hopefully lead to some inductive discussion about the topic.

    /C.
     
    Last edited: Mar 29, 2008
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Incredible, you almost took the words out of my mouth regarding the scanners... :) I guess great minds think alike ... hihihihihi .... Here's what I wrote on OA forums a few days ago regarding layered approach:

    It really depends how you define layers. If several programs are responsible for execution, one way or another, then it's still one layer. AV, AS, AT are all one layer. Plus there are layers that do not stack.

    Damn, this sounds like a nightmare lesson in pam / ldap ....

    Anyhow, firewall and AV belong to different layers but they do not stack, because anything that AV can touch has already passed the firewall, with permission or not.

    The same applies to all user-interactive software, they belong to separate layers.

    I'd go for these layers:

    - passive prevention - alternative programs / approaches, allowed/denied protocols
    - permissions - sandboxing, parent/child inheritance, account type
    - file scanning - white/black list scanners
    - execution control - combines all of the above
    - system auditing

    Mrk
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I like the idea of simplicity because the home users I'm in contact with don't have a lot of technical expertise.

    There are two ways in which malware installs:

1) Without the user's permission: Remote Code Execution -- that is, something triggers the downloading/installing of the executable, e.g., an iFrame or an AutoRun.inf file.

    2) With users' permission: user chooses to install a program and it is infected.

The first is the easiest to protect against: White Listing, either by Policies or a separate application -- no executable not White Listed can install: Deny by Default.

    The second is trickier. For those who use only trusted download sites and vendors, this is not a problem. Otherwise, users can take precautions such as scanning, monitoring the installation process, etc.

    That's all there is to it.

Regarding internet security and privacy: neither I nor anyone I've ever helped has been compromised in any way. With sensible precautions and understanding how one's secure websites communicate with users, not clicking on links to login pages but rather using one's bookmarks, etc. -- this is not a problem.

    XSS certainly invokes a lot of fear, but since the majority of exploits are the non-persistent or reflective type, sensible precautions take care of this.

IMO user security is made much more complicated than it needs to be. Graphs and categorization of exploit types make interesting reading but tend to complicate the issue for most people.


    ----
    rich
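The deny-by-default whitelist described in the post above, as an added example that is not code from the thread or from any whitelisting product. It models an allow-list with two kinds of entry: a path rule (everything under a trusted directory may run) and a hash rule (one exact file content may run, wherever it sits), and runs the two install routes rich distinguishes through it. The `AllowList` class, the directory names and the byte strings standing in for executables are all constructed for the example.

```python
"""Deny-by-default execution allow-list (added example, not code from the thread).

An executable runs only if it matches an allow-list entry; absence of a match is
a denial. A path rule trusts every file under a directory, so it covers the
installed programs but also anything an attacker can write there. A hash rule
trusts one exact file content, so it survives the file being moved and catches
a tampered copy. All paths and file contents are constructed for the example.
"""
import hashlib
import posixpath


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class AllowList:
    def __init__(self):
        self.path_rules = []     # normalised directory prefixes, trailing "/"
        self.hash_rules = set()  # sha256 hex digests of approved files

    def allow_directory(self, directory: str) -> None:
        self.path_rules.append(posixpath.normpath(directory) + "/")

    def allow_hash(self, digest: str) -> None:
        self.hash_rules.add(digest.lower())

    def decide(self, path: str, content: bytes):
        """Return (verdict, reason). Only an explicit match yields ALLOW."""
        # Normalise first: "C:/Program Files/../Temp/x.exe" must not pass a
        # plain prefix check for "C:/Program Files/".
        norm = posixpath.normpath(path)
        if sha256_of(content) in self.hash_rules:
            return "ALLOW", "hash rule"
        for prefix in self.path_rules:
            if norm.startswith(prefix):
                return "ALLOW", "path rule " + prefix
        return "DENY", "no matching rule (default deny)"


# Constructed stand-ins for file contents; a real policy hashes the binaries.
APPROVED_INSTALLER = b"MZ-constructed-vendor-installer-v1"
TAMPERED_INSTALLER = b"MZ-constructed-vendor-installer-v1-with-extra-payload"
DRIVE_BY_DOWNLOAD = b"MZ-constructed-dropper"


def build_policy() -> AllowList:
    policy = AllowList()
    policy.allow_directory("C:/Program Files")
    policy.allow_directory("C:/WINDOWS")
    policy.allow_hash(sha256_of(APPROVED_INSTALLER))  # vendor setup the user chose
    return policy


def run_scenarios():
    """Verdicts for the two install routes from the post plus a traversal attempt."""
    policy = build_policy()
    cases = {
        # installed program: covered by the directory rule
        "installed": ("C:/Program Files/App/app.exe", b"MZ-constructed-app"),
        # remote code execution dropping a file the user never chose
        "drive_by": ("C:/Documents and Settings/user/Local Settings/Temp/upd.exe",
                     DRIVE_BY_DOWNLOAD),
        # user-chosen install, genuine vendor file, outside any trusted directory
        "chosen_genuine": ("C:/Documents and Settings/user/Desktop/setup.exe",
                           APPROVED_INSTALLER),
        # same file name, infected copy from an untrusted mirror
        "chosen_tampered": ("C:/Documents and Settings/user/Desktop/setup.exe",
                            TAMPERED_INSTALLER),
        # looks like it starts with the trusted prefix, normalises outside it
        "traversal": ("C:/Program Files/../Documents and Settings/user/evil.exe",
                      DRIVE_BY_DOWNLOAD),
    }
    return {name: policy.decide(path, content)[0]
            for name, (path, content) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16} {verdict}")
```

The hash rule is what handles the "trickier" second case: a genuine vendor installer passes from any location, while a modified copy with the same name is denied, because the policy never trusted the name, only the content. The path rule is cheaper to maintain but only as strong as the write permissions on the directory, which is why it pairs with a limited user account.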
     
  4. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    Interesting that there is only minor variation among the specific browsers listed. Some useful information here in and of itself.

The top impact for all the browsers was system access, followed in no particular order by exposure of sensitive information, XSS, spoofing and security bypass.

    What I recommend for relatives:

    o Use a software firewall (one-way), even if they are behind a hardware firewall. Use the Windows Firewall for Windows (and iptables, via Lokkit, for Ubuntu Linux).
    o Create limited user accounts for each user on Windows (and non-root accounts for each user on Ubuntu Linux) and work, play, communicate, etc. in these accounts. Use the admin account for admin tasks only. (In Ubuntu Linux, the initial account which runs as root via sudo serves as the 'admin' account.)
    o Set the system to notify you of updates to the OS and applications. Update when notified or shortly afterwards. (The 'admin' account in Ubuntu Linux is checked weekly for updates.)
    o Install 3rd party software from trusted sites only.
    o Install a "free" anti-virus (from the ISP or from Avast, Grisoft, Avira) on Windows. Set signature/program updates to automatic, if not the default. Scan the file system weekly. Scan all downloads, including email attachments. (I do not recommend that they use an anti-virus for Ubuntu Linux.)
    o Install a free anti-spyware scanner or use a web-based anti-spyware scanner and scan the filesystem weekly on Windows. (Not applicable to Linux.)
    o Update 3rd party software outside of the Windows update tool (or outside of Synaptic) when updates are available.
    o I recommend that sensitive information not be stored on their PC. This frees them from having to "bother" with extra software such as a sandbox, file/folder encryption, etc.
    o For web browsers, I recommend that they use Internet Explorer in Windows as updating via Windows Update is the easiest path for maintenance or Firefox in Ubuntu since it is the default web browser for the Gnome Desktop and is automatically updated via the update tool. I have not recommended that they install NoScript on Firefox as this seems to give many users angst.
    o For email, they use web mail via their browser; thus, no email client. Don't open email from senders you don't know. Scan all attachments on Windows with the anti-virus tool.
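The "one-way" software firewall in the first recommendation above, as an added example that is not code from the thread: a check that reads an iptables ruleset in the `iptables -S` / `iptables-save` line format and decides whether inbound traffic is denied by default (by chain policy or by a final unconditional REJECT/DROP, the way a Lokkit-style ruleset ends), which inbound allows are deliberate, and whether a catch-all ACCEPT silently undoes the policy. The four rulesets are constructed for the example; on a real host you would feed in the actual `iptables -S` output.

```python
"""Check whether an iptables ruleset is a one-way (inbound-deny) host firewall.

Added example, not code from the thread. It parses rules in the format that
`iptables -S` and `iptables-save` print (one rule per line, as typed on the
command line). Only the INPUT chain is examined; rules that jump to custom
chains are ignored rather than followed. The rulesets at the bottom are
constructed for the example.
"""
import shlex

DENY_TARGETS = {"DROP", "REJECT"}


def _opt(tokens, flag):
    """Value following `flag` in a tokenised rule, or None when absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def analyse_ruleset(text):
    policy = {}
    inbound_allows = []      # deliberate holes, e.g. "tcp/22"
    catch_all_accept = False
    trailing_deny = False    # last INPUT rule is an unconditional DROP/REJECT
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "-P" and len(tok) >= 3:
            policy[tok[1]] = tok[2]
            continue
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != "INPUT":
            continue         # only the INPUT chain matters for inbound
        target = _opt(tok, "-j")
        criteria = tok[2:tok.index("-j")] if "-j" in tok else tok[2:]
        if target in DENY_TARGETS:
            trailing_deny = not criteria
            continue
        if target != "ACCEPT":
            continue         # LOG, RETURN, custom chains: not a final decision
        trailing_deny = False
        if _opt(tok, "-i") == "lo":
            continue         # loopback only
        states = _opt(tok, "--ctstate") or _opt(tok, "--state") or ""
        if "ESTABLISHED" in states.upper():
            continue         # replies to connections this host opened
        dport = _opt(tok, "--dport")
        if dport:
            inbound_allows.append(f"{_opt(tok, '-p') or 'any'}/{dport}")
        elif criteria:
            inbound_allows.append(" ".join(criteria))
        else:
            catch_all_accept = True   # "-A INPUT -j ACCEPT": everything gets in
    inbound_default_deny = policy.get("INPUT") in DENY_TARGETS or trailing_deny
    return {
        "inbound_default_deny": inbound_default_deny,
        "catch_all_accept": catch_all_accept,
        "inbound_allows": inbound_allows,
        "one_way": inbound_default_deny
        and not catch_all_accept
        and policy.get("OUTPUT", "ACCEPT") == "ACCEPT",
    }


# Constructed rulesets: a correct one-way set, an unfiltered host, a set that
# ends in an unconditional REJECT, and a DROP policy defeated by a catch-all.
EXAMPLE_RULESETS = {
    "good": """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
""",
    "open": """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
""",
    "reject_last": """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
""",
    "catch_all": """
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
""",
}


def check_example_rulesets():
    return {name: analyse_ruleset(text) for name, text in EXAMPLE_RULESETS.items()}


if __name__ == "__main__":
    for name, result in check_example_rulesets().items():
        print(f"{name:12} one_way={result['one_way']} allows={result['inbound_allows']}")
```

The `catch_all` case is the one worth remembering: the chain policy says DROP, so a glance at `iptables -L` looks reassuring, yet the first rule accepts everything and the policy is never reached. Rule order, not policy, is what the check has to read.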
     
  5. Quitch

    Quitch Registered Member

    Joined:
    Apr 24, 2008
    Posts:
    94
    I have recently added Secunia PSI to the toolbox, since more and more it's vulnerabilities in 3rd party products which are providing the "way in" and trying to keep track of patching each and every application is a real pain.

The above provides a practical method for doing so, and manages to do it in a way simple enough for even an every-day user to be trained on, i.e. "Click the green link".
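The inventory check that a tool like Secunia PSI automates, as an added example (not Secunia's code nor anything from the thread): installed versions are compared against a baseline of minimum patched versions, products older than the baseline are marked for action, and products the baseline does not know about are reported as untracked rather than assumed safe. Product names, versions and the baseline are constructed for the example; the version parsing is the part that matters, since a naive string comparison ranks 1.9.8 above 1.10.0.

```python
"""Patch inventory check of the kind Secunia PSI automates.

Added example, not Secunia's code nor code from the thread. Compares an
installed-software inventory against a baseline of minimum patched versions.
Products, versions and the baseline are constructed for the example.
"""
import re


def version_key(version, width=5):
    """Numeric tuple for ordering, so '1.10.2' sorts above '1.9.8' and
    '2.0' equals '2.0.0'. Non-digit text is dropped: '1.6.0_05' -> (1, 6, 0, 5, 0).
    Plain string comparison gets '1.9.8' > '1.10.0' wrong, which is why this exists."""
    nums = [int(p) for p in re.findall(r"\d+", version)]
    nums = nums[:width] + [0] * (width - len(nums))
    return tuple(nums)


def is_outdated(installed, minimum):
    return version_key(installed) < version_key(minimum)


def audit(inventory, baseline):
    """inventory: {product: installed_version}; baseline: {product: minimum_patched}.
    Returns (product, status, installed, minimum) rows with status in
    {'PATCH', 'UNTRACKED', 'OK'}, items needing action first. A product missing
    from the baseline is UNTRACKED, not OK: unknown is not the same as patched."""
    rows = []
    for product, installed in sorted(inventory.items()):
        if product not in baseline:
            rows.append((product, "UNTRACKED", installed, None))
        elif is_outdated(installed, baseline[product]):
            rows.append((product, "PATCH", installed, baseline[product]))
        else:
            rows.append((product, "OK", installed, baseline[product]))
    order = {"PATCH": 0, "UNTRACKED": 1, "OK": 2}
    rows.sort(key=lambda r: order[r[1]])   # stable: alphabetical within a status
    return rows


# Constructed data: hypothetical products, not real vendors or advisories.
INVENTORY = {
    "PDF Viewer": "8.1.1",
    "Media Player": "1.9.8",
    "Runtime": "1.6.0_05",
    "Archiver": "3.2",
}
BASELINE = {
    "PDF Viewer": "8.1.2",
    "Media Player": "1.10.0",
    "Runtime": "1.6.0_05",
}


if __name__ == "__main__":
    for product, status, installed, minimum in audit(INVENTORY, BASELINE):
        need = f"needs >= {minimum}" if minimum else "no baseline entry"
        print(f"{status:9} {product:13} {installed:10} {need}")
```

The report ordering is the "click the green link" part: whoever reads it only has to act on the rows at the top. The UNTRACKED row is the caveat a practitioner wants, because an inventory tool is only as complete as the product list it compares against.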
     