Layers of Security: How Many Do You Need?

Discussion in 'other security issues & news' started by Rmus, Apr 3, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I’ve been computing for only about 12 years, so I’m not an "old timer" by any means. I feel I was fortunate to have learned how to use a computer from a friend who had worked as a programmer and security consultant for NASA. He stressed the need for the user to set up "lines of defense." Although it is more common today to see the term "layers of security," I like the former description, for it calls to mind the image of "lines of protection" in front of the user. I’ve adapted this idea for my own use in working with my own system, and in helping others set up a system.

    LINES OF DEFENSE (brief descriptions)

    1. User Awareness and Common Sense. This is the first and most important line of defense. This can be taught to anyone. I often see on the forums and various newsgroups references to "my mom who is computer-illiterate." Well, I would prefer to work with computer-illiterate people, so-called, anytime, because they have no bad habits to unlearn. Many people starting with their first computer have a terrible fear of the unknown. This can be alleviated by showing them the insides of the computer. Not that they necessarily are going to work on the computer themselves, but that they understand that a computer is really nothing mysterious: just a combination of boards, and hardware. Handling fear is the most important aspect of computer security. You want to instill confidence in the user right from the start.

    Next, we set up a filing system on paper. Most people have some type of filing cabinet with drawers in their home, so this provides a useful teaching tool in understanding how "My Computer" is organized into drives. Then we create directories according to the person’s needs/wants, and practice saving files. Important here is to show how a file extension works (and to make Windows display extensions). I’ve never had a person not be able to understand the idea of an executable. The user learns which file extensions to be wary of (we create a list). Later, we take this concept into email, and establish firm rules about attachments, etc.

    There is much more in this first line of defense of course, such as establishing common sense browsing habits; setting up a daily backup system; but this will give an idea of how to start. I'm convinced that the majority of home computer security problems are due to a weakness in this first line of defense.

    2. Alternatives to IE and OE. I don’t understand why anyone still uses these leaky vessels which need constant patching. With an alternative browser and email/newsreader program, one eliminates a huge number of exploits. Now, I’ve never been a Microsoft basher; if I don’t like certain products of a company, I can find alternatives. It’s one thing to not like a product, send in complaints, add to wish-lists for next versions, etc, but name-calling never contributes anything constructive. Like the bully on the playground, name-callers operate from a standpoint of weakness, not strength. And I don’t imagine Bill G. is very much bothered, anyway. I rather think of him as was Napoleon, who, upon being told that people were trashing his statue in the public square, remarked, "Why, I don’t feel a thing."

    3. Microsoft WordViewer. While designed initially to enable those without MSWord to view Word documents, it’s become a useful line of defense because it will not execute code. Newer versions also have converters which allow MSWorks documents to be viewed. Prior to Word 97, macro viruses had to be written to a template (*.dot). Beginning with Word 97 (and Visual Basic) these could be embedded in a document (*.doc). In my own work, I receive Word documents by email on a daily basis. With the email program’s MIME types configured to open them in WordViewer, there is no chance of the document running code. A must on everyone’s system for viewing other’s documents.

    It’s interesting how medical terms began to be used: virus; infection; injection. These terms, of course, instill fear in the user. Computer miscreants, like terrorists, play upon fear in the intended victim. This technique has also been cleverly marketed by the anti-virus, anti-spyware industries: the greater the level of fear and paranoia, the more products are sold. Now that Microsoft is in the fray, it's evident that it is in the best interests of these industries to keep the level of fear and paranoia high because of the big money involved.

    For a number of years, the above three were my successful lines of defense. As miscreants began to exploit weaknesses in the Windows operating systems, it became necessary to add another line of defense:

    4. A robust firewall - one with password protection, and where you can configure the rules. Blocking all port traffic both in and out, except for established permissions, is a must.

    In the college district where I work, I’ve seen how the operating system can be bullet-proofed so that any changes made will be removed on reboot. So, I added a final line of defense:

    5. Lock-down Program. I use Deep Freeze, but there are others. A reboot will restore the system to the state on last reboot.

    In all of my years of computing, these lines of defense have been my secure protection. In the many home systems I’ve helped friends set up, using the above lines of defense, there has never been a problem. If your lines of defense are carefully thought out, there is no need to waste huge amounts of time worrying about the next infection, injection, or whatever.

    I’m amazed, in perusing the various forums and newsgroups, how much time, effort, and money is spent on security products. Some users run as many as 8 or 10. Many people are so fearful, and have to work so hard to clean the infected system, that it takes all of the fun out of computing. This doesn’t have to be.

    -Rmus
     
  2. cluessnewbie

    cluessnewbie Guest

    Computer-illiterate have one very bad habit to unlearn, after years of using computers, they still don't want to learn the slighest thing. That is a very bad habit.



    The mindset of most members here I suspect is that computing without tweaking all "kernel level security software" is what REALLY takes all of the fun out of computing.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very good point. I was referring to working with the beginner who will listen to what you want to teach. In my small circle of friends who help people with their computers, if we sense that a user doesn't "want to learn the slighest thing", we decline to help.

    Interesting observation... I hadn't thought about that...

    -Rmus
     
  4. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Also notable:
    In most casus we tend to describe line of defense by following the information flow: some process comming to the user. That we we regularly find:
    a firewall, blacklists, intrusion detection, content inspection (spam, virusses), anti all malware, restricting access rights, intrusion prevention, hardening OS's, preventing vulnerabilities, educating users, logging, monitoring and auditing (I probably forgot a few security measures).

    Applying all or a number of these measures is a matter of personal intention, but also a requirement in larger organisations. In our company most are in place, and I am responsible for keeping our organisation secured.
    At home I have only a few security measures in place: a firewall with anti spam and anti virus (it's a linux box) and I prevent lots of vulnerabilities by my move to a linux desktop. And of course, I keep educating myself.

    The first post is very interesting because of the point of view, but is quite specific to your environment too. It's not a one size fits all solution.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    True, which is why I made the point of referring to the home environment. At our college district, for example, there are other necessary network safeguards in place. This environment is beyond the scope of my interest and would require discussion in another thread.

    -Rmus
     
Loading...
Thread Status:
Not open for further replies.