Reviewing Your Security Strategy: How Often Do You Do That?

Discussion in 'other security issues & news' started by Rmus, Jan 26, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The question of reviewing one's security came up today in both the 'SpyEye/ZeuS merger' thread and one of the 'Circumventing SRP and AppLocker' threads. Coincidentally, I had a brief discussion about this with a friend, who wondered how often security-minded people review their security. So, I thought I would ask. What triggers a re-thinking, a review, for you?

    I review my security strategy every time a new exploit in the wild appears. I look at the triggering mechanism -- how does the exploit get onto the computer. Then, I assess the risk involved, to see if I need to make any changes.

    I remember back in 2005, the dreaded WMF exploit. When I saw the ISC.org Diary with the URL for unionseek.com (the first recorded URL with the exploit) I went to the page and nothing happened. I re-read the Diary, and by all accounts, something should have triggered. I looked at the page source code:

    Code:
    <iframe src="wmf_exp.wmf"></iframe>
    I didn't have i-frames disabled, so it should have run. It turns out that my Win2K system didn't have the .wmf file type, nor the fax and picture viewer. End of Exploit. Nothing to change.

    In 2008 some of the first PDF exploits began to surface. I found a redirect exploit to a Chinese web site with a malicious PDF file; I went to the site, and nothing happened. At that time, I didn't know exactly how the exploit worked. Soon, a Websense analysis revealed that the browser PDF plugin was required, which loads the PDF file into the browser window so that the malicious shell code can run. I don't have it enabled, so the PDF file could not load. End of Exploit. Nothing to change.

    (for some time, many were incorrectly describing this as a browser exploit, which, of course, it is not.)

    Then came the notorious Conficker worm. I see in a thread today that the 6 million member Conficker botnet is now deemed uncrackable.

    First was Conficker.A, which exploited open ports 445, 139. Those ports are closed by my firewall. End of Exploit. Nothing to change.

    Then came Conficker.B and later variants, exploiting Autorun.inf. That is disabled on my system. End of Exploit. Nothing to change.

    Those are some of the remote code execution exploits that set in motion a review of my security strategy. The alert reader will notice that no security product (other than the firewall) was necessary to neutralize the above exploits.

    I've found that this is also the case with social engineering exploits. Several come to mind:

    The Storm greeting cards by email -- EXE files in disguise:

    [image: storm-valentine.gif]

    The popup messages to update an application - Koobface was very successful:

    [image: koobface_1.jpg]

    Infected documents by email. This one purporting to give details about a recent financial transaction.
    It had an embedded executable (SCR) file:

    [image: rtf.gif]

    Microsoft XLS spreadsheets are common triggers of malware. Since I don't have EXCEL on my computer,
    I've not had to be concerned about this. Anyway, they normally come in a suspicious manner,
    meaning Delete on arrival!

    [image: xls.gif]

    When I review these scenarios, I realize that my own policies/procedures are sound,
    and provide my front line defense against being exploited.

    Well, that is the way I review my security strategy. What about you?

    regards,

    -rich
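An added example (not code from the post above, and not Rmus's own procedure): a read-only PowerShell audit of the host-side conditions the post leans on, written the way a reviewer would check them today rather than by memory. It reports whether the firewall profiles are on and no enabled inbound Allow rule opens TCP 445/139 (the Conficker.A path), whether AutoRun is disabled by policy or by the Autorun.inf IniFileMapping redirect (the Conficker.B path), and whether a shell handler is registered at all for a file type an exploit would deliver (.wmf, .pdf, .xls), which is how the WMF case ended. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated prompt; the extension list is a constructed sample.

```powershell
# Added example, not from the original post. Read-only review of the
# firewall, AutoRun and file-type-handler conditions discussed above.
# Assumed: Windows 8 / Server 2012 or later (NetSecurity module) and an
# elevated prompt. Nothing on the system is modified.

function Test-SmbInboundBlocked {
    # Conficker.A needed TCP 445/139 reachable. The firewall "closes" them
    # only if every profile is enabled and no enabled inbound Allow rule
    # names those ports (or 'Any'). Port ranges such as 137-445 are not
    # expanded here; review those rules by hand.
    $profiles   = Get-NetFirewallProfile
    $allOn      = @($profiles | Where-Object { "$($_.Enabled)" -eq 'True' }).Count -eq @($profiles).Count
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    $openers = foreach ($rule in $allowRules) {
        $ports = $rule | Get-NetFirewallPortFilter
        if ($ports.Protocol -eq 'TCP' -and
            (@($ports.LocalPort) | Where-Object { $_ -in '445', '139', 'Any' })) {
            $rule.DisplayName
        }
    }
    [pscustomobject]@{
        Check           = 'Inbound SMB/NetBIOS (TCP 445, 139)'
        ProfilesEnabled = $allOn
        DefaultInbound  = (@($profiles | ForEach-Object { "$($_.DefaultInboundAction)" }) | Sort-Object -Unique) -join ','
        AllowRules      = @($openers)
        Neutralized     = $allOn -and (@($openers).Count -eq 0)
    }
}

function Test-AutoRunDisabled {
    # 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type;
    # the IniFileMapping redirect makes Windows ignore Autorun.inf itself.
    $policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $ndta    = (Get-ItemProperty -Path $policy  -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $mapped  = (Get-ItemProperty -Path $mapping -ErrorAction SilentlyContinue).'(default)'
    $ndtaText = '(not set)'
    if ($null -ne $ndta) { $ndtaText = '0x{0:X2}' -f [int]$ndta }
    [pscustomobject]@{
        Check              = 'AutoRun / Autorun.inf'
        NoDriveTypeAutoRun = $ndtaText
        AutorunInfMapping  = $mapped
        Neutralized        = ($ndta -eq 0xFF) -or ("$mapped" -like '@SYS:*')
    }
}

function Get-FileTypeHandler {
    param([string[]]$Extension)
    # Which ProgID and open command the shell would use for a file the
    # exploit delivers. No handler at all is the "End of Exploit" case;
    # a handler being present still needs its own review. Per-user
    # associations (HKCU ... UserChoice) can override what is shown here.
    foreach ($ext in $Extension) {
        $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
        $cmd = $null
        if ($progId) {
            $cmd = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Check          = "Handler for $ext"
            ProgId         = $progId
            OpenCommand    = $cmd
            HandlerPresent = -not [string]::IsNullOrEmpty($progId)
        }
    }
}

function Invoke-SecurityReview {
    @(
        Test-SmbInboundBlocked
        Test-AutoRunDisabled
        Get-FileTypeHandler -Extension '.wmf', '.pdf', '.xls'   # constructed sample list
    )
}

Invoke-SecurityReview | Format-List
```

Run it again whenever a new in-the-wild vector is published; the point of keeping each check as a function is that the next review only needs one more function for the next vector, not a new script.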
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I review it all the time, at least portions of it. As new info is shared, I personally mull over how that might impact what I do.

    When I was looking for a program to provide security in the early days, I turned to firewalls and scanners and HIPS type approaches. As more individual tools evolved into suites, with ever more prompts showing, I began to earnestly delve into other methods, which meant understanding both where my threats would likely come from and what the OS could offer first before seeking 3rd party help.

    Now, as you mention, it comes to light that SRP and kin are not as secure as one would have thought. This leaves me with no choice but to examine, again, just what I do, just where my personal risks are going to come from, and how I currently have developed my security to handle it. Since I am not likely to go back to many 3rd party tools, I will most likely modify my habits and possibly include some on-demand tool for instances where I cannot implicitly trust.

    However, even if this type of news had not been shared, forcing a review, I still find myself mentally checking the perimeter, attempting to imagine different avenues of attack that I have not focused on. I don't know about the majority, but for me, by developing strict habits of not doing certain things, or always doing certain things, unless I deviate many problematic issues are solved.

    Sul.
     
  3. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    128
    I too employ an ongoing analysis as new exploits and news arise. Generally, I try to lock down environments as much as possible, such as management, LUA, SRP and others, using signature based technology to fill the gap until I am aware of an issue (hopefully). Still sometimes, I question the level of functionality allowed to user versus future issues. It seems it is an evolving art/science, for sure, an interesting one though.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It took me a while to get to this point. By the time of Conficker, I had pretty much concluded as such. With the firewall, a properly configured browser, and autorun protected, I realized that remote code execution exploits were taken care of: they just don't even get out of the gate.

    The "strict habits" you refer to, do indeed solve problematic issues. For me, so far, everything has fallen into these two categories, and so far, security reviews have not mandated any changes in strategy. Although, I still go through a "review" whenever something new pops up in the wild!

    By the way, the SRP stuff you refer to hasn't yet been taken into exploit kits and used in the wild by cybercriminals, so if I used SRP, I wouldn't undertake a review at this point. I would need to see the attack vectors -- how the exploit is delivered to the user -- before considering any changes in strategy.

    regards,

    -rich
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I tend to review my security strategy if I find myself changing what I do on my computers. For example, just recently I've been getting into social networking a lot more frequently, so I researched the potential threats I could encounter and then reviewed my security strategy to see if I had them covered.

    I also review my strategy based on the resources I have. Not too long ago I was fortunate enough to acquire a 2nd computer to play with. I changed my security strategy to make use of this new resource. I now have one system set up specifically for media and games, which only has a light security setup, and the other system for my online activities, which has a much heavier, much more robust security setup.
     
  6. wat0114

    wat0114 Guest

    Quite often, and if there's something I can do to bolster it further without adding 3rd party software, I'll do so. Recently was adding MS' EMET, using it to harden several applications such as browsers, pdf reader, java, email client and MS Office apps. My latest project involves restricting my common browser in win7 fw to only the sites listed in my favorites folders, and a few others, using ip addresses w/CIDR masks.
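An added example, not wat0114's own rules: the per-program outbound allowlist described in the post above, built in PowerShell against the Windows Firewall. It resolves a list of hostnames to their current addresses, writes one outbound Allow rule for the browser limited to those addresses on TCP 80/443, and can be re-run when DNS changes without accumulating stale rules. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated prompt; the browser path and the hostnames are placeholders standing in for the contents of a favorites folder.

```powershell
# Added example, not from the original post. Outbound allowlist for one
# program in the Windows Firewall, built from hostnames.
# Assumed: Windows 8 / Server 2012 or later (NetSecurity module), elevated
# prompt. Browser path and hostnames below are placeholders.

$Browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path
$Hosts   = @('example.com', 'www.example.net')              # constructed list
$Group   = 'Browser allowlist (example)'

function Resolve-AllowedAddresses {
    param([string[]]$Names)
    # One /32 per resolved address. Widen to a provider's block (for
    # example 203.0.113.0/24) by hand only when you know it; a guessed CIDR
    # allows neighbours you never meant to allow.
    $addrs = foreach ($n in $Names) {
        Resolve-DnsName -Name $n -Type A -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } |
            ForEach-Object { "$($_.IPAddress)/32" }
    }
    $addrs | Sort-Object -Unique
}

function Set-BrowserAllowlist {
    param([string]$Program, [string[]]$RemoteAddress, [string]$RuleGroup)
    # Replace any earlier rule in this group so that re-running after a
    # DNS change does not leave old addresses behind.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName "$RuleGroup - allow listed sites" -Group $RuleGroup `
        -Direction Outbound -Action Allow -Program $Program `
        -Protocol TCP -RemotePort 80, 443 -RemoteAddress $RemoteAddress | Out-Null
}

$allowed = Resolve-AllowedAddresses -Names $Hosts
Set-BrowserAllowlist -Program $Browser -RemoteAddress $allowed -RuleGroup $Group

# The Allow rule only restricts anything when the profile's default
# outbound action is Block. Windows evaluates Block rules ahead of Allow
# rules, so a catch-all Block rule for the same program would also defeat
# the Allow rule above; default-deny outbound is the workable form.
# That setting affects every program, so add Allow rules for DNS
# (svchost.exe) and for updaters first, then:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Two caveats a practitioner will hit: sites served from CDNs change addresses often, so the resolve-and-rewrite step has to be repeated (a scheduled task is the usual answer), and address-based rules say nothing about the name being visited, so a listed address that also hosts other sites is allowed as well.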
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I just had to quote you. :D I started looking at security the same as you: antimalware tools and HIPS.

    Over time, I got fed up with security vendors starting to bundle everything, killing some of their stand-alone applications, which was, in part, what made me want to understand how certain attacks actually worked, and how I could protect myself. That's when I started to disable things like autorun, javascript, java, plugins, etc., and use tighter firewall rules.

    I'm glad that the security vendors did bundle their standalone applications in one package, otherwise, most likely, I wouldn't be where I am today.

    Obviously, I also came to realize I couldn't just blindly trust some file I'd get from a trustworthy source, so I needed to add something more, and that's when I faced myself with the amazing (it is, for me) Sandboxie.

    Regarding SRP and AppLocker, I'm aware that there may be no exploit kits in the wild to take advantage of such holes, but as one other user mentioned in one of the threads regarding those two, why do people only take something seriously when they see some POC or when they see it is starting to be widely used? Why not try to do something before it becomes a reality? You know what they say, better safe than sorry.

    This is not to say that we should drop this; no. I have it, and will keep it; it is one layer provided by the O.S., and I'll keep it. Heck, it's part of the O.S. that I paid for. :D

    But, it does make one consider the possibility of something else, doesn't it?
     
  8. katio

    katio Guest

    I think you could call metasploit an exploit kit.

    I have two separate strategies. One is for my personal systems the other for systems I admin.
    With the latter I take a reactive approach. I wait for what new ideas the bad guys come up with and respond to that taking into account risk vs tradeoff. I'll introduce new layers if the cost is low (like EMET recently) and keep tried and old approaches even if they are far from perfect (like Applocker now).

    For my personal usage I strive to get as close as possible to 100% security:
    My strategy doesn't involve much software or layers and it's actually amazingly simple: physical privilege isolation
    I have different zones, general "anonymous" internet browsing, personal email and online banking, sensitive files, and temporarily more if the need arises.
    For the first I use vanilla Windows and Linux, don't add any security except browser addons (for privacy and ad control more than security).
    The second I do in a live CD and the third on an offline computer.

    There are only two weaknesses:
    Hardware/firmware backdoors and rootkits (if I dualboot or reinstall another zone) and the risk when I transfer files between the different zones. The first one is more theoretical and the second I take care of by using USB instead of network filesharing and not using risky software to handle data files (Adobe Reader, MS Office, Windows Explorer...).
    What this also means is that I stopped worrying and thinking about security on these systems and never had to review my strategy.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The full quote was,

    I could have been more explicit in referring to the commercially available exploit kits (such as Fragus, Eleanore) with code attacking vulnerabilities, such as browser, PDF, other 3rd party applications. The cybercriminals then insert their own payload/code to run, whether an infostealer trojan, shell code, etc.

    As I understand it, Metasploit (and Meterpreter) provide scripts, not the attacking mechanism, thus, not really a functioning exploit kit as described above:

    Meterpreter Scripts
    http://www.darkoperator.com/meterpreter/
    (list of available scripts)


    Meterpreter: Be Afraid
    https://www.hbgary.com/phils-blog/meterpreter-be-afraid/
    If I understand correctly, it's up to the attacker to get the payload/script onto the victim's computer.

    This is why, in my own reviewing, I want to see the attacking mechanism, the attack vector.

    If it is a PDF file sitting on a booby-trapped web site, that is no threat to me, with my PDF plugin disabled.

    If the attacking mechanism is a XLS file with embedded macro, that is no threat to me, since I don't use Microsoft's EXCEL application.

    And so on.

    Malicious scripts, executable trojans, worms, and the like, are certainly dangerous. But they have to get onto my computer somehow before they can do any damage.

    In my reviewing, if I find something porous in my defence setup, I'll make a change.

    regards,

    -rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Very interesting!

    Risk assessment isn't talked about too much.

    regards,

    -rich
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Any time I hear of a new potential and/or actual vector/method etc. that I might be vulnerable to.

    But being as cautious as I knew how from day one of surfing, due to having researched the usual known pitfalls at the time, e.g. disabling ActiveX/Scripting/Java etc., I felt very safe, and was, despite often visiting malware etc. sites. I then discovered the wonder of anti-executables and HIPS etc., which further helped.

    In recent years we've seen malware get more serious with the rootkit etc. explosion. But even so I still felt safe with what I had and how I used my comp. These days the coders aren't playing games anymore and employ some extremely talented people. So even though I don't expect to get hit any time soon, who knows what's in store from now on? So now I'm even more cautious than before.
     
  12. katio

    katio Guest

    I'm sure we could find some vectors that work against you for a targeted attack...

    Take this one:
    http://www.metasploit.com/modules/exploit/windows/browser/ms11_xxx_ie_css_import
    If you:
    - use IE
    - don't use EMET and such (not sure if it's actually effective against this one?)
    - haven't applied a workaround
    - and I can trick you into opening a link with IE
    you are with absolute certainty vulnerable to an attack (I'm not sure if it's possible/simple to do with metasploit though, I'm really no expert on it)

    Of course, we'd just break into your malware test system so yeah, maybe review but I don't see a reason to change your strategy either.
     