Sector-by-Sector security

Discussion in 'other anti-malware software' started by AirSupremacy, Mar 11, 2012.

Thread Status:
Not open for further replies.
  1. AirSupremacy

    AirSupremacy Registered Member

    Joined:
    Mar 11, 2012
    Posts:
    8
    In order to build a comprehensive security setup, I want to add a security layer from each protection category. Add any to the list and I will update this first post.

    Firewall
    Host-based intrusion prevention (classic)
    Full Virtualization
    Imaging
    Anti-virus/Anti-spyware
    Anti-keylogging
    Sandbox
    System Hardening
    Memory guarding
    Behavior Blocker
    System integrity checking
     
    Last edited: Mar 12, 2012
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    behaviour blocker
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    There is a lot of overlap. HIPS/IPS covers virtualization, system hardening, memory guarding and sandboxing. The rest would fall under disaster recovery and HIDS/IDS.

    In terms of specifics you can break AVs down into file-analysis heuristics, behavioral emulation heuristics, blacklisting, cloud-based heuristics, reputation based heuristics, cloud based blacklists.

    Sandboxing can be broken down a lot: you have your Sandboxie virtualized environment sandbox and your Windows MIAC sandbox, you have virtual machines, jails, applets, etc.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Your collection has way too much overlap and duplication. The sandboxing and full virtualization are each good security concepts, but there's no need to use both. Firewalls often include Host-based intrusion prevention. Using an additional HIPS with such a firewall can cause all kinds of problems.

    You'll do better if you start with choosing a base security policy that best fits your skill and usage needs, such as:
    Conventional detection based.
    Virtual system.
    Sandboxed attack surface.
    Default-deny.
    Minimum permission.

    Each has its own strengths, weaknesses, and requirements on the user and system. After you choose what best fits your needs, then choose the app(s) that are best suited for enforcing that policy.
     
  5. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen

    FW/HIPS + AV + Sandbox are all you need, without redundancies that could create conflicts or reduce the effectiveness of the security. An imaging program is a must anyway, for every kind of eventuality, not only security problems.

    Pay close attention to the settings.

     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Firewall -> Firewall
    Host-based intrusion prevention -> HIPS
    Full Virtualization -> Sandbox (Some HIPS have partial virtualization or limited rights features)
    Imaging -> Imaging
    Anti-virus/Anti-spyware -> AV
    Anti-keylogging -> HIPS
    Sandbox -> Sandbox (Some HIPS have partial virtualization or limited rights features)
    System Hardening -> HIPS
    Memory guarding -> HIPS

    In summary it is like this.
    -Firewall
    -AV
    -HIPS
    -Sandbox
    -Imaging

    Then, to make the setup even simpler, I would take a HIPS that has a Firewall built in to reduce the amount of software running in real time.
    -AV
    -HIPS
    -Sandbox
    -Imaging
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Depending on your Operating System version, you could actually go lighter, without reducing any security, while kind of retaining most of what you mentioned.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Instead of trying to cover every security layer you should try to cover every attack vector. Ask where you're vulnerable - USB, DVD, running services, etc. Ask how you can mitigate those risks.
     
  9. tomazyk

    tomazyk Guest

    Encryption
    Update checking
    System integrity checking

    For internet - Proxy, encryption, script control, cookies control, active content control, IP and domain blacklisting...

    Do tell us if your system is still running if you install one of each :)
     
    Last edited by a moderator: Mar 12, 2012
  10. AirSupremacy

    AirSupremacy Registered Member

    Joined:
    Mar 11, 2012
    Posts:
    8
    Actually most security products today tend to overlap regarding the protection themes I listed. I am well aware of this fact but this thread is also for those that are considering which software to use. To them, this list would be more of a checklist. Obviously, no one expects them to have EVERY protection. Pick and choose the ones that are useful.

    Regarding sandbox and virtualization, I find these are two distinct products if you compare DefenseWall and Returnil. One restricts usage of executables while the other provides a full copy of the disk drive.

    I've added several suggestions. Thanks!
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Bear in mind that when you start adding this, plus that, plus that one, plus that other one security application, then you're also increasing your very same attack vectors.

    When choosing a security application, we're always weighing the pros and cons between the offered security and the fact that it's third-party code being added to the operating system, which on its own, regardless of being security software, will also introduce its own fair share of security vulnerabilities.

    So, if you really think that having more = more security, 99% of the time it's actually the other way around. The more you add, the more vulnerabilities you add as well.

    My honest opinion, as I have previously mentioned, is to take into consideration the operating system version you're using, and use a lot of what it has to offer security-wise. Then, if you must, couple it with a third-party security application that would protect against something you need and that Windows won't offer on its own.

    As I mentioned above, more security software doesn't equal more security, at all.
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    m00nbl00d well said my son:thumb: :thumb:
     
  13. AirSupremacy

    AirSupremacy Registered Member

    Joined:
    Mar 11, 2012
    Posts:
    8
    If you look at the "what's your security?" thread on this forum, you will realize people do tend to run multiple security programs on the same system. While it could lead to more vulnerabilities, the benefit they provide far outweighs the potential bug fixes that are inherent in every program ever coded. You're picking at the details and missing the whole picture.

    This thread is to close as many attack vectors as possible while eliminating the need for redundant security software.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes... that thread... A very special one on Wilders Security Forum. You'll see that over time it's practically just the same users all over again, simply showing what they're using "now", what they're testing just for the "fun" of it.

    They're security software addicts, who need their daily fix. @ All, no bad mouthing intended here. ;)

    But, if you actually paid enough attention, you'll see there's a handful of users mentioning their security setup there, and practically using no security software, except this or that on-demand scanner or Sandboxie/DefenseWall/etc.

    They're included in the bunch of those who use native Windows security functionality + some third-party security application to couple with what Windows has to offer.

    Now... I'm not saying which ones are right and which ones are wrong. That's up to you... Each person needs to weigh the cons and pros. :)

    If you were selling me a painting, I'd look at the details, actually. Who cares about the whole picture, if part of it is damaged? I'd never buy the painting.

    Isn't that a paradox? Closing as many attack vectors as possible by introducing a lot more?

    Also, don't forget that many security software will be messing with the kernel, unlike some other software.

    If I had to pick: Windows built-in security + restrict the web browser/other dangerous applications (maybe by using something like Sandboxie/DefenseWall/similar) + system image.

    But, that's me... I like the little details. ;) :D
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think the "What's your security setup?" topic is often users just testing out software and giving input on the latest versions etc. in a more informal way. It also lets other users see possible configurations and give/get input.

    You can try to cover as many holes as you like, every time you add code you add vulnerabilities. m00n said it, you're weighing the risks every time (or you should be.)

    When you start protecting a server (the things that actually get attacked, where security is really important) the most important thing is closing ports, turning off services, and essentially decreasing your attack surface as much as possible. They don't say "****, we have an open port, install a 3rd party firewall" because that's just one (large) piece of code that the attacker can exploit.
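The attack-surface check described in that last post, as an added example that is not from any poster in the thread: a small POSIX sh audit that lists listening TCP sockets and flags any exposed port not on an allowlist, so the fix is closing the port or disabling the service rather than adding software. The `ss` sample output and the allowlist of ports 22 and 80 are constructed for the example.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of ports the host is
# supposed to expose. Anything else is attack surface to remove.

# Constructed sample in the column layout of `ss -Hltn` (no header line):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# In real use replace this with:  SS_SAMPLE=$(ss -Hltn)
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 *:3306 *:*
LISTEN 0 128 [::]:22 [::]:*'

# listen_addrs "SS_OUTPUT": print the local "addr:port" of every listener.
listen_addrs() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# unexpected_listeners "ALLOWED_PORTS" "SS_OUTPUT": print each listener whose
# port is not in the space-separated allowlist. Sockets bound only to
# loopback are skipped, since they are not reachable from the network.
unexpected_listeners() {
    allowed=" $1 "
    listen_addrs "$2" | while IFS= read -r addr; do
        port=${addr##*:}      # text after the last colon
        host=${addr%:*}       # text before the last colon
        case "$host" in
            127.*|'[::1]') continue ;;   # loopback-only listener
        esac
        case "$allowed" in
            *" $port "*) ;;                       # expected service
            *) printf '%s\n' "$addr" ;;           # exposed and not allowed
        esac
    done
}

# Example run: only ports 22 and 80 are supposed to be reachable.
unexpected_listeners "22 80" "$SS_SAMPLE"
```

Each line printed is a service to stop or bind to loopback; an empty result means the exposed surface matches the allowlist.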
     