Discussion in 'polls' started by Tyrizian, Jun 24, 2014.
What do you think is most important when it comes to security setups and why?
Sandboxing + Web filtering, because the browser is the most vulnerable part; pretty much all malware gets in through it.
AV - not really, it comes after the infection is already spread, good for cleaning though.
Firewall - if there are applications already allowed, obviously, how can it stop anything?
Anti-Executable/Policy Based - similar to AV, it is meant to deal with an already infected PC.
HIPS/Behavioral Blocking - even with learning mode, it still requires some skill to be effective.
Anti-Exploit - it is pretty unclear what it does; it protects the browser, but it does not specify how.
-Other: System Recovery (e.g. Imaging, Boot-to-Restore etc.)
I voted two:
- other: backup, backup, backup
- Antivirus: to let you know when you have to restore backup.
The most important aspect of computer security is the user's overall security policy, not the system or software policy components of the operating system but the user's overall security strategy. This strategy or policy should be based on the user's needs, their ability to implement and adhere to that policy, and their attention to detail. The operating system, user applications, and security software are selected based on their ability to adhere to and enforce that policy.
The user's security policy has a basic core policy. Some of the core security policies are:
Default-permit, roughly defined as anything not malicious is allowed.
Default-deny, only what the user specifies is allowed.
Containment, changes are confined to a sandbox or virtual environment. The host system remains unaffected.
Reboot to restore, the system is returned to a predefined clean state after each restart.
Each of these has advantages and disadvantages. Each favors a different kind of user, pattern of use of the PC, user skill level, etc. The different core policies can be combined. The user should choose the core policy that best matches their abilities and needs, then choose the components, applications, and/or security software that can best enforce that policy. Sandboxing software is a poor choice for enforcing default-deny. AVs aren't suited for sandboxing. Classic HIPS doesn't detect specific malware.
Ultimately, it is the user's security policy that protects them. Some policies like default-deny require a lot of attention to the details. Others like default-permit need very little. This is largely determined by how the system is used and by how many. For users that try out a lot of software or regularly alter their systems, default-deny is a bad choice. For those whose systems change little and those that want the system to be the same day after day, default-deny is a good option. Users that want to be able to do as they please with a system and are willing to invest some time in the initial setup, for them sandboxing and virtual systems are good choices. Those who just want to use a system and can't or don't want to invest time and effort in its setup should stick with default-permit and AVs. The user has to be honest with themselves regarding what they want to do and what they can do when making their choice.
I voted 'other'.
The single most important thing is: Don't be an idiot!
DON'T click on that link in the Nigerian scam-mail, DON'T click on that link to 'something funny' some jerk sends you on Idiotbook
and DON'T believe you get 'Free Pr0n' when clicking that flashing thing ..
Policy restriction + inbound FW + web filtering + imaging. Yep, I have converted from classical HIPS to policy restriction HIPS. Blame GIMP for that.
I do have objections with those statements.
Why's that? Because of plugins subdir with all exes? I used to whitelist whole folder, when I was using Malware Defender.
Yes. GIMP is like a Lego software. Even each effect has its own EXE. I've never seen third-party software trigger that many requests from the HIPS.
Well, I wanted to do that as well, but scared that the CHIPS admirals will chop my head as the consequence. =V
I don't think inbound FW and policy restriction are not meant for prevention. Even Chromium-based browsers use some sort of policy restriction. I agree with the outbound FW part though.
Firewall, I'd like to see someone without one LOL. The rest a user can survive without IMO. Then again, backups are very important TBH.
If the user closes all of the open ports, they don't really need an inbound firewall. There's nothing for inbound traffic to connect to. Sadly, Windows from Vista onwards doesn't make that possible.
Could not make up my mind, so I voted for all of the above. Hahaha
I voted other.
The most important security itself is the user.
For example: phishing scam emails.
Also, the OS itself.
Computer security is not complicated: don't install suspicious software, don't click on dubious email attachments and don't fall for phishing scams.
-OTHER: Firewall Router
Firewall Routers positioned at the Networks Edge secure the entire Network that they serve.
Firewall Routers act as the Gateway between the Internet and the Local Area Network.
Firewall Router policy rules dictate what communications pass through the Router from the Local Area Network out into the Internet, and what communications pass through the Router from the Internet into the Local Area Network.
Firewall Routers are the first line of defense for any Local Area Network, even if there is only one computer being served by the Firewall Router.
Good advice but no longer sufficient. With legitimate servers getting hacked, no software is completely trustworthy. With routers being exploited by malware and the DNS system itself found vulnerable, there are no guarantees that where you want to go is where you'll end up. Even on good sites, malware can come through the ads.
I really like this observation. The usual answer assumes every user is the same. But in reality, it is not true. Different users have different needs of their systems and encounter different kinds of security threats. So what will help them most will be different.
HIPS/Behavioral blocking and
Other, which means backup and system virtualisation.
Why not Firewall? Because HIPS/BB have some features to control outbound internet connections and port listening, which is sometimes quite enough.
The poll is "most important", so I voted AV - FW - HIPS. But a multi-layered defense naturally needs something more... And, yes, Firewall Router obviously.
I thought we were talking about the most important pieces of our own setup?
How about the user's knowledge level of the platform they're using, and knowing how to best implement the security of the OS and any additional security hardware/software and policies?
e.g.) If a user installs a firewall/HIPS program, but doesn't quite understand the alert prompts, they could do more harm than good.
Note: In this example it might be good to also have a boot-to-restore program installed if one makes a mistake.
I would also recommend... BACKUP!
e.g.) If a user sets up a hardware router, but doesn't check and change the default settings, they could leave themselves open to an attack.
While you need a layered strategy that might include some combination of the choices presented, those same choices are reactionary. What you need is a way to enforce and reestablish a clean state when necessary. That is why (note: I am biased towards ISR/BTR) I would select to have the following basics and then add other measures depending on my expected risk:
1. Complete, bare metal restore image
2. Redundant data backup in multiple locations separated by geography to minimize risk from disaster/emergency
3. Disk level Instant System Recovery at the client level to enforce clean states and maximize system availability/productivity
Other: Imaging system and backing up data with USB external hard drives.
I disagree. Restoring to a clean state is reactionary, not proactive. Restoring to a clean state doesn't prevent infection or compromise. It cleans up after them. Restoring to a known clean state is something one should do when their primary defenses fail.
Yes, the backups are reactionary, but the ISR isn't as it has nothing to react to or any reason to do anything other than enforce the clean state of the machine established at the moment the virtualization (whole disk sandboxing) was activated. This is the proactive approach of rejecting any changes to the real disk whether good or bad by default.
Could you define ISR/BTR? I'm not familiar with that acronym.
I would consider default-deny as proactive. Default-deny blocks changes unless they're specifically allowed by the user.