Security Corner:

Intrusion prevention

Mar 10 2009   9:28PM GMT

Security Baseline for Small Businesses



Posted by: Ken Harthun
Security, Security management, Wireless security, Intrusion prevention

Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you; it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office, and during the course of that visit I got familiar with how lax they were in setting things up.

The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members, and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with; see if you agree:

  • Physical access to servers, backup, and network equipment is restricted and controlled.
  • Backup power sufficient to allow for graceful shutdown of servers is in place.
  • The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
  • If wireless access is in use, wireless security is enabled, preferably WPA or WPA2 with AES encryption.
  • File servers are protected by appropriate anti-malware applications.
  • Mail servers are protected by anti-spam software or this is implemented at the gateway.
  • Password policy requires strong passwords, frequent changes, and is enforced.
  • Desktops use screen savers and they are password protected.
  • Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
  • Desktops have appropriate anti-malware applications installed.
  • Company policy regarding appropriate use of the Internet is in place and enforced.
  • Data is backed up and media is stored securely off-site.
  • Encryption is implemented and in use for the storage of sensitive information.
  • Procedure is in place for denying access to personnel upon termination of employment.

What do you think? Too much? Something left out?

Discussion welcome.

Oct 21 2008   5:00PM GMT

The Four D’s of Cyber Security: Deny, Discriminate, Detect, & Destroy



Posted by: Ken Harthun
Security management, Security, Intrusion detection, Password, Intrusion prevention

This is an interesting and sensible approach to security. I would call these the “Logics of Cyber Security” because they are so basic they could well be the principles upon which all cyber security can be based. The paper’s authors call them “first principles,” defining a first principle as “…a basic foundational proposition or assumption that cannot be deduced from any other proposition or assumption”; in other words, logics. (You can read the original article, “A Thematic Approach to Cyber Security Using First Principles,” and the link to its latest revision at https://wiki.cac.washington.edu/pages/viewpage.action?pageId=7481170&navigatingVersions=true. Note: the article hasn’t been updated since February 2008.)

Here’s a simple overview of these principles.

DENY — default deny is an absolute must when making shared resources available via servers, network storage, and the Internet. You block everything until you are able to determine whether the entity attempting access is authorized. Encryption is another form of denial, and it allows more granular control: for instance, an otherwise authorized user can be denied access to a particular resource for which they hold no security clearance.

DISCRIMINATE — there are several ways to discriminate between authorized and unauthorized access attempts, the simplest being a password; smart cards, biometrics, and security tokens are other examples. Whatever the method, the result should be that each access attempt is classified as either authorized or unauthorized.

DETECT — some means to detect unauthorized access attempts must be in place. In a Windows environment, one could activate auditing at both the account level and the resource level. Intrusion detection systems, both network- and host-based, are designed for this purpose.

DESTROY — when unauthorized access attempts are detected, rules must be activated that effectively disrupt the attempt before the resources are compromised. This could be accomplished by dropping the connection, blacklisting the source IP address, and so on.
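As an added illustration (this is not code from the post or from the paper it cites), the following Python sketch applies the four principles, in order, to a request against a shared resource: a default-deny resource table (DENY), credential checking with a constant-time compare (DISCRIMINATE), an audit log of every decision plus a per-source failure counter (DETECT), and automatic blacklisting of a source after repeated failures (DESTROY). The users, passwords, resources, clearance levels and IP addresses are all constructed for the example.

```python
import hmac
from collections import defaultdict

# DISCRIMINATE: the credential store, here a constructed dict of
# user -> (password, clearance). A real deployment would use a directory
# service and hashed passwords; plaintext is used only to keep the sketch short.
USERS = {
    "alice": ("correct-horse", "secret"),
    "bob": ("battery-staple", "internal"),
}

# DENY: default deny. A resource can be reached only if it is listed here
# together with the clearance it requires; anything unlisted is refused.
RESOURCE_CLEARANCE = {
    "/share/public": "internal",
    "/share/finance": "secret",
}
CLEARANCE_RANK = {"internal": 1, "secret": 2}

MAX_FAILURES = 3  # DESTROY: denied attempts from one source before it is blacklisted


class Gateway:
    def __init__(self):
        self.failures = defaultdict(int)  # DETECT: denied attempts per source address
        self.blacklist = set()            # DESTROY: sources whose connections are dropped
        self.audit_log = []               # DETECT: every decision, allowed or not

    def _record(self, src, user, resource, decision, reason):
        self.audit_log.append((src, user, resource, decision, reason))
        if decision == "DENY":
            self.failures[src] += 1
            if self.failures[src] >= MAX_FAILURES:
                self.blacklist.add(src)   # DESTROY: disrupt before anything is compromised
        return decision

    def request(self, src, user, password, resource):
        # DESTROY, already triggered: a blacklisted source is dropped unconditionally
        if src in self.blacklist:
            return self._record(src, user, resource, "DROP", "blacklisted source")
        # DENY: unlisted resource -> default deny, no further evaluation
        required = RESOURCE_CLEARANCE.get(resource)
        if required is None:
            return self._record(src, user, resource, "DENY", "resource not exported")
        # DISCRIMINATE: classify the attempt as authorized or unauthorized
        cred = USERS.get(user)
        if cred is None or not hmac.compare_digest(cred[0].encode(), password.encode()):
            return self._record(src, user, resource, "DENY", "bad credentials")
        # DENY, granular form: authorized user without clearance for this resource
        if CLEARANCE_RANK[cred[1]] < CLEARANCE_RANK[required]:
            return self._record(src, user, resource, "DENY", "insufficient clearance")
        return self._record(src, user, resource, "ALLOW", "authorized")


def run_sample():
    """Replay a constructed sequence of requests; return the gateway and its decisions."""
    gw = Gateway()
    decisions = [
        gw.request("10.0.0.5", "alice", "correct-horse", "/share/finance"),    # ALLOW
        gw.request("10.0.0.5", "bob", "battery-staple", "/share/finance"),     # DENY, clearance
        gw.request("198.51.100.9", "bob", "wrong-guess", "/share/public"),     # DENY, 1st failure
        gw.request("198.51.100.9", "bob", "wrong-guess", "/share/public"),     # DENY, 2nd
        gw.request("198.51.100.9", "bob", "wrong-guess", "/share/public"),     # DENY, 3rd -> blacklisted
        gw.request("198.51.100.9", "bob", "battery-staple", "/share/public"),  # DROP, even with the right password
        gw.request("10.0.0.5", "alice", "correct-horse", "/etc/shadow"),       # DENY, not exported
    ]
    return gw, decisions


if __name__ == "__main__":
    gw, decisions = run_sample()
    for entry in gw.audit_log:
        print(entry)
    print("blacklisted:", sorted(gw.blacklist))
```

Note the ordering: the blacklist check runs before anything else, so a source that has been "destroyed" is dropped even when it later presents valid credentials, and an unlisted resource is denied before the credential is ever examined, which is what default deny means in practice.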


Aug 31 2008   4:30PM GMT

CERT Says Linux is Under Attack



Posted by: Ken Harthun
Security, Linux, Vulnerabilities, Cybercrime, CERT, Intrusion detection, Intrusion prevention, Rootkit

It had to happen sooner or later; as Linux gains an ever-increasing foothold in the market (Linux market share to reach 7% in 2008), it will become a viable target for criminal hackers. According to the U.S. Computer Emergency Readiness Team (CERT) in US-CERT Current Activity, attacks are already underway:

US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed.

Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

For now, the attack is easily detected (though variants of the rootkit will likely change its behavior): the attack creates a directory “/etc/khubd.p2/” that is hidden from “ls,” but it can be entered with “cd /etc/khubd.p2”. Any directory named “khubd.p2,” regardless of its location, is hidden from “ls” but can be entered using “cd.” Additionally, “/dev/shm/” may contain files from the attack, so anything unusual in there is suspect. You can also try searching for hidden processes and checking the reference (hard-link) count of “/etc” against the number of directories shown by “ls”.

Check out the full article, “SSH Key-based Attacks” for complete details on risk mitigation and compromise response.


Apr 17 2008   7:05PM GMT

Top Five Personal Firewalls



Posted by: Ken Harthun
Firewalls, Security, Vulnerabilities, Intrusion detection, HIPS, Intrusion prevention

How well does your personal firewall protect you? GRC’s Leak Test, PCFlank, and Bob Sundling’s TooLeaky all provide a quick way to check your personal firewall to see if it effectively blocks outbound connections. But if you really want to know how well your firewall protects you against a whole host of known attacks, check out Matousec’s Firewall Challenge website. Here are the top five based on Matousec’s extensive testing:

  1. Comodo Firewall Pro 3.0.21.329 (Free)
  2. Online Armor Personal Firewall 2.1.0.119 ($40, Free version available)
  3. ProSecurity 1.43 ($30 single PC home user, $40 household)
  4. Outpost Firewall Pro 2008 6.0.2302.264.0490 ($40/year for 3 home PCs)
  5. Kaspersky Internet Security 7.0.1.325 ($80/year for 3 PCs)

The top two, Comodo and Online Armor, scored 100% on the tests. I’m using Comodo from now on.