Practical IT Security – part 1


In my previous CIO articles I tried to focus on several problems simultaneously – clearly there was a better approach. So I am beginning a series of articles devoted to the consistent, practical side of IT security – or, more precisely, to the things that can be applied immediately or included in an action plan.

Contrary to popular belief, ITSEC does not begin with protecting the perimeter. Firewalls and other security systems should be the last concern when building any protection. Our goal is to protect the information, not to make the providers of various “solutions” rich, right?

FIRST STEP – Protection of the last link in the chain
There are several “last links in the chain” – a workstation, a database, protected commercial information, protected business practices; even the user may be considered the last (final) unit to protect… Let’s start with workstations – I will ask a series of questions and then offer appropriate solutions; in most cases both the problems and the solutions are generally valid.

1. Are your workstations protected from physical theft?
If not, consider ways to protect them. For example, many business laptops have a slot for locking them to the desk with a steel cable – if you have that option, use it. Guards and security officers need to stop and authenticate anyone carrying computers out of the building. Video surveillance is of little benefit here and is not a preventive measure – a few infrared LEDs around a person’s face or on a hat can render the cameras useless. Keep that in mind.
Ask yourself: do you know a way to enter your office building without anyone asking you for a badge or permission? If there is any such way, eliminate it. So far, wherever I have worked I have not seen a fully secure building – perhaps because no one is asking that question, or not asking it correctly (are doors the only way into a building?). Motion sensors must be placed at an angle to each other, always in pairs, and in such a way that slow movement or an IR beam pointed at the sensor is not enough to defeat the entire alarm system.

2. Does each workstation have a password for its BIOS, preventing booting from a Live CD or a bootable USB stick?
If not, it’s time to draw up a strategy for using a different BIOS password for each computer and server. You can devise an algorithm that varies the password based on the serial number or location of the computer – administrators will then not need to remember passwords, while users (or “attackers”) will not know the logic and cannot guess them. If you do not consider this a necessary step, take a look at http://www.piotrbania.com/all/kon-boot/ – got goosebumps? Okay, now think about how to prevent this from happening in your organization …
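One way to implement the per-machine password scheme just described, as an added example that is not from the article or any vendor; it assumes a BIOS that accepts 12 alphanumeric characters and a master key that you keep in a vault, and uses an HMAC so that the serial number alone reveals nothing:

```python
import hashlib
import hmac
import string

# Added illustration for step 2 (my own sketch, not a vendor tool): derive a
# distinct BIOS setup password for every machine from one secret master key
# and the machine's serial number. Administrators keep only the master key;
# because the derivation is an HMAC, knowing one machine's serial number and
# password reveals nothing about the key or any other machine's password.
# The master key below is a placeholder; keep the real one in a password vault.
MASTER_KEY = b"placeholder-master-key-change-me-and-keep-offline"

# Many BIOS setup screens accept only letters and digits up to a short
# length; these limits are assumptions, adjust them to the vendor's rules.
BIOS_ALPHABET = string.ascii_letters + string.digits
BIOS_PASSWORD_LENGTH = 12


def derive_bios_password(serial_number: str, master_key: bytes = MASTER_KEY,
                         length: int = BIOS_PASSWORD_LENGTH) -> str:
    """Map a serial number deterministically to a BIOS password."""
    if not 1 <= length <= 42:
        raise ValueError("a 256-bit digest yields at most 42 base-62 characters")
    # Normalise so that " sn-0042 " and "SN-0042" yield the same password.
    label = serial_number.strip().upper().encode("ascii")
    digest = hmac.new(master_key, b"bios-setup:" + label, hashlib.sha256).digest()
    # Spend the digest as one big integer, one base-62 digit per character;
    # 12 characters consume about 71 bits, so the digest is never exhausted.
    number = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        number, index = divmod(number, len(BIOS_ALPHABET))
        chars.append(BIOS_ALPHABET[index])
    return "".join(chars)


def password_sheet(serial_numbers, master_key: bytes = MASTER_KEY) -> dict:
    """Passwords for a batch of machines, e.g. for a sealed printout in the safe."""
    return {sn: derive_bios_password(sn, master_key) for sn in serial_numbers}


if __name__ == "__main__":
    # Constructed serial numbers, not real ones.
    for sn, pw in password_sheet(["SN-0042-LAPTOP", "SN-0043-LAPTOP"]).items():
        print(sn, pw)
```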

3. Ports: USB, FireWire, optical devices …
FireWire ports are a huge security hole – the port allows direct memory access, bypassing the operating system’s controls (meaning anyone who can physically reach the port also has full access to the disk, regardless of which OS you use and how secure it is). Disable the FireWire ports in the BIOS unless they are absolutely essential for your business. The same goes for USB devices – at least control their use if you cannot disable them. On my site – http://www.securityguy.org/disable-usb-storage-devices/ – there are instructions on how to take control of USB devices. Optical drives should be present only where they are necessary for the operation of the business or the daily work of your employees.
If you still have to use USB memory sticks for business purposes, your best choice would be IronKey (https://www.ironkey.com/enterprise) – the Enterprise version can offer all the security you would need (FIPS 140-2), and more.

4. The user – does he have administrative rights on the computer he works on?
If yes, this is bad. The best you can do is to put every user, including network and system administrators, in the Guests group (I assume most companies use Microsoft Windows operating systems) and create separate accounts that can be used to carry out administrative actions but cannot be used for interactive logon. If someone needs to carry out an administrative action on their computer, they can always use the Run As option (one click away; it only requires entering your credentials once, when you need to install a program – and that should not happen that often, really).
Build better system security policies. For Windows XP and Windows 2003 you can boldly apply (with minor edits) the guide at http://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_Guide_v2.2.zip, which also contains a document with example security policies. Do not forget to test everything in a test environment. On the same site you can find recommended policies for other operating systems. Reading and applying them will take some time and effort, but it’s worth it. With a little scripting and the deployment of the policies through Active Directory, once you decide which settings are needed, applying them to all servers and computers in the company is a matter of minutes (don’t forget to test!).

5. Antivirus systems…
There is a lot that could be discussed on this topic. Personally, I am an “enemy” of the most widely used systems, because the most effective viruses are written specifically to disable those particular products – but this does not mean you don’t need an antivirus program. Look for one that can intercept browser sessions and block access to dangerous sites before malicious code is loaded. I think one of the best blogs on IT security is F-Secure’s – http://www.f-secure.com/weblog/; their dedication and the way they communicate with the Internet community mean more than beautiful brochures and giant marketing departments. Take time to look at their blog – they have many products in beta, free and at the same time very effective – try them in a test environment; you may find something that improves the security in your company even now, with products that have not yet hit the market.

6. Stolen data carriers
According to http://datalossdb.org/statistics, 35% of data loss (exfiltration) incidents are due to stolen or lost storage media – disks, computers, flash drives, laptops, mobile phones. This means that a simple strategy of encrypting all data media will prevent 35% of the incidents involving loss or theft of information at your company!
First, start with full encryption of the operating system drive – I recommend the free TrueCrypt program for small environments; for bigger ones you can use the built-in BitLocker in Vista, Windows Server 2008 and Windows 7. The same applies to other media. Besides preventing leakage and loss of information on lost or stolen carriers, imagine that someone breaks into the network in some way and sees only encrypted data everywhere, always with different passwords… not good for them. Use simple, restrictive IT security policies (ones that leave no room for “workarounds”) rather than huge documents describing the obligations of employees – just install the encryption program and make a plan to roll it out in phases; no need for long explanations or policies.
You can task your IT department with producing a script that encrypts the workstations outside working hours – so you avoid losing working time. It is also simple to devise a strategy for the passwords … see item 7.

7. Passwords …
Take the time for training – this is more a matter of psychology and HR than of IT. Help people understand how easy it is to create and remember passwords that are hard to guess. Teach your people the l337 alphabet – 1 = !, 3 = e, 4 = A, @ = a, 7 = t, 0 = O, 9 = g, and so on. For example, 4l!G@70r would mean Aligator; the second is present in most brute-force dictionaries, the first is not. It is fun and it is secure!
Corporate systems should not accept passwords shorter than 8 (better 12) characters. Or give people the following idea – a favorite music group and a favorite song form one long phrase which is at the same time the perfect password: impossible to guess, easy to remember. Even better is to use phrases in their native language (if they are not native English speakers) written in Latin letters … just imagine how difficult it is for someone from another country to guess such a password …
Make the learning process fun – use striking, pungent, funny phrases – let people perceive security as something positive rather than just another dry training session.

8. The human factor
The last, innermost level of protection besides the workstation is the human working on it. The battle is often fought on an intellectual level before it moves to the physical one. As in war and in business, someone may want to steal information through simple human relationships, without any external force – information may leak through e-mail, chat, Facebook, etc. Most often this happens accidentally; in a small percentage of cases, on purpose.
To prevent this from happening we again need to rely on behavioral psychology – there is a need for training, for changing attitudes, for understanding the value of information. Some people post online anything new and interesting, confidential or not. Someone sends an e-mail “help the child, send to all”; 20 minutes later the letter has been seen by all company employees and goes out, exporting with it a list of all their e-mail addresses … two years of work on a new product, and someone shares it on Facebook. Give people colorful, vivid and emotional examples so they can remember them on an emotional level – people are emotional, use it. If you don’t use it first, someone else surely will.
As a last resort, you can use the principle of “carrot and stick” – incentives and penalties, as appropriate. Note that incentives must match the value of the penalties – the penalty cannot be a percentage of salary while the incentive is a company pen or a pat on the shoulder.
One question you should ask yourself: if an employee finds a flash memory stick on the street right outside the office building, will he (or she) immediately plug it into their computer to see what’s inside? Have you trained your employees to recognize such risks?

9. 0-day attacks and protection
Having said all of the above, one risk remains unnoticed and at the same time extremely dangerous – 0-day vulnerabilities in popular software such as Adobe Acrobat Reader, Microsoft Word, Microsoft Excel, etc. The software vendors regularly provide patches, but the IT department sometimes overlooks them or does not update on time. If someone sends an “infected” file to an employee’s mailbox and succeeds in executing code, then even with all the steps above your information will be exfiltrated unless you take steps to control Internet access from the inside out.
Since this article deals with protection systems located at the endpoint – in this case a workstation or laptop – I recommend using a firewall that blocks certain programs or processes from accessing the Internet unless the user (or administrator) explicitly authorizes it. Just as an example I mention the free version of http://personalfirewall.comodo.com/ – naturally, for business purposes you will have to select either the paid version or a similar product; I mention this software only because of my personal preferences and opinion, which are open to criticism.

Leaving aside commercial and non-commercial protection products, are your employees aware of the risks of opening pdf, doc or xls files from unknown sources? If not, now is the right time to teach them. A single pdf attachment sent to the CEO’s assistant may mark the end of a company – the day on which all the confidential data from his or her computer leaked out (not necessarily publicly) …
Are you protected from this risk? In fact, very few people know how to deal with such risks. In practice there is no commercial solution, no product you could simply buy to solve the problem … But there are logical decisions, or rather a sequence of actions, that can prevent leaks of this kind.
Any code, any program, is executed in the context of the user. You can somewhat change the standard environment in which the user runs every command or program with the same privileges, adding at least one more level of complexity – some programs, such as browsers and mail clients, can be executed as Guest (in MS Windows), all others that are unable to work as Guest – as User, and only in exceptional cases – as Administrator. There are virtualization solutions – virtualization of browsers, programs or operating systems – and you can also look into segregated networks. You can use a VPN connection for Internet access and a normal connection for the corporate network (or the opposite). You can also use VPN to access both internal and external networks – don’t think that is too paranoid; it is not that complicated to implement.
But returning to the previous risk – execution of malicious code delivered in a document received in an employee’s mailbox, on a computer holding extremely confidential information. To protect the data, we can run programs such as Outlook in Citrix, or better yet, through application virtualization or application hosting in Windows Server 2008. That way the program does not run on the potentially infected client computer and the data is not kept on it.

I want to remind you once again – any application used by the user, unless expressly required, must not run with administrative rights. But we have a problem. If code is executed on a workstation, the “attacker” can “listen” and “hear” the password used even for hosted or virtualized applications, and gain access to the data in them. What is the method of protection? Somehow you have to protect yourself from already leaked (or not yet public) 0-day exploit scripts, whether they have patches or not. One solution is a free program that is still in beta, F-Secure Exploit Shield. The program is regularly updated against the latest exploits and it works very well – it monitors executable binary code in memory – not executable files, but executable code – compares it with its database, and if something does not look good, blocks its execution. Personally, I tested it with an exploit for which Microsoft had not yet released a patch – the shield worked and did not allow the code to execute.
To reduce the chance of being “hacked” you can upgrade to Windows Vista or Windows 7 (recommended); this is a good solution because they feature ASLR, which significantly hinders running exploits against vulnerable programs or the operating system. Some applications may also be implemented as Web 2.0 – an example is a new project called EyeOS, a working version of which will be released in 2010: an open-source operating system running in the browser … but until this way of working is ready for business, there is still much work to do to defend the current setup, in which data is available and vulnerable on the workstation.

So … we have protected the BIOS, we have protected the passwords and encrypted the data, we have introduced the NSA-recommended security policy for the operating system, we have a good antivirus program and a good firewall that prevents processes not approved by the user or administrator from accessing the external network, ideally we have included application or operating-system virtualization in the scheme, separated the company from the outside network with VPN, and installed F-Secure Exploit Shield – in terms of security, the workstations already look like fortresses. A few things remain for a sweet finish.

10. HIDS
How many companies are using Host Intrusion Detection Systems? At least in Bulgaria … quite a few. Bear in mind – from what I know from experience and from friends and acquaintances, the multitude of security breaches should trigger an active response… well, perhaps the reason is that these breaches remain unknown to the companies themselves? This is my opinion at least.
OSSEC (http://www.ossec.net/) has a free HIDS, working with Linux clients and servers as well as Windows-based ones. Without going into details – a HIDS monitors for unauthorized changes to the file system on a workstation or a server – new files, new programs, new entries in the configuration, new users, etc. – and if it finds something suspicious, sends a REPORT where needed.

It’s not so hard to implement – you should rather worry about making sure you have the human resources to review the logs regularly. What’s the point of having a HIDS and nobody to monitor the logs? It may sound strange, but some companies pay thousands of dollars for such commercial systems just to own them, without reviewing the logs – this is not a good idea.
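The core of what a HIDS does on the file system, as an added example written for this article rather than OSSEC’s own code; it assumes nothing beyond the Python standard library and simulates an intrusion in a temporary directory:

```python
import hashlib
import os
import tempfile
from typing import Dict, Set

# Added illustration of the core idea behind a HIDS as described in step 10
# (written for this article, not OSSEC's code): record a baseline of file
# hashes, later compare the tree against it and report new, changed and
# deleted files. A real HIDS keeps the baseline off-host, runs on a schedule
# and also watches configuration entries and user accounts.

def hash_file(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return the paths added, modified or removed since the baseline."""
    current = take_baseline(root)
    common = set(current) & set(baseline)
    return {
        "new": set(current) - set(baseline),
        "deleted": set(baseline) - set(current),
        "changed": {p for p in common if current[p] != baseline[p]},
    }

def _write(root: str, rel: str, body: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(body)

def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline a tree, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"original build")
        _write(root, "config.ini", b"debug=0")
        baseline = take_baseline(root)
        _write(root, "bin/svc.exe", b"dropped program")   # new file
        _write(root, "config.ini", b"debug=1")            # edited config
        os.remove(os.path.join(root, "bin", "app.exe"))   # removed binary
        return compare_to_baseline(root, baseline)
```

The dictionary `demo()` returns is what a real agent would turn into the report it mails to the person who actually reads the logs.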

11. Protection of databases
They are also one of the “last links” in the chain – if someone gains access to them, the game is over. Much can be said on the topic. But instead of suggesting that you follow instructions for protection, I suggest you seek out instructions for bypassing database security. This is the best approach to finding vulnerabilities in your own database, and the shortest way to success. Key words I would use when searching are: “pentesting oracle”, “pentesting ms sql”, “database penetration testing”, etc. You can replace “pentesting” with “attacking”.
And don’t limit yourself to the database – I’ve seen cases where the applications accessing the database are written so poorly that the database passwords are coded right into the application (obscured, but easy to deobfuscate) and can be seen just by looking at the application’s strings in a special editor or decompiler. Have you protected your database from such risks? Look for these vulnerabilities; request a full source code review from your software vendor if possible! They may not have built the weakness in on purpose – but if you find it, you will help yourself and them to fix it before it’s too late. Trust, but verify!
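An added example (mine, not the article’s or any vendor’s) of how an auditor would look for such embedded passwords in a binary’s strings, including the base64 “obscuring” mentioned above; the sample binary and its credentials are constructed, and the report masks the values so it can be circulated:

```python
import base64
import re
from typing import List, Tuple

# Added illustration for step 11 (my own sketch, not the article's or any
# vendor's code): a "strings"-style audit of an application binary that looks
# for connection strings with embedded passwords, including the common
# "obscuring" trick of storing the string base64-encoded.
MIN_STRING_LEN = 8
CREDENTIAL_RE = re.compile(r"\b(password|pwd)\s*=\s*([^;\s]+)", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> List[Tuple[str, str]]:
    """(encoding, text) for every printable run, like the `strings` tool.
    .NET and Win32 binaries store many literals as UTF-16LE, so those too."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([("ascii", r.decode("ascii")) for r in ascii_runs]
            + [("utf-16le", r.decode("utf-16-le")) for r in utf16_runs])

def mask(secret: str) -> str:
    """Keep the report safe to circulate: show only the first two characters."""
    return secret[:2] + "*" * (len(secret) - 2)

def find_embedded_credentials(blob: bytes) -> List[Tuple[str, str, str]]:
    """(source, field name, masked value) for every password-like field."""
    findings = []
    for encoding, text in extract_strings(blob):
        candidates = [(encoding, text)]
        for token in BASE64_RE.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64, or not text once decoded
            candidates.append((encoding + "+base64", decoded))
        for source, candidate in candidates:
            for match in CREDENTIAL_RE.finditer(candidate):
                findings.append((source, match.group(1), mask(match.group(2))))
    return findings

# Constructed stand-in for a compiled application: header bytes, one plain
# ADO connection string, one base64-"obscured" string and one UTF-16LE string.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Server=db01;Database=crm;User Id=app;Password=Winter2009!;" + b"\x00" * 4
    + b"CfgKey:" + base64.b64encode(b"Data Source=db02;User ID=sa;Pwd=Sup3rS3cret;")
    + b"\x00" * 4 + "Server=db03;Uid=report;password=Qwerty123;".encode("utf-16-le")
    + b"short\x00"
)

def audit_sample() -> List[Tuple[str, str, str]]:
    return find_embedded_credentials(SAMPLE_BINARY)
```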

CONCLUSION
This article could serve as a plan for the “war preparation” of workstations and even servers – for small to medium organizations, planning and executing every step in it could take from a few weeks to a month in the worst case, including testing in a test environment. As a result, in just a few months you can take care of IT security in a medium company with little to no expense – which is not that bad in a time of global financial crisis!