SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

http://www.sans.org/top20/





Technorati Tags: SANS

USB Drive Access Control Part 2

So I'm still looking at options for controlling access to USB devices and other forms of removable media.  As you can see in this article, I have a list of potential applications to help me with that.  In the mean time, I discovered a way to help me mitigate the problem.

Some users in my company will require the use of USB flash drives or hard drives, and for that, we need to purchase some software tools to be able to restrict access by user and by device model.  Other users, however, have no use for USB storage devices at all.

The "old school" method of restricting access to USB was to disable the USB ports in the BIOS.  This was highly effective, and if the BIOS was password protected, the user couldn't find a workaround to give them access. 

There were only 3 problems with this method.  First, in theory, a knowledgeable individual could just install a USB card in an available PCI slot.  While this is unlikely considering my user base, it is still a potential risk.  Second, many newer systems, such as Dell's Optiplex GX280, have done away with PS/2 ports for the mouse and keyboard, relying instead on USB.  If you disable all the USB ports, there go your input devices.  Third, it requires a visit to each PC, since I haven't found a way to script BIOS changes yet.

So here's the new and improved method, courtesy of Windows XP SP2:
1. Start the registry editor (regedit.exe).
2. Go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
3. From the Edit
menu, select New, Key, and type
StorageDevicePolicies. If this key already
exists, then skip to
the next step.
4. Highlight the newly created key
"StorageDevicePolicies" and
from the Edit menu select New, DWORD Value, type
WriteProtect and
press Enter.
5. Double-click WriteProtect and enter 1 for
Value data. The value
1 makes all the USB drives read-only; a value of 0 will
make them
writable.
6. Close the registry editor and restart the
computer.

I also found way to do this via GPO, here.



Technorati Tags: usb, security, registry

Zero-day flaw in Firefox

I've been recommending the use of Firefox for at least a year now, because of the reduced likelihood of encountering a security vulnerability, as well as the better interface and the ability to use add-ons. Now it looks like Firefox's advantage may have been "security through obscurity." As it gains market share on IE, it becomes more of a target for hackers and vulnerability researchers.

While that's not a bad thing, because I firmly believe that the open model of Firefox will ultimately lead to a more secure product, it serves to illustrate that flaws exist in every application.

Here's the link to the story: Hackers claim zero-day flaw in Firefox.

On another note, since this is a javascript-related flaw, there's a great extension for Firefox that is very effective at blocking malicious javascript. It's called NoScript, and it allows you to whitelist any sites you want to run javascript, while blocking any others. It's one of the extensions I always load in a new installation of Firefox.

20 Reasons the World Despises Norton AV?

I found this article, and I'm not sure if I agree with the author completely. It's basically bashing Norton Antivirus as causing more problems than it solves. Here is the article:

http://www.dtgeeks.com/

I personally haven't used Norton Antivirus (the home version) in a number of years, but I have heard some complaints that it is bloatware, and it slows down older PCs to a crawl. Not sure about the other allegations in the article, though.

I am currently running Symantec Antivirus Corporate Edition 10 on my company's network, and I have few problems with it, and the problems I have are not enough to switch, at least not yet. Here are my list of negatives about Symantec AV:

1. Infrequent updates. I'm not talking about virus definitions. I'm talking about actual updates to the application. They seem to come out every six months or so. I'm not even sure about that, which leads to my next point;
2. No update notifications. How can I tell if there's a new version out? I either have to check their website frequently, or hope that a tech news site might mention it.
3. Updates require full install. Why can't Symantec do an upgrade installation? Seems like every update requires uninstalling and reinstalling the server application and the System Center Console.

Not to gang up on Symantec too much, here are my list of positives, which is why I'm actually sticking with them:

1. VERY quick turnaround on zero-day definitions. Symantec's RapidRelease virus definitions have been very good for me. On the rare occasion that I encountered a virus that Symantec didn't detect (3 times in 6 years), I received an updated definition in under 4 hours each time.
2. Centralized management. While it's not perfect, the Symantec System Center shows me everything I need to know about the protected computers on my network. The fact that you can centralize your quarantine of suspicious files, and your alerts make it even better.

UPDATE: I found this great site which appears to test how well the leading antivirus products stack up against a database of 315,000 virus samples. Check it out here. While it doesn't list Symantec Corporate on the recent tests, it does list Norton Antivirus, and it appears to have dropped from Number 6 best ranked in April 2005 to Number 22 in August 2006. Seems to be heading in the wrong direction. Note: I can't vouch for the reliability of this site, as I only just stumbled across it. I will update with further details when they become available.

Return from the void

Hello everyone, sorry for the long delay since my last post! I have had a number of personal crises to deal with, along with a few professional ones, that have preventing me from posting any updates to this blog for the past 2 months or so. I apologize for that, and I will endeavor to post more frequently to this blog, both for my own benefit and yours.

Stay tuned for a few new items today, and more to come!

Microsoft Acquires Winternals Software

Wow, big news! Microsoft has acquired one of the most useful and innovative software companies ever to attempt to improve on Microsoft's products. Mark Russinovich is one of the most intelligent and creative people I have ever met. Some of the products he releases for free on the Sysinternals site are worth more than some paid products. And the Winternals products are equally impressive. Mark, if you don't know him, was the person who broke the news 10 years ago that you could turn NT Workstation into NT Server by making a simple registry change.

So this is undoubtably a good move for Microsoft, but is it a good move for Mark? The answer depends on what Microsoft lets him work on. His title is Technical Fellow, which has traditionally been a position that gets a lot of leeway in the creative process. If Mark can use his new insider influence in the same manner he has done things with Winternals, look for some very positive changes in Microsoft products, at least from the perspective of IT tools and ease of management.

Microsoft Acquires Winternals Software

Company appoints operating systems kernel expert Mark Russinovich as Technical Fellow.

Microsoft Corp. today announced the acquisition of Winternals Software LP, a privately held company based in Austin, Texas, that provides Windows®-based enterprises with systems recovery and data protection solutions in addition to offering a freeware tools Web site called Sysinternals. The addition of Winternals is a significant advance in Microsoft's promise to lower customers' total cost of ownership of the Microsoft® Windows platform. Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code for utilities related to Windows. Financial terms of the acquisition were not disclosed.Winternals was established in 1996 by Mark Russinovich and Bryce Cogswell, who are recognized industry leaders in the areas of operating system design and architecture. Russinovich will join the Microsoft Platforms & Services Division as a technical fellow, working with numerous technology teams across Microsoft, and Cogswell will join the Windows Component Platform Team in the role of software architect.

Winternals Software - Products

Want to know Mark's perspective? Here's his blog entry on the subject:

On My Way to Microsoft!

I’m very pleased to announce that Microsoft has acquired Winternals Softwareand Sysinternals. Bryce Cogswell and I founded both Winternals andSysinternals (originally NTInternals) back in 1996 with the goal ofdeveloping advanced technologies for Windows. We’ve had anincredible amount of fun over the last ten years working on a widerange of diverse products such as Winternals Administrator’s Pak,Protection Manager, Defrag Manager, and Recovery Manager, and thedozens of Sysinternals tools, including Filemon, Regmon and ProcessExplorer, that millions of people use every day for systemstroubleshooting and management. There’s nothing more satisfyingfor me than to see our ideas and their implementation have a positiveimpact.

Mark's Sysinternals Blog: On My Way to Microsoft!

technorati tags:sysinternals, winternals, mark, russinovich, Microsoft

Stop Being Stupid; It's Free: Hard Disk Encryption

I have to call your attention to this great article by Marcus Ranum. If you don't know who Marcus is, he's the Chief of Security for Tenable Network Security, the company that makes Nessus and NeWT. He is the author of a number of thought-provoking articles on computer security. He also has some entertaining items on his site, including a Computer Security Calendar.

Now that I have filled you in on the author, let me tell you about the article. It's about how easy (and free) it is to set up disk encryption on your computer using a product called TrueCrypt.

Stop Being Stupid; It's Free

I'm not sure why I've been so cavalier about my data since then, but to tell you the truth I've never bothered with hard disk encryption, personally. I think part of it was that I didn't particularly care if anyone got my data, because I like to live an open life, but it's been slowly sinking in that there's no sense making life easy for the bad guys. If I can rob some phisher, hacker, or spammer of a moment's pleasure at little cost to myself, that seems like a worthy goal.

After a few days of researching I stumbled across a thing called TrueCrypt. It meets a lot of my requirements, namely:

• Free
  
• Uses recognizable and known encryption algorithms
  
• Works sensibly with a container file that can be treated as external data (i.e.: backed up to tape entire)
  
• Source code available
  
• No adware or "wouldn't you like to buy me now?" bullshit
  
• Small footprint

Now, it's not as if I'm going to go through and review the entire source code of the engine but I like the fact that it's being developed openly and (as far as I can tell) is part of a project that is not socially or financially beholden to anyone.

A Nice Surprise

technorati tags:information, security, encryption, TrueCrypt

The Weakest Link in Network Security

I found this excellent article on Entrepreneur.com.  It spells out some of the inherent risks in Information Security that come with the reality of giving access to users.  Many things can happen as a result of carelessness that can devastate even a well-protected network.

The recommendations in this article provide an excellent starting point for providing protection against the human element of Information Technology.

The Weakest Link in Network Security

Viruses and spyware threaten your data security--but carelessness can be an even bigger threat.
July 10, 2006
By Peter Alexander

Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person's carelessness, and suddenly it's as if you have no network security at all.

Let me give you an example. In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers was stolen. The laptop contained the Social Security numbers of nearly 200,000 people. How did it happen? An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of a SUV. During dinner, one of the employee's colleagues retrieved an item from the vehicle and forgot to re-lock it. As fate would have it, there was a rash of car thefts occurring in that particular area at that particular time, and the rest is history.

The moral of that story is clear: No matter how secure your network may be, it's only as secure as its weakest link. And people--meaning you and your employees--are often the weakest link. It's important to note that poor security puts your business, as well as your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify and require minimum levels of security you must have in order to do business with them.

The Weakest Link in Network Security

technorati tags:information, security, encryption, risk

Symantec AV Flaw

Wow, hot on the heels of my last post regarding antivirus options, there comes this news regarding Symantec Antivirus:

A new vulnerability has been discovered by security firm eEye Digital Security in Symantec Antivirus 10.x and Client Security 3.x that could allow for remote code execution. This does not appear to affect the consumer versions of Symantec's products.

The vulnerability report:
http://www.eeye.com/html/research/upcoming/20060524.html

Other news articles on the subject:
http://www.eweek.com/article2/0,1895,1967941,00.asp

http://www.cnn.com/2006/TECH/internet/05/25/antivirus.flaw.ap/index.html?section=cnn_topstories

Note that this is only a preliminary report from eEye, and Symantec should be given the opportunity to respond accordingly.

While a vulnerability in a security product can be a scary thing, this shouldn't be too much concern for anyone who has implemented a reasonable amount of layered security, such as a firewall restricting port access to all systems, whether public-facing or not.

Enterprise Antivirus Solutions?

My company's Symantec Antivirus Corporate Edition subscription is about to expire, so I figured this would an opportune time to examine other antivirus options.

I've used a number of antivirus solutions on the enterprise (or at least small-to-medium business) level, including Symantec, Trend Micro, CA, and Panda. I've fooled around on the personal computing level with some of the other options, such as McAfee and Grisoft. I sort of inherited the existing Symantec setup at this company, and it has performed relatively well for us, purely on the level of virus scanning. We had an issue about a year ago with a zero-day virus infection, but one we isolated the executable, Symantec quickly gave us a Rapid Release definition to detect and remove it.

On the other hand, I'm not that thrilled with the centralized administration Symantec offers in this product. The deployment options are kind of klunky, and the ability to determine which computers on the network need the software installed is somewhat inadequate. These are minor annoyances that could certainly deal with if necessary, if the rest of the product is satisfactory.

The one thing I have a major problem with is the performance of the application. A while back (I believe it was with version 10.0.1000), there was a bug that caused computers to boot up extremely slowly due to a startup scan that slowed everything down. I believe the solution was to upgrade to version 10.0.1007, which disabled this scan at startup. I'm not sure if this has been rectified in later versions, but it seems to me that a startup scan would be a good thing, if it didn't hobble performance so much.

In any event, if I didn't think there was anything better out there, I would probably just grin and bear it. But I have had some very good experiences with Trend Micro (on a smaller scale, mind you), and Panda has been highly recommended by some of my peers. I'm not too crazy about CA, just because of some bad experiences with Cheyenne AV back in the Windows NT days.

Any recommendations? Or does anyone have any good resources, such as product comparisons and reviews from a reputable source? I tried searching for reviews, but most of the comparisons I can find are no more recent than 2003.