IT security threats are constantly evolving. It's time for IT security pros to get ingenious
Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company's systems and data should call into question any action that may introduce risk.
But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers. And sometimes you have to get a little crazy.
Here are 10 security ideas that have been -- and in many cases still are -- shunned as too offbeat to work but that function quite effectively in helping secure the company's IT assets.
The companies employing these methods don't care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.
Innovative security technique No. 1: Renaming admins
Renaming privileged accounts to something less obvious than "administrator" is often slammed as a wasteful, "security by obscurity" defense. However, this simple security strategy works. If the attacker hasn't already made it inside your network or host, there's little reason to believe they'll be able to readily discern the new names for your privileged accounts.
If they don't know the names, they can't mount a successful password-guessing campaign against them. Even bigger bonus? Never in the history of automated malware -- the campaigns usually mounted against workstations and servers -- has an attack attempted to use anything but built-in account names. By renaming your privileged accounts, you defeat hackers and malware in one step. Plus, it's easier to monitor and alert on log-on attempts to the original privileged account names when they're no longer in use.
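The monitoring half of this technique, as an added example that is not code from the article: once the built-in names are retired, a detection rule only has to watch for logon attempts that still target them. The event records, the retired-name list and the field names are constructed to resemble simplified Windows Security log events.

```python
from collections import Counter

# Added example, not code from the InfoWorld article. Once the built-in
# privileged accounts have been renamed, the old names are dead: any logon
# attempt that still targets them is either a scanner, malware or a guess.
# The retired-name list and the event records below are constructed.
RETIRED_ADMIN_NAMES = {"administrator", "admin"}

# Constructed, simplified Windows Security events (4624 = logon succeeded,
# 4625 = logon failed), as a SIEM might hand them to a detection rule.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-backup",    "IpAddress": "10.0.0.12"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TargetUserName": "jsmith",        "IpAddress": "10.0.0.44"},
    {"EventID": 4625, "TargetUserName": "admin",         "IpAddress": "198.51.100.3"},
    {"EventID": 4624, "TargetUserName": "ops-lead-7f3",  "IpAddress": "10.0.0.5"},
]


def retired_name_attempts(events, retired=RETIRED_ADMIN_NAMES):
    """Count logon attempts per (user, source) that target a retired name.

    Successful logons (4624) are included on purpose: a success as a name that
    should no longer exist means the account was recreated, which is worse.
    """
    hits = Counter()
    for ev in events:
        user = str(ev.get("TargetUserName", "")).lower()
        if ev.get("EventID") in (4624, 4625) and user in retired:
            hits[(user, ev.get("IpAddress", "?"))] += 1
    return dict(hits)


def alerts(events, retired=RETIRED_ADMIN_NAMES):
    """One alert line per (user, source) pair, most persistent source first."""
    hits = retired_name_attempts(events, retired)
    return [f"ALERT: {n} logon attempt(s) as retired account '{u}' from {ip}"
            for (u, ip), n in sorted(hits.items(), key=lambda kv: -kv[1])]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

The ordinary failed logon by a real user ("jsmith") is deliberately left out; the rule is low-noise precisely because nothing legitimate should ever touch the retired names.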
Innovative security technique No. 2: Getting rid of admins
Another recommendation is to get rid of privileged accounts wholesale: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.
True, Windows still allows you to create an alternate Administrator account, but today's most aggressive computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still, many network admins see this as going a step too far, an overly draconian measure that won't work. Well, at least one Fortune 100 company has eliminated all built-in privileged accounts, and it's working great.
The company presents no evidence of having been compromised by an APT (advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user side or from IT. Why would they? They aren't getting hacked.
Innovative security technique No. 3: Honeypots
Modern computer honeypots have been around since the days of Clifford Stoll's "The Cuckoo's Egg," and they still aren't as respected or as widely adopted as they deserve. A honeypot is any computer asset that is set up solely to be attacked. Honeypots have no production value.
They sit and wait, and they are monitored. When a hacker or malware touches them, they send an alert to an admin so that the touch can be investigated. They provide low noise and high value. The shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning -- except for a bunch of honeypots, called a honeynet.
Innovative security technique No. 4: Using nondefault ports
Another technique for minimizing security risk is to install services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic goes gangbusters. When zero-day, remote buffer overflow threats become weaponized by worms, computer viruses, and so on, they always -- and only -- go for the default ports.
This is the case for SQL injection surfers, HTTP worms, SSH discoverers, and any other commonly advertised remote port. Recently Symantec's pcAnywhere and Microsoft's Remote Desktop Protocol suffered remote exploits. When these exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms could arrive. If either service had been running on a nondefault port, the race wouldn't even begin.
That's because in the history of automated malware, malware has only ever tried the default port.
Innovative security technique No. 5: Installing to custom directories
Another security-by-obscurity defense is to install applications to nondefault directories. This one doesn't work as well as it used to, given that most attacks happen at the application file level today, but it still has value.
Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk -- automated malware almost never looks anywhere but the default directories. If malware is able to exploit your system or application, it will try to manipulate the system or application by looking for default directories. Install your OS or application to a nonstandard directory and you screw up its coding.
Changing default folders doesn't have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.
Innovative security technique No. 6: Tarpits
Today, many networks (and honeypots) have tarpit functionality, which answers any invalid connection attempt and holds the connection open. The only downside: Tarpits can cause problems with legitimate services if the tarpit answers prematurely because the legitimate server responded slowly. Remember to fine-tune the tarpit to avoid these false positives and enjoy the benefits.
Innovative security technique No. 7: Network traffic flow analysis
With foreign hackers abounding, one of the best ways to discover massive data theft is through network traffic flow analysis. Free and commercial software is available to map your network flows and establish baselines for what should be going where. That way, if you see hundreds of gigabytes of data suddenly and unexpectedly heading offshore, you can investigate.
Most of the APT attacks I've investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.
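The baseline-then-compare idea from this section, as an added example that is not the article's code: outbound byte counts per (source host, destination) are learned from a normal window, and a later flow is flagged if it dwarfs that baseline or goes to a destination never seen before. The flow records, host names, addresses and thresholds are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example, not the article's code. A per-(source, destination) baseline of
# outbound bytes is learned from a "normal" window; new flows are flagged when
# they dwarf it or go somewhere never seen. Records are constructed (src, dst, bytes).
BASELINE_FLOWS = [
    ("fileserver", "10.0.1.20", 2_000_000_000),   # nightly backup, internal
    ("fileserver", "10.0.1.20", 2_100_000_000),
    ("fileserver", "10.0.1.20", 1_900_000_000),
    ("fileserver", "10.0.1.20", 2_000_000_000),
    ("webproxy", "198.51.100.10", 300_000_000),   # daily browsing via proxy
    ("webproxy", "198.51.100.10", 280_000_000),
    ("webproxy", "198.51.100.10", 320_000_000),
    ("webproxy", "198.51.100.10", 300_000_000),
]
TODAY_FLOWS = [
    ("fileserver", "10.0.1.20", 2_020_000_000),       # normal
    ("webproxy", "198.51.100.10", 305_000_000),       # normal
    ("fileserver", "203.0.113.55", 150_000_000_000),  # 150 GB to an unknown host
    ("webproxy", "198.51.100.10", 9_000_000_000),     # 30x the usual proxy volume
]

def build_baseline(flows):
    """Per (src, dst): (mean, population stddev) of bytes in the baseline window."""
    per_pair = defaultdict(list)
    for src, dst, nbytes in flows:
        per_pair[(src, dst)].append(nbytes)
    return {pair: (mean(v), pstdev(v)) for pair, v in per_pair.items()}

def flag_flows(baseline, flows, sigmas=3.0, min_new_bytes=1_000_000_000):
    """Return (src, dst, bytes, reason) for flows an analyst should look at.
    Unknown (src, dst) pairs are flagged once they move min_new_bytes; known
    pairs are flagged above mean + sigmas*stddev. The stddev is floored at 5%
    of the mean so a perfectly regular baseline does not flag tiny jitter.
    """
    flagged = []
    for src, dst, nbytes in flows:
        stats = baseline.get((src, dst))
        if stats is None:
            if nbytes >= min_new_bytes:
                flagged.append((src, dst, nbytes, "new destination, large transfer"))
            continue
        avg, sd = stats
        if nbytes > avg + sigmas * max(sd, 0.05 * avg):
            flagged.append((src, dst, nbytes, f"{nbytes / avg:.1f}x baseline mean"))
    return flagged

if __name__ == "__main__":
    for item in flag_flows(build_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print("INVESTIGATE:", item)
```

In production the baseline window would be rebuilt on a schedule and the pair key would usually include the destination port and direction, but the two checks (new destination with real volume, known pair far above its norm) are what surface the "hundreds of gigabytes heading offshore" case.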
Innovative security technique No. 8: Screensavers
Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they're now a staple on every computing device, from laptops to slates to mobile phones.
Innovative security technique No. 9: Disabling Internet browsing on servers
Most computer risk is incurred by users' actions on the Internet. Organizations that disable Internet browsing or all Internet access on servers that don't need the connections significantly reduce that server's exposure to malicious activity. You don't want bored admins picking up their email and posting to social networking sites while they're waiting for a patch to download.
Instead, block what isn't needed. For companies using Windows servers, consider disabling UAC (User Account Control) because the risk to the desktop that UAC minimizes isn't there. UAC can cause some security issues, so disabling it while maintaining strong security is a boon for many organizations.
Innovative security technique No. 10: Security-minded development
Any organization producing custom code should integrate security practices into its development process -- ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.
This practice, sometimes known as SDL (Security Development Lifecycle), differs from educator to educator, but often includes the following tenets: use of secure programming languages; avoidance of knowingly insecure programming functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of producing security bug-ridden code.
Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.
This story, "10 crazy IT security tricks that actually work," was originally published at InfoWorld.com.