
Security newbie seeks starting point

Anyone know of some good website(s) that would be a good starting point for me to find out about protecting my company's small network of PCs from... evil :) (I'm an experienced software engineer with some (but not lots) of knowledge about networky things etc.)

They're all running MS Windows 9x (or more usually 2k), Outlook, IE.
I've currently got 'em behind a hardware firewall, and we've got virus detection software going. So my main worry ATM is email viruses that my virus protection software doesn't know about.

E.g., it'd be nice to force Outlook to display HTML as plain text instead of trying to run it and display it as a web page.

It'd also be nice to have some kind of pop3 filtery thing that'd wrap all attachments in (say, a zip file or something) so that by default they never auto-run.

Or something!
 
A copy of Tiny Trojan Trap will do the trick. Trojan Trap "sandboxes" dangerous applications like IE and flavours of Outlook. It now also has a built in virus checker but will stop applications "spawning" out of genuine applications which is what you want.

Download an eval from <a href="http://www.tinysoftware.com" target="_blank">http://www.tinysoftware.com</a> and try it out on one or two desktops. It's not expensive but it gives you an extra layer of defence.

Also consider running some intrusion detection/prevention software on each desktop, particularly non-Win2k ones since they have next to zero security. Your firewall will not totally protect you against intrusion so you need a 2nd (and a 3rd, and 4th ;) layer of defence.

I am meeting with a guy from a US company called Okena tomorrow with a view to re-selling their new "holistic" intrusion prevention system. It looks superb, going far beyond IDS and sandboxes and even providing anti-buffer overflow protection. It doesn't use signatures but profiles malicious applications and patterns of activity so will even protect against unknown attacks/viruses. It will protect servers and workstations - <a href="http://www.okena.com" target="_blank">http://www.okena.com</a>.

I hope this helps. I am currently working on a new UK security information portal (looking to launch in early-mid April) and that will have more information on protecting your systems.

Best Regards
Emeric
 
BTW - a VERY good place for everyone to do some reading on security is the SANS Institute Reading Room - <a href="http://rr.sans.org/index.php" target="_blank">http://rr.sans.org/index.php</a>.

They seem to have covered almost all areas with articles.

Regards
Emeric
 
tx! the sans.org site seems frighteningly comprehensive :)

I'll have a good read when I get some time..

You say a firewall will not prevent intrusion? If you can briefly tell me why (sorry if this is on the sans.org site, I haven't had time to look at much) I'd be interested to hear (or do you mean it won't protect against email trojans/ viruses on floppies/ downloaded nasties etc., which I know about).
 
Yes, the Reading Room at SANS is terribly comprehensive and daunting!!

Now, firewall security/insecurity - where do you start - whole books have been written on this subject!

OK, let's concentrate on just 3 things:

1) You need to run applications, whether server based or workstation based. All of these open holes in your firewall and your security from the moment you run them is at the mercy of those applications! Web Servers, Mail Servers, IE, Outlook, et al are all vulnerable to various exploits. Keeping up to date with security patches and service packs helps but remember that these are always one step behind the hacker.

Most common attacks are "buffer-overflow" attacks that give "debug" access to your PC or server. An attack of this nature will give the attacker user rights in the context that the application was running - so if you are logged on as Joe then the user can do whatever Joe can, if you are logged on as Administrator - well! Server applications typically run in the system user context i.e. administrator so an attack against a server application will usually yield admin rights! Once in as system an attacker can grab your list of passwords and run them through a cracker at 2.8 million+ combinations per second and will usually have all your user passwords in a couple of days unless you use strong passwords with special characters such as @~#%$".

OK, if they break in as Joe then they can use the ftp.exe command line utility to grab a trojan from the Net. They use the Microsoft Task Scheduler to add this to a scheduled process. Task processes will always run in the system context - voila! They hook this into a port that you allow through the firewall (like 53 for DNS) and they can inspect the rest of your network at will from inside your firewall!

2) The TCP/IP protocol was designed before we had much experience with the wide-scale hacking we see today. As a result, there are a number of design flaws that lead to possible security problems. Some examples include smurf attacks, ICMP Unreachable disconnects, IP spoofing, and SYN floods. The biggest problem is that the IP protocol itself is very "trusting": hackers are free to forge and change IP data with impunity. IPsec (IP security) has been designed to overcome many of these flaws, but it is not yet widely used.

3) Firewalls leak. Most people assign too many outgoing permissions. Also you have to allow certain protocols to all users, i.e. port 53 if you don't run your own DNS server - that exposes holes where people can spoof their source port to get round your firewall. There's lots of info on this. Also stateful inspection firewalls are better than just packet filters. These analyse the type of traffic travelling down a port to see if it's the kind of traffic that is normally associated with such a port.

Once a hacker gets a foothold then the more integrated your network is the quicker they can achieve total compromise. Consequently, your network is as secure as your weakest link! That is why the weakest links need protecting as well with intrusion detection/prevention/sandboxes/personal firewalls, etc.

A good starting strategy is as follows:

1) Disable all unnecessary services on servers and workstations. You would be surprised how few services need to run for your system to function. Most importantly disable the Task Scheduler on all PCs.
2) Patch all operating systems with latest Service Packs and security patches. Ditto for all applications - servers and workstations.
3) Have strong passwords - these can still be easy to remember i.e. "£)$(*DbJones is actually shift 230498DbJones - this could be a child's birthday with the shift key pressed and a name.
4) Restrict write/execute access on directories on user PCs to administrator accounts.
5) Do not log onto workstations as an administrator account.
6) Remove dangerous command line applications like ftp.exe, tftp.exe, cacls.exe, net.exe, net1.exe from user workstations. They are never used but make things easier for a hacker. Remember even if they get in they somehow need to get files onto the compromised PCs.

All of the above is referred to as "System Hardening". I am writing some papers on this with explanations which will be useful for people running Windows. There is a lot on the Net but no-one seems to have pulled all of the suggestions together. Even the CIA advice doesn't cover everything ;)

Then think of the rest as medieval warfare. You want to put as many obstacles in the way of the attacker as possible. That's where desktop firewalls, sandboxes, IDS, anti-virus comes in. Hopefully they will just go and find an easier target.

Bear the following statement in mind and be paranoid.

“First accept the following statement - THERE IS NO WAY OF PREVENTING AN INTRUDER FROM ENTERING YOUR SYSTEMS IF CONNECTED TO THE INTERNET. Once you have accepted the statement and its implications then design your security strategy to cope with the consequences of that statement”.

Once you accept the first bit, the second stage is common sense.

I hope this helps.

Regards
Emeric
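An added example, not from this thread or from any of the products mentioned in it: a read-only PowerShell audit of three of the "good starting strategy" points above (Task Scheduler state, whether the logged-on user is an administrator, and whether the listed command-line tools are present). It assumes a current Windows with PowerShell 5 or later; the 9x/2000 machines the thread is about would need the same checks done by hand in services.msc and a command prompt.

```powershell
# Read-only hardening audit for the thread's strategy items 1, 2, 5 and 6.
# Reports only; it changes nothing, so it is safe to run on any workstation.

# Item 1: the post recommends disabling the Task Scheduler on all PCs.
$sched = Get-Service -Name Schedule -ErrorAction SilentlyContinue
if ($sched) {
    "Task Scheduler service: status={0} startup={1}" -f $sched.Status, $sched.StartType
} else {
    "Task Scheduler service: not found"
}

# Item 2: most recent patches installed (newest five), so gaps are visible.
Get-HotFix -ErrorAction SilentlyContinue |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn |
    Format-Table -AutoSize

# Item 5: is the current logon an administrator account?
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$prin = New-Object Security.Principal.WindowsPrincipal($id)
$isAdmin = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Logged on as {0}; member of Administrators: {1}" -f $id.Name, $isAdmin

# Item 6: command-line tools the post says ordinary users never need.
# Presence is reported, not acted on: on modern Windows some of these
# (net.exe in particular) are used by system components.
$tools = 'ftp.exe', 'tftp.exe', 'cacls.exe', 'net.exe', 'net1.exe'
foreach ($t in $tools) {
    $path = Join-Path $env:SystemRoot "System32\$t"
    "{0,-10} {1}" -f $t, $(if (Test-Path $path) { 'present' } else { 'absent' })
}
```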
 
wow, thanks :)

I've already given you a 5-star rating, and it won't let me do it twice :) Really appreciate your taking the time to write all that, thanks again :)

I'd done a fair bit of your "A good starting strategy" already, just out of general paranoia :)

Re: "THERE IS NO WAY OF PREVENTING AN INTRUDER FROM ENTERING YOUR SYSTEMS IF CONNECTED TO THE INTERNET", this has always been my philosophy (like I say, I'm paranoid :) ..

Thankfully my company's requirements are v simple (pick up mail, surf net) and I can't imagine we'd be actively targeted by hackers when there are so many tastier targets about - my main concern's a port-scannery/ mail spammery thing... We've got a good backup policy anyway, so if worst comes to the worst I can wipe all our machines and restore from CDs :)

I'll read up some more on sans.org (what I've seen so far is interesting and scary :)

I find it very frustrating that MS leave so many poxy holes by default: All I want is to be able to send/ receive text mails, and *view* webpages. Given these requirements, I don't see why I should be vulnerable at all.. Why the hell allowing some website to execute code on my machine is "cool" as they put it is beyond me :/
 
Thanks. Glad to be of help, hopefully a few more people will read it too who haven't thought about these issues and it may help them.

I have learnt the rather hard way that a good healthy dose of paranoia keeps you alive!!

After what happened to Cloud Nine I intend to devote my time to making sure these b@st@rds don't have it all their own way. If I can make a living at the same time to replace what I lost then so much the better :)

I agree with you about Microsoft! Their view seems to be that hackers can get in anyway so why make it difficult for them!!! A bit like saying that your car lock won't stop your car being stolen so why bother.....BUT removing it just makes certain that it will be stolen.

Regards
Emeric

[ 19-03-2002: Message edited by: Cloud Nine Customer Services ]
 
 
Very interesting, daunting, worrying, exciting.

Many thanx Cloud9, I'll be looking into this for a few years I think :eek: [Shrug]

Hey crashandburn, love the gremlin. Superb
 