Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA
A Letter to DSLR Security Enthusiasts

Fellow security enthusiasts, at some point in your lives (hopefully, at least) there will come a time when you realize that security isn't about the latest and greatest Windows security tool. It's not about antivirus, it's not about personal firewalls, and it's not about any other tool either. There are basics that are universal across all operating systems and systems. It is these basics that you must learn to stay ahead of the game.

The Basics

Eric Cole of SANS (now Dr. Cole) has a great set of four key principles he talks about. If you master these you will be well on your way to breaking free of the constant Windows-based ratrace of installing tool on top of tool ad infinitum:
    •Know Thy System
    •Least Privilege
    •Defense in Depth
    •Prevention is Ideal, But Detection is a Must

First off, if you're obsessed with security, stop playing with tools and learn about operating systems and programming. You are wasting your time becoming a master of front-ends for concepts rather than learning concepts themselves. Know thy system. This is the single most important thing you can do to become more secure.

Second, use the minimum amount of access that you can. Use a regular user in Linux and Windows, and configure your applications to do the same. It's not a product or OS specific thing -- it's a philosophy that will save your butt.

Thirdly, use different types of protection, not just a bunch of the same kind. And no, this doesn't mean loading up 15 windows security apps in different spaces -- that's missing the point. Learn your OS, harden your applications, take notice of where you browse and what you open, THEN add a few basic defense tools on top of that. That's layering for a home environment.

Finally, have a way to know if something bad has happened. This comes back to number 1 -- knowing what normal is. Consider monitoring your outbound traffic for anomalies using an IDS of some sort. You're not going to be able to stop everything, but have a way to know when you do step in something.

Recommendations
  • Learn your OS

  • Branch out into other OSs if you've only used Windows

  • Learn the command line in every OS you use

  • Install and get friendly with VMware

  • Read major security news feeds, such as Astalavista, HackInTheBox, etc.

  • Follow the main security experts. See what they're talking about.

  • In Windows, install one AV, one firewall, and one anti-adware/spyware tool. Don't get silly about it.

  • Realize that being unsafe in a wealthy suburb is far more safe than being "secure" in a Baghdad hotspot. In other words, you're not going to be safe clicking on random crap regardless of what off the shelf security tool you're running.

  • Remember that advanced malware writers have every security tool you do. Don't you think they tested to make sure it wasn't detectable before they started sending it out? Your best bet is to not interact with it in the first place.

Look, I started on this site in '99 -- 8 years ago -- and I went through this whole tool-based phase just like many of you are doing. It's not bad; I'm not judging you. I'm trying to save you some time by helping you skip ahead.

I went from the tool-based approach I started with to a principles-based, tool-agnostic approach, and it's yielded me a very fulfilling career in information security. I've worked with government, the banking industry, and Fortune 500 companies -- both as a part of the internal team and as a consultant. This was made possible ONLY as a result of being open to security as a discipline rather than as something $foo solution provides.

Trust me. Get away from the tools and focus on the concepts. Expand. Read. Watch. Learn. This is the path to being a more well-rounded and highly skilled security enthusiast/professional.

Kind regards,

-Daniel Miessler
--
dmiessler.com -- grep understanding knowledge


EGeezer
Summertime
Premium
join:2002-08-04
Midwest

Excellent advice!

I'd add my favorite old saw, first observed by Bruce Schneier back in May 2000;

Security is a process, not a product.
Ref »www.schneier.com/crypto-gram-0005.html

Create the process, stick to it and evaluate it periodically. Make changes to meet new needs, threats or risks.
--
BBR's Shooting for a Cause!



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI

reply to Daniel

said by Daniel:

Trust me. Get away from the tools and focus on the concepts. Expand. Read. Watch. Learn. This is the path to being a more well-rounded and highly skilled security enthusiast/professional.

I'm in total agreement with all that but if my own experience is typical the "tool mode" stage is an important step in that ladder. Learning what a tool does & how it does it was a good starting point for my understanding of the OS & security issues.

mikenolan7
Premium
join:2005-06-07
Torrance, CA

reply to Daniel
Outstanding advice. Not enough can be said for detection. A number of months ago, I installed Ubuntu on one of my machines, and within 5 minutes I knew something was wrong. The freshly loaded machine was trying to make outbound connections to addresses that were not on my list of update addresses, and my network instantly warned me. I wiped that machine, and installed Debian instead. At the time I thought that I had been "man-in-the-middled" on my download. Several months later it came out that the Ubuntu servers had been cracked for six months. I don't know if that's what caused my problem, but I sure felt better knowing that I didn't have that software in my systems for months.

Know your machine, know where your updates come from, decide and know which processes can make outbound connections for updates. If something you haven't specifically authorized attempts any outbound connections, find out what it is, and determine if it should be allowed. That is how you learn your OS and your applications. If you can't figure it out, ask here, this is an outstanding resource at your fingertips.

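The check described in the post above, as an added worked example (not code from any poster in this thread): keep an explicit allowlist of which processes may make outbound connections and where, then run connection records against it and flag everything else. The log format, the process names, the hosts and the allowlist below are all constructed for illustration; a real setup would feed it records from a firewall or flow log in whatever format that tool emits.

```python
"""Flag outbound connections that no process has been explicitly authorized to make.

Added example. The log line format, hosts, process names and allowlist are
constructed for illustration and are not any real tool's output or any
poster's configuration.
"""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "ts process dest port")

# Constructed log format:  <date> <time> OUT proc=<name> dst=<host>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT proc=(?P<proc>\S+) dst=(?P<dest>[^:\s]+):(?P<port>\d+)$"
)

ANY = "*"  # marker: this process may talk to any destination (reviewed separately)

# Constructed allowlist: process name -> set of (destination, port) it may reach,
# or ANY. Anything not listed is denied by default.
ALLOWLIST = {
    "apt-get": {("archive.example.org", 80), ("security.example.org", 80)},
    "ntpd": {("ntp.example.org", 123)},
    "firefox": ANY,
}

# Constructed sample records; the last two are the ones a practitioner would want to see.
SAMPLE_LOG = """\
2007-06-01 10:00:01 OUT proc=ntpd dst=ntp.example.org:123
2007-06-01 10:00:07 OUT proc=apt-get dst=archive.example.org:80
2007-06-01 10:00:09 OUT proc=firefox dst=www.example.com:443
2007-06-01 10:00:12 OUT proc=apt-get dst=192.0.2.44:80
2007-06-01 10:00:15 OUT proc=updatehelper dst=198.51.100.9:6667
malformed line that the parser must skip rather than crash on
"""


def parse_log(text):
    """Parse the constructed log format; silently skip lines that do not match."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["ts"], m["proc"], m["dest"], int(m["port"])))
    return conns


def is_authorized(conn, allowlist=ALLOWLIST):
    """Default deny: unknown processes and unlisted destinations are not authorized."""
    rule = allowlist.get(conn.process)
    if rule is None:
        return False
    if rule == ANY:
        return True
    return (conn.dest, conn.port) in rule


def find_anomalies(text, allowlist=ALLOWLIST):
    """Return every parsed connection that the allowlist does not cover."""
    return [c for c in parse_log(text) if not is_authorized(c, allowlist)]


if __name__ == "__main__":
    for c in find_anomalies(SAMPLE_LOG):
        print(f"{c.ts} UNEXPECTED {c.process} -> {c.dest}:{c.port}")
```

Two design points worth noting: the allowlist is keyed by process, not just by destination, so a known updater reaching an unknown host is flagged just as a wholly unknown process is; and the default is deny, so the list has to be built by first learning what normal looks like on the machine, which is exactly the "know thy system" step the letter opens with.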

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Daniel
I read stuff like this with a jaded, skeptical eye. I run as admin and will never do otherwise. I CHOOSE to do so. I also will never give up ProcessGuard or a similar application just because I understand how Windows works! In fact, the more I understand the more I know I need ProcessGuard and other tools. To suggest that I not use the Proxomitron with Sidki's filters is the height of absurdity. Same goes for suggestions that I should not use my other Security applications.

I do agree though with one thing you said: use VMWare which I have been doing for several years. It is great for beta testing, running malware to test your AV, etc.

As for learning other operating systems than Windows...well, Apple computers are too expensive and judging from Safari for Windows they are too unsophisticated also to be learning. As for Linux, I probably will install Ubuntu and dual boot but I will never be a big enthusiast for many reasons.

What do I need to read those security feeds you mentioned for? In the first place, I hate any kind of feed and never, ever look at feeds. Aside from that, I believe strongly that I get enough security information here, Wilders Security, Castlecops (which I and others here helped the owner build years ago) and GRC NGs.

No one will ever convince me that I should not run the security programs that I use. I am not a stupid newbie. I've been here for over six years and was reading GRC NGs before I came here. I've been a Wilders Security member for six years and the same for Castlecops. I get tired of posts like yours....so supercilious.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason



ironwalker
World Renowned
Premium,MVM
join:2001-08-31
Keansburg, NJ
said by Mele20:

I read stuff like this with a jaded, skeptical eye. I run as admin and will never do otherwise. I CHOOSE to do so. I also will never give up ProcessGuard or a similar application just because I understand how Windows works! In fact, the more I understand the more I know I need ProcessGuard and other tools. To suggest that I not use the Proxomitron with Sidki's filters is the height of absurdity. Same goes for suggestions that I should not use my other Security applications.

I do agree though with one thing you said: use VMWare which I have been doing for several years. It is great for beta testing, running malware to test your AV, etc.

As for learning other operating systems than Windows...well, Apple computers are too expensive and judging from Safari for Windows they are too unsophisticated also to be learning. As for Linux, I probably will install Ubuntu and dual boot but I will never be a big enthusiast for many reasons.

What do I need to read those security feeds you mentioned for? In the first place, I hate any kind of feed and never, ever look at feeds. Aside from that, I believe strongly that I get enough security information here, Wilders Security, Castlecops (which I and others here helped the owner build years ago) and GRC NGs.

No one will ever convince me that I should not run the security programs that I use. I am not a stupid newbie. I've been here for over six years and was reading GRC NGs before I came here. I've been a Wilders Security member for six years and the same for Castlecops. I get tired of posts like yours....so supercilious.
quote:
In Windows, install one AV, one firewall, and one anti-adware/spyware tool. Don't get silly about it.
He never said do not install the tools you use now mele, jebus, read.


StraitShoot
Who Loves Ya Baby? - Theo Kojak
Premium
join:2003-02-08
Clinton, MA

reply to Daniel
I run as admin on my desktop and even on the Vista laptop. "Paranoia will destroy ya..." and less is more... I only use the following and this is fine for me.

1. AVG Pro or Avast Home
2. Windows Firewall
3. Secured Netgear Router at Home
4. Windows Defender
5. Firefox with ONLY adblock plus and updater.

That's all...

No crazy "extras" that take more time to run them and tell you nothing anyway.
--
I'm proud to be a troublemaker! America was founded by "troublemakers"!



Cabal
Premium
join:2007-01-21
Austin, TX

reply to Daniel
Excellent post. Security is a process, not a product.

said by Mele20:

I read stuff like this with a jaded, skeptical eye. I run as admin and will never do otherwise. I CHOOSE to do so.
People drive without their seatbelts, too. Doesn't make it a good idea.
--
Interested in open source engine management for your Subaru?


ironwalker
World Renowned
Premium,MVM
join:2001-08-31
Keansburg, NJ

reply to Daniel
Only a couple replies and already validating Daniel's point ....there will be more I am sure.



Grail Knight
Who Dares Wins
Premium
join:2003-05-31
Valhalla

reply to Daniel

quote:
Learn your OS, harden your applications, take notice of where you browse and what you open, THEN add a few basic defense tools on top of that. That's layering for a home environment.
Very good info in a nutshell right there.

Security is a process, knowledge is power.

Thanks
--
"We must look for consistency. Where there is a want of it we must suspect deception." - Sherlock Holmes


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
reply to Mele20

Re: A Letter to DSLR Security Enthusiasts

said by Daniel:

* Follow the main security experts. See what they're talking about.
said by Mele20:

I read stuff like this with a jaded, skeptical eye.
Ignoring the experts explains the consistent level of clue in your posts - sheesh.

said by Mele20's signature:

grep understanding < knowledge > /dev/null


Steve — who has run XP as a limited user since SP2
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Cabal

said by Cabal:

Excellent post. Security is a process, not a product.

said by Mele20:

I read stuff like this with a jaded, skeptical eye. I run as admin and will never do otherwise. I CHOOSE to do so.
People drive without their seatbelts, too. Doesn't make it a good idea.
I've run as Admin with NO security products installed except the Proxomitron. I have run without a software or hardware firewall for several years. Gee, did I get screamed at here for doing that. I got Zone Alarm when it was in BETA many years ago long before I found this site and long before almost everyone else had even heard of a software firewall. I used it for several years and then I began to get tired of it. So, I got rid of it and did not have a router. Everyone here said I'd have horrible things happen if I didn't either get a router or another software firewall. Well, nothing bad happened. You see, I had learned well from Steve Gibson. I had my 98SE box tied down very tight using his bindings tutorial.

I've run for over a year, about two years ago, on XP Pro as Admin with only an on-demand AV and the Proxomitron. I have only had a virus/spyware two times...once when I was a newbie and there was a stealth boot virus on a new plastic-wrapped blank floppy I had just bought in a store. I had no idea there could be a virus on a new, blank floppy just bought, so I didn't scan it.

The other time was about four years ago when I got an XP machine and a router and I had to undo all the bindings on my 98SE machine to network and share files between the XP Pro host, the VMWare machines and the 98SE machine. My broadband ISP went down one day not long after I did that and I didn't have the software for RR backup dialup yet on the XP machine. I had it on the 98SE one so I fired it up and got on the internet via dialup. I was on no more than 5 minutes when Opaserv came calling. DUH. I felt so stupid. I had just completely forgotten that I had undone those bindings to NetBEUI, making that computer vulnerable when not behind the router. Luckily, I had NOD32 on it and it caught the virus. I was shook up though and I uninstalled the dialup software so I couldn't ever again forget and use dialup on that computer, as usually it doesn't have an antivirus on it. I installed the dialup software on XP and I keep Windows Firewall on at all times just in case I need to go on dialup, as I might not remember to put the Firewall on in a situation like that.

So, twice in almost nine years of having a computer I have gotten malware. So, why are all of you telling me I need to run as a limited user? I believe I know what I am doing.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA

said by Mele20:

So, twice in almost nine years of having a computer I have gotten malware.
said by Mele20, what she really means:

I still get infected even though I claim to know what I'm doing
Steve — no Windows infections, ever
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site


dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA

said by Steve:

said by Mele20:

So, twice in almost nine years of having a computer I have gotten malware.
said by Mele20, what she really means:

I still get infected even though I claim to know what I'm doing
Steve — no Windows infections, ever
neither have I Steve

FULL ON Administrator. Always!
I run Avast and Windows Firewall on my machines behind a D-Link router.
Not one infection - ever!
The weekly scans I do, I do for entertainment and all that is ever found is "bad" cookies. Meh!

Never professed to be a Security Guru or God.
Don't consider myself one either.
Yet here we are and I don't get hit. Go figure.

Never cower from attachments, I click links, I go to all kinds of porn sites - nada.

So far, *I* am more of a threat to these machines than anything out there.
*TO ME* these things are just complex toys.
--
Think outside the Fox... Opera


The Rabbit

@embarqhsd.net

reply to Steve
I saw under your avatar that you are a consultant; what do you consult about?



KrK
Heavy Artillery For The Little Guy
Premium
join:2000-01-17
Tulsa, OK

reply to Mele20
Have to admit, at first I found ProcessGuard annoying... but now it hardly ever bothers me, and I find when it does pop up that it's useful information. I really like ProcessGuard, and consider it a strong layer of defense.



Daniel
Premium,MVM
join:2000-06-26
San Francisco, CA

reply to Mele20

said by Mele20:

What do I need to read those security feeds you mentioned for? In the first place, I hate any kind of feed and never, ever look at feeds. Aside from that, I believe strongly that I get enough security information here, Wilders Security, Castlecops (which I and others here helped the owner build years ago) and GRC NGs.
This is my point, Mele20, you've already decided that you get enough information; you've limited yourself to a very small view of security. The sites you mentioned focus on a very small percentage of the total information security discipline.

The theme of my post was open exploration of infosec on a larger scale, and that's what I recommend you do. If you don't like feeds then just go to the websites I mentioned and read the content the conventional way. However you get the content -- just get it. If you spend some time on these types of sites you'll soon realize that you've been dealing with the proverbial tip of the iceberg when it comes to infosec.

Cheers,

-Daniel
--
dmiessler.com -- grep understanding knowledge


EGeezer
Summertime
Premium
join:2002-08-04
Midwest

reply to Daniel
In reading your nicely written article and the responses, I see there are two different levels of security enthusiasts we're dealing with.

One level is the home PC/small network owner who installs, patches and does technical upkeep on their own system or that of friends or neighbors. They deal with the practical everyday level of security, and tools are what they know best since those are the most visible components of their security implementations.

Another level is the IT/IS/IMS professional who deals with business and enterprise level issues that involve not only hardware, OS and utility installation and maintenance, but in the design, testing, management and architectural and conceptual framework of information and business systems. People at this level put their reputations and careers on the line whenever they make recommendations to clients or others with substantial investment, exposure and liability. As such, they need to have a broader view than the essential nuts and bolts technical folks who keep things running on a daily basis.

Folks in the technical level don't have to deal with or may not be familiar with the larger issues faced by those in the architectural and business risk management level, so are more likely to disagree with or misinterpret your recommendations.

I doubt if you'll see any substantial difference of opinion from those security enthusiasts or security and compliance consultants who work at the enterprise or IMS level.

Interpreting "least privilege" as "running as limited user" rather than as an architecture or practice of limiting access or function to what program, users or systems are needed to meet operational requirements is IMO based on an erroneous interpretation of a common architectural principle. Some at the technical level may also interpret your exhortation to move beyond tools to the broader picture that includes database and application design as a call to eliminate the use of utilities and applications. In reading, I saw no indication that you advocate removal or replacement of any specific utility or the elimination of tools as a part of a security implementation.

So, bottom line - I think your article is thought provoking, well written, respectfully composed and deserving of more than accusations of arrogance or contempt on your part.

Thanks,

EG
--
BBR's Shooting for a Cause!



EGeezer
Summertime
Premium
join:2002-08-04
Midwest

reply to The Rabbit

said by The Rabbit :

I saw under your Avatar you are a consultant, what do consult about?
See »www.unixwiz.net/
--
BBR's Shooting for a Cause!
© 1999-2012 dslreports.com.