daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

1 recommendation

Think layers of security is all that? Think again

"Of 1,800 serious malware NSS Labs tested, some always managed to get through -- no matter what combination of protection was used":

»www.csoonline.com/article/730731···13-03-26

Depressing.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2


3 recommendations

Well I think the problem with that article is that they missed/ignored the most important factor--the humans.

The assumption is that hardware/software, by itself, is sufficient to stop all exploits. It's not and never will be.

If users click on unsolicited links in email, visit unsafe sites, and so on the chances are malware will get through. That's why "social engineering" techniques are used so often--they work because people do stuff even when they know they shouldn't.
--
Don't feed trolls--it only makes them grow!


slajoh01

join:2005-04-23

Well, here's my rule of thumb...

I think one should set up two PCs, one with sensitive data on it which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

2 recommendations

reply to daveinpoway

I consider the human as the most important security layer for any system. A user's customary practice sets a number of important and even "absolute" barriers to entire classes of infectors. Granted, just like with anti-malware programs, there are differences in humans and their security practices... some succeed better than others against the universe of malware. For example, if I were never to install and use Flash, all Flash exploits would be excluded from the cloud of malware that could potentially infect my system. Likewise, if I perpetually disabled JavaScript in my browsing, all JavaScript-related infectors would be excluded. On the other hand, if I disabled JavaScript for many sites, but not all, then I would be slightly opening the door to potential JavaScript-related infectors.

I am convinced that the human user remains the first line of defence against malware... where he goes, what he does or opens, how he does it, settings he enables/disables, all kinds of choices he makes - all play extremely strong roles in keeping (or not keeping) a system free of malware. All of which makes the knowledgeable human user a very powerful component of layered security. But the article, as does much of the discussion of this subject, ignores humans as such a major, perhaps the strongest, layer.

At the end of the day, there will always be theoretical exploits that could penetrate any system and set of user practices. But the concept of layered security reduces the statistical system infection possibilities by compounding the low individual possibilities of infection passing through each layer (including human) to create an extremely low aggregate possibility.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville
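The compounding Blackbird describes, written out as an added illustration that is not part of the thread: let $p_i$ be the probability that a single infection attempt gets past layer $i$ on its own (the human user counted as one layer), and let $P_n$ be the probability it gets past all $n$ layers.

$$P_n = \prod_{i=1}^{n} p_i, \qquad P_n - P_{n+1} = P_n \,(1 - p_{n+1})$$

Each added layer removes only a fraction of an already small residual, so the absolute benefit of every further layer shrinks. The product form assumes the layers fail independently; when one event defeats several layers at once (a user who opens the attachment and also approves the prompt), the true probability is larger than the product.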



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

I think many, even those in security fields, simply fail to ask simple questions.

The purpose of malware, any malware, is for one human (or group) to gain what another has be that data, money, access etc.

Thus the first two questions should be: What? and Why? Once those have been identified you then ask "How?"

The answers to those questions are often different for different individuals and organizations.

PS: Imagine I set up some network with PCs, firewalls, A/V and so on but no-one (i.e. no people) uses it. Who would bother to hack into that system? What purpose would it serve to do so?
--
Don't feed trolls--it only makes them grow!



Woody79_00
I run Linux am I still a PC?
Premium
join:2004-07-08
united state

1 recommendation

reply to Blackbird

Very good points Blackbird! The human behind the controls is the number one determining factor.

Just some food for thought, but I think "The Law of Diminishing Marginal Returns" is something that is overlooked by the layered security approach and its advocates.

I think it's plausible that at some point we need to ask ourselves, "at what point does adding additional security layers actually begin to generate negative returns?"

As with all things, CPU cycles, power, etc. are not free. So I do think how many and which layers a person uses should be taken into consideration along with the complexity each layer adds to the system. Exploits in security products, such as the ones in the past with Trend, McAfee, Symantec, and others with their AV engines, should also be considered.

I personally have moved to the following security model:

1. Whitelisting via Software Restriction Policies --- Administrator approval (a password only I know) is required to run any executable outside of the Windows or Program Files directories that I haven't explicitly whitelisted...simply put, they won't run. It has virtually no overhead, takes about 20 minutes to set up, is easy to learn, and stops most potential problems.

2. EMET --- I use the Enhanced Mitigation Experience Toolkit to force all my programs to run under DEP, ASLR, SEHOP, and other such program hardening rules. Requires no real overhead, it's not too hard to set up, and just works.

3. I run 1 real-time security product...in this case Vipre because it was cheap. It works, has a built-in firewall, does its job, which is not really much considering I practice safe hex and nothing seems to get past 1 or 2....especially since all non-whitelisted executables require admin approval with a password to even execute.

4. I scan with Malwarebytes once a week. It never finds anything.

I feel in terms of The Law of Diminishing Marginal Returns...this is the best setup for "me". Adding any other layers would not yield enough of a security benefit for the cost in time and hardware to be worth it, which would make the returns on the investment dwindle down too far towards the negative side of the scale for my liking...not enough benefit for resources expended, both human and hardware.

Again everyone's needs and system requirements are different. I doubt anyone is going to have the same set up if they think out and design their own plan.

I do think it is prudent to protect yourself in the best and most efficient manner possible. That is going to be different for everyone of course. However, I also believe with layers it can be overdone and using too much results in too little.

I think this type of efficiency is a conversation worth having among professionals like all of us fine folks who frequent these forums. I also think whitelisting is something more home users should learn and take advantage of.
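An added example, not from the thread or from Woody79_00: a read-only PowerShell audit of the local Software Restriction Policies (SRP) settings behind the default-deny whitelist described in point 1, reporting the default level, whether local administrators are exempt (the "admin password" escape hatch), whether DLLs are covered, and which path rules exist. It assumes the standard SRP registry layout under HKLM and that it is run in an elevated PowerShell on the machine being checked.

```powershell
# Added example (not from the thread): audit the local SRP whitelist configuration.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Warning 'No Software Restriction Policy is defined on this machine.'
    return
}
$ci = Get-ItemProperty -Path $base

# DefaultLevel: 0 = Disallowed (default-deny), 0x20000 = Basic User,
# 0x40000 = Unrestricted (default-allow; the whitelist is then not a whitelist).
$level = switch ($ci.DefaultLevel) {
    0       { 'Disallowed (default-deny)' }
    0x20000 { 'Basic User' }
    0x40000 { 'Unrestricted (default-allow, nothing is blocked)' }
    default { "Unknown ($($ci.DefaultLevel))" }
}
# PolicyScope 1 = all users except local administrators. This is what lets an
# admin-approved (password-prompted) launch bypass the policy.
$scope = if ($ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }
# TransparentEnabled 2 = executables and DLLs are checked; 1 = executables only.
$dlls = if ($ci.TransparentEnabled -eq 2) { 'yes' } else { 'no (DLLs are not checked)' }

"Default level : $level"
"Applies to    : $scope"
"DLLs enforced : $dlls"
""
"Path rules (Unrestricted entries are the whitelist; Disallowed entries carve"
"out exceptions such as user-writable folders inside an allowed directory):"

# Rules are stored under <level>\Paths\<GUID>; ItemData holds the path pattern,
# which may contain registry-backed variables such as %...\SystemRoot%.
$ruleLevels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
foreach ($lv in $ruleLevels.Keys) {
    $paths = Join-Path $base "$lv\Paths"
    if (-not (Test-Path $paths)) { continue }
    Get-ChildItem -Path $paths | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        '{0,-12} {1}' -f $ruleLevels[$lv], $rule.ItemData
    }
}
```

A default level other than Disallowed, or a scope of "all users" on a machine where you rely on the admin prompt, means the setup does not behave the way the post describes.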



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to slajoh01

said by slajoh01:

Well, here's my rule of thumb...

I think one should set up two PCs, one with sensitive data on it which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.

Good idea, provided everyone has 2 PCs.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by jaykaykay:

Good idea, provided everyone has 2 PCs.

I have three plus a tablet and a Windows Mobile device. Now I'm confused as to what to use
--
Don't feed trolls--it only makes them grow!


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to daveinpoway

The thread title reminded me of this recent thread
»how to ensure PDF file viewing does not "call home"....
where firewall rules were often mentioned as a cure/fix.

Firewall rules will often prevent a call home function but it's not guaranteed.
It's just a layer.
The only way to guarantee that won't happen is to physically disconnect from the net.
Disconnecting doesn't necessarily mean a call home won't occur on reconnection but it can & should be considered as a legit security layer.


OZO
Premium
join:2003-01-17
kudos:2
reply to StuartMW

said by StuartMW:

Well I think the problem with that article is that they missed/ignored the most important factor--the humans.

The assumption is that hardware/software, by itself, is sufficient to stop all exploits. It's not and never will be.

If users click on unsolicited links in email, visit unsafe sites, and so on the chances are malware will get through. That's why "social engineering" techniques are used so often--they work because people do stuff even when they know they shouldn't.

I agree. Humans are the most important part of security. Computers are made to obey them, at the end... Thus, education, how to run them safely, is the key.
--
Keep it simple, it'll become complex by itself...

Rojo

join:2009-04-14
New York, NY
kudos:1
reply to Snowy

said by Snowy:

The only way to guarantee that won't happen is to physically disconnect from the net.
Disconnecting doesn't necessarily mean a call home won't occur on reconnection but it can & should be considered as a legit security layer.

Definitely.
The cable modem to my iMac sits within arm's reach. Whenever I am installing or using a new or unfamiliar program, or am going to be in read-only mode for a while, I simply disconnect the ethernet wire. Been doing this for years.

graniterock

join:2003-03-14
London, ON

1 recommendation

reply to slajoh01

said by slajoh01:

Well, here's my rule of thumb...

I think one should set up two PCs, one with sensitive data on it which would NOT connect to the outside world except within a corporate network. In addition, I would not allow ANY kind of USB sticks or DVDs on that PC, and I would disable USBStore. And use full HDD encryption.

One PC, for general use.

It would reduce risk but even that wouldn't be foolproof. You'd have to apply those rules to all the computers on the network. It all boils down to the level of motivation and resources of those that want to get in. (Think of Stuxnet.)

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
reply to OZO

said by OZO:

Humans are the most important part of security. Computers are made to obey them, at the end... Thus, education, how to run them safely, is the key.

^^ This ^^
It is all about education, understanding the risks, and understanding how to mitigate those risks. Basic secure computing steps are at least 80%.
said by Snowy:

The thread title reminded me of this recent thread 'how to ensure PDF file viewing does not "call home"' where firewall rules were often mentioned as a cure/fix.

Firewall rules will often prevent a call home function but it's not guaranteed.
It's just a layer.

Exactly. It all depends upon the level of concern or paranoia and the risks involved.

That thread is not a particularly good example since it involved preventing a PDF reader from reporting usage statistics. The effort to ensure that detail gets sent, independent of reader and regardless of protective measures, is not worth the benefit of the data obtained. Basic firewall or sandbox methods are likely to be very effective in this case.

For those extremely paranoid or concerned a dedicated PC that never has any network connectivity is a given. For those trusting in the technology a simple VM may suffice but for the truly untrusting a dedicated standalone physical PC would be in order already and such a question would not even be asked.

The old adage that the most secure computer is one that can never be used continues to apply. If you treat every risk as the utmost highest priority you will (a) worry yourself to death and (b) spend a significant amount of time avoiding threats that don't realistically exist.

Using the referenced thread as an example: Even if I were still the most paranoid person such that I was overly concerned that a PDF I downloaded from the internet would "call home" to report every time I read it, that would not change the fact that my download of said PDF was already recorded and likely tracked. The time I would spend to copy that PDF to a portable device and then to a standalone PC would be potentially wasted effort.

Now, if this involved confidential document/information, or any type of PII (Personally Identifiable Information) the risk would be higher and said measures may be appropriate. The OP in that thread did not make this distinction so this is unknown.

Proper education on secure practices, understanding the risks involved, and taking appropriate action based on those risks is indeed the key. I know many people that refuse to do any commerce (even amazon) or banking online yet do not own a paper shredder and think nothing of throwing bills, statements, etc in the garbage intact. I have not disposed of one sheet of paper that had a name, address, or any other PII without shredding in almost two decades and have been regularly questioned about why. Education is truly the key.

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4

said by Shady Bimmer:

For those extremely paranoid or concerned a dedicated PC that never has any network connectivity is a given.

You forgot the 'Tempest' room that the computer is located in.

slajoh01

join:2005-04-23

One of the security layers to keep in mind are monitoring and keeping audits inside your networks.

My biggest concern is the users inside a network and not some hacker outside the network. The odds are much lower that someone outside of a network hacks in to your data. The real danger is the insider threats, and yes, I mean the users themselves sitting behind the machine.

One of the things we can do is a "scare tactic": we gotta let them know we're monitoring and keeping an eye on whatever they do on a network. Hopefully that will send a clear message.



dslcreature
Premium
join:2010-07-10
Seattle, WA
reply to daveinpoway

I've always been a heretic in thinking virus/malware/spyware scanners, IDS..etc are themselves dangerous.

These things can only detect what they are looking for. If it gets to the point where these systems are in a position to do any good you've already completely lost/failed. Unseen viruses or a targeted attack payload is guaranteed not to have its signature detected by any of these systems.

The mere existence of these things creates two serious problems:

1. They make people complacent .. hey we have a virus scanner so I don't have to worry about running this attachment or this thing I downloaded from screen savers r'us.

2. These additional "security" layers themselves are hardly invincible. They are subject to attack and operator stupidity just like the rest of your infrastructure with about the same consequences if successful.

The fact that virus scanners are in practice useful scares me more than free wifi at defcon.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by dslcreature:

1. They make people complacent .. hey we have a virus scanner so I don't have to worry about running this attachment or this thing I downloaded from screen savers r'us.

+1

When we have "my A/V is better than your A/V" threads this comes up a lot.

"ABC A/V didn't detect XYZ malware and I got infected so it's junk. Reports show that DEF A/V detects 99.99999999% so it's better".

The argument I love is that "DEF A/V detects more zero-days than yours".

Um, zero-days are by definition unknown and new. A/V programs use heuristics to try and catch zero-days but that's not foolproof and never will be.
--
Don't feed trolls--it only makes them grow!