Security and the Politics of Fear
A no-nonsense top 10 list for IT security.
'Tis the season to be ... fearful? Nah, that can't be right. That is, unless you listen to all the pronouncements of doom and gloom from the countless security trend reports that come out this time of year.
Security vendors love to remind the naïve masses of their insecurity, which is not necessarily a bad thing since more people shop online this time of year. The bad part is that often the pronouncements of insecurity, in my opinion, exist largely to help drive the vendors' own businesses. Yet, there are still some very real security risks out there that IT users need to be aware of.
What to do, what to do?
(1) Windows 98
You may not be running it but your child's school and neighbor might be.
There are no real hard numbers on how many Windows 98 PCs are actually still running, but there is no question that they are still out there. Microsoft no longer provides regular support for Windows 98 and, as such, it's an OS that represents great security risks. Often when I encounter a location that still has Windows 98 running, it's running on an old PC that still works for e-mail and basic word processing.
The owner of the old PC will say something like, "it works, so why should I fix it?" To complicate matters even more, an old PC cannot be upgraded easily (if at all) to the latest Windows XP SP2, and definitely not to Vista.
There is always Linux though, which will run on just about any old piece of hardware you can find. Users could then be set up with a proper update program to ensure they've got the latest security patches. Bottom line on this is: If you're aware of Windows 98 PCs, get them shelved or changed to something more secure.
(2) Desktop Firewalls
Microsoft Windows XP SP2 has a built in firewall which is woefully inadequate to protect against modern threat vectors. Many anti-virus (AV) vendors (including Microsoft's own Windows Live OneCare) will replace the default Windows firewall with a more secure firewall.
It's still not enough.
One of the first things that many pieces of malware attempt to do is disable the AV and firewall software running in Windows. Additionally, if the PC in question is being targeted by some form of denial of service attack, the attacker essentially wins every time because the firewall is on the PC itself: the firewall spins more and more cycles to combat the attack, which turns your own firewall against you.
The answer is to supplement the desktop firewall with a true enterprise-grade firewall at the network gateway. A stateful packet inspection (SPI) based firewall that can also do basic intrusion prevention should really be mandatory for all. Otherwise, firewall security is, in my opinion, woefully incomplete.
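To make the gateway argument concrete, here is an added example (not code from the article or from any firewall vendor) of the core rule a stateful packet filter enforces: inbound packets are accepted only when they belong to a connection an inside host opened, and a source that keeps sending unsolicited packets is blocked outright, which is the "basic intrusion prevention" piece. The packet records, the LAN prefix and the block threshold are all constructed assumptions.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumption: the protected LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple view of a packet; constructed for this example."""
    src: str
    sport: int
    dst: str
    dport: int


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class StatefulFilter:
    """Gateway filter: track flows opened from inside, drop everything else."""

    def __init__(self, block_after: int = 3):
        self.flows = set()        # (inside_ip, inside_port, outside_ip, outside_port)
        self.unsolicited = {}     # outside_ip -> count of unsolicited inbound packets
        self.blocked = set()      # outside_ip values that exceeded the threshold
        self.block_after = block_after  # assumption: 3 unsolicited packets triggers a block

    def decide(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "DROP-BLOCKED"
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            # Inside host initiates: remember the flow so the reply can come back.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if is_inside(pkt.dst) and not is_inside(pkt.src):
            # Inbound: only the reverse direction of a tracked flow is allowed.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ACCEPT"
            count = self.unsolicited.get(pkt.src, 0) + 1
            self.unsolicited[pkt.src] = count
            if count >= self.block_after:
                self.blocked.add(pkt.src)
                return "DROP-BLOCKED"
            return "DROP"
        # Inside-to-inside or outside-to-outside traffic should never cross the gateway.
        return "DROP"


# Constructed traffic: one legitimate HTTPS exchange, then an outside host
# poking at several inside ports without any flow having been opened.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 443),
    Packet("93.184.216.34", 443, "10.0.0.5", 40000),
    Packet("198.51.100.7", 5555, "10.0.0.5", 445),
    Packet("198.51.100.7", 5556, "10.0.0.5", 139),
    Packet("198.51.100.7", 5557, "10.0.0.5", 135),
    Packet("198.51.100.7", 5558, "10.0.0.5", 80),
]


def run_demo(packets=SAMPLE_TRAFFIC):
    """Return the gateway's decision for each packet, in order."""
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run_demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

Because this decision is taken at the gateway, the unsolicited packets are discarded before they ever reach the PC, so the endpoint spends no cycles on them; that is the difference the article is drawing between a desktop firewall and a gateway one.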
(3) Firewall/Security Software Subscriptions
The other issue is security software that is out of date because the user hasn't renewed a subscription. Most hardware firewall vendors update their software regularly, yet in my experience I've seen many users who simply bought the gateway, plugged it into the network and never bothered to renew the subscription after the first year.
The problem is that in many cases the firewall and other security software will continue to run even though it may well be out of date.
Firewalls and security software without updated subscriptions are almost worse than not having them at all, since they may provide users with a false sense of security.
(4) No Auto-Update
Directly related to item #3 are users who don't have auto-update enabled for their software. Nearly all software is buggy and nearly all vendors patch their software. So long as your subscription is valid, you need to have auto-update enabled; otherwise you're missing the point.
Once a vendor has made an update available, the details of the vulnerability typically become known, which makes every unpatched user a target for a vulnerability that has already been fixed but that the users themselves have yet to patch.
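Items #3 and #4 describe the same failure from two sides: the box is still running, but its subscription has lapsed or its updates have stopped. The audit below is an added example (not from the article or any vendor product) of the inventory check a small IT shop could run to surface exactly those devices. The inventory, the dates and the 30-day staleness threshold are constructed assumptions; the "today" value is the article's own date.

```python
from datetime import date

STALE_DAYS = 30  # assumption: definitions older than this count as stale


def audit_device(dev: dict, today: date) -> list:
    """Return finding codes for one device; an empty list means it looks healthy."""
    findings = []
    if dev["subscription_expires"] < today:
        # The device keeps running, but it no longer receives new signatures/patches.
        findings.append("EXPIRED")
    if (today - dev["definitions_updated"]).days > STALE_DAYS:
        findings.append("STALE")
    if not dev["auto_update"]:
        findings.append("NO_AUTO_UPDATE")
    return findings


def audit(inventory: list, today: date) -> dict:
    """Map device name -> list of findings for the whole inventory."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


# Constructed inventory: one healthy gateway, one whose subscription lapsed
# a year ago, and one desktop with auto-update switched off.
INVENTORY = [
    {"name": "gw-office", "subscription_expires": date(2008, 6, 30),
     "definitions_updated": date(2007, 12, 15), "auto_update": True},
    {"name": "gw-warehouse", "subscription_expires": date(2006, 11, 1),
     "definitions_updated": date(2006, 10, 28), "auto_update": True},
    {"name": "pc-reception", "subscription_expires": date(2008, 3, 1),
     "definitions_updated": date(2007, 9, 1), "auto_update": False},
]
TODAY = date(2007, 12, 17)


def run_demo():
    return audit(INVENTORY, TODAY)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name:14s} {', '.join(findings) or 'OK'}")
```

The warehouse gateway is the case the article warns about: it reports nothing wrong on its own console, yet it has not seen a signature update in over a year. Adding a line like this to a monthly checklist is cheap compared with discovering it after an incident.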
(5) Empty Your Cookie Cache -- Beware the "cookie monster"
Your cache is a veritable treasure trove of personal information: it saves recently viewed items, including cookies, for faster retrieval. Some things should not be retrieved, though; credit card numbers are one such example.
There are myriad attack vectors that could compromise your cache and let your cookies fall into the hands of a real cookie monster (not the cuddly Sesame Street kind).
The best course of action is to empty your cache immediately after completing a transaction in which you entered personal information. If the information is not there, it can't be stolen.
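Clearing the cache is the user's side of this; the site's side is to never let the browser store the sensitive page or a long-lived cookie in the first place. The audit below is an added example (not from the article) that parses a constructed HTTP response and flags a checkout page that is cacheable and a session cookie that is persistent or missing the Secure and HttpOnly attributes, with the weak response beside its hardened form. The paths treated as sensitive and both response blocks are assumptions made up for the example.

```python
SENSITIVE_PREFIXES = ("/checkout", "/account")  # assumption: pages that carry personal data


def parse_headers(raw: str):
    """Split a raw HTTP response header block into (status line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # only the first colon separates name and value
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(path: str, raw: str) -> list:
    """Return finding codes for one response; empty means nothing to fix."""
    _, headers = parse_headers(raw)
    findings = []
    cache_values = [v.lower() for n, v in headers if n == "cache-control"]
    if path.startswith(SENSITIVE_PREFIXES) and not any("no-store" in v for v in cache_values):
        # Without no-store the browser may keep a copy of the page on disk.
        findings.append("CACHEABLE")
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = [a.strip().lower() for a in value.split(";")]
        cookie = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"COOKIE_NOT_SECURE:{cookie}")
        if "httponly" not in attrs:
            findings.append(f"COOKIE_NOT_HTTPONLY:{cookie}")
        if any(a.startswith(("expires=", "max-age=")) for a in attrs):
            # A session cookie with an expiry survives the browser being closed.
            findings.append(f"COOKIE_PERSISTENT:{cookie}")
    return findings


# Constructed responses for the same checkout page: weak settings, then corrected ones.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: public, max-age=86400
Set-Cookie: sessionid=abc123; Path=/; Expires=Wed, 17 Dec 2008 00:00:00 GMT
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store
Pragma: no-cache
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"""


def run_demo():
    return (audit_response("/checkout/pay", WEAK_RESPONSE),
            audit_response("/checkout/pay", HARDENED_RESPONSE))


if __name__ == "__main__":
    weak, hardened = run_demo()
    print("weak:    ", weak)
    print("hardened:", hardened or "no findings")
```

The hardened response makes the article's advice redundant for that page: with `no-store` the browser has nothing to empty, and a Secure, HttpOnly session cookie without an expiry disappears when the browser closes.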
(6) XSS and CSRF
Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) are the real bogeymen of modern IT. The reason is that there is precious little an end user can do about them, or so some security vendors would have you believe.
XSS and CSRF attacks occur on the application side of things, not on the user's desktop. A user's credentials are essentially taken from the user and used in a different context for fraudulent purposes.
So how can a user protect themselves against something that isn't at their end?
Well, go back to item #5 on this list and empty your cache; again, if the info isn't there, it can't be stolen. Additionally, don't have multiple tabs open for sites that you have to log into. The most common attack vector for XSS and CSRF is to take info from one tab and steal it for another. Lastly, while XSS and CSRF can exist on any site, not every site will attempt to steal information from you. Just be smart and don't go clicking on suspicious links looking for free copies of paid software.
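Since the article places these attacks on the application side, the fix also lives there, and it is worth seeing what that fix looks like. The following is an added example (not code from the article) of the two standard application controls: a per-session synchronizer token that a state-changing request must echo back, which a request submitted from another site cannot supply, and HTML-escaping of user-supplied text before it is rendered, so a comment cannot become script. The session dictionary, the form handler and the field names are constructed assumptions standing in for a real framework.

```python
import hmac
import secrets
from html import escape


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the per-session token and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session: dict) -> str:
    """Money-transfer form that embeds the session's token as a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input name="amount"></form>'
    )


def handle_transfer(session: dict, form: dict) -> str:
    """Accept the POST only if the submitted token matches the session's token."""
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "REJECTED"
    return f"OK:{form['amount']}"


def render_comment(text: str) -> str:
    """Escape user text so <, >, & and quotes are shown literally, never interpreted."""
    return f"<p>{escape(text, quote=True)}</p>"


def run_demo():
    """Constructed session: a legitimate submission, then one lacking the token."""
    session = {"user": "alice"}
    render_form(session)                      # the real page load stores the token
    legit = {"csrf_token": session["csrf_token"], "amount": "10"}
    other_site = {"amount": "1000"}           # a form posted from elsewhere has no token
    return handle_transfer(session, legit), handle_transfer(session, other_site)


if __name__ == "__main__":
    print(run_demo())
    print(render_comment('<script>alert(1)</script>'))
```

The token check is what actually neutralises CSRF, whether or not the user has several tabs open, and output escaping is what stops a stored XSS payload from running; neither depends on the user emptying a cache.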
December 17, 2007