Tag Archives: malware

Security policy do's and don'ts

When it comes to end user security policies, there are several paths to take. One that I do not particularly like is the kind of policy that simply states that the user has to know every policy and know how to act in every situation, and if you make a mistake, we are gonna punish you for it. To me, that is not a well-written policy, it is a document that was published to make sure senior management can say they are not responsible if anything goes wrong. This is wrong from two perspectives. It does not do the user any good, and if something bad does happen that damages the company, senior management are still responsible.

As an example, having a policy that clearly states that you as a user are not allowed to click on a malicious link defies every bit of logic. How is the user supposed to know beforehand that a particular link is malicious? After the fact they may realise it, but beforehand? Not a chance. First, what is a malicious link? The link in itself could point anywhere, even to a legitimate website that may have been compromised earlier. The URL string or name is not a good hint for spotting a malicious link. So, how is the user supposed to follow the policy? The user is not able to, which effectively means that the policy statement is pretty much useless.

Every user can be tricked into clicking a malicious link. Most of us receive a lot of emails which include links to material online. Do you really check every link you click to read that PDF report or whatever it may be? Probably not, you are probably putting your trust into your company spam filter and anti-virus software that are supposed to keep those malicious emails away from you. You probably trust those technologies a lot more than you realise. Ever since we got short links in our emails, such as bit.ly/abcde, it became even harder to manually inspect links in emails and other forms of content. URL rewrites and redirects are common, so it is virtually impossible to predict where you are going to end up once you click on a link in an email, unless it is an internal email. But even internal resources could be compromised, so just because the URL points to an internal resource, it is not an automatic all clear.

To me, a good end user security policy reminds users of certain rules that need to be adhered to and how they can act to try to remain as safe as possible. There are always gonna be certain rules an employee needs to follow, but it must be possible and also simple to do so, otherwise the policy will not be effective.

As an example, sharing internal documents with people outside of your company or organisation is usually not permitted. But in order for a user to follow that rule, there are a number of things that need to be in place. First and foremost, a document must be clearly labeled in a way that the user understands. Second, there must be a simple process with a corresponding IT support system to allow users to tag or label documents. Also, there must be a very clear and simple statement on how to tag or label a document to a particular security level. If any of these are missing or unclearly defined, the policy again will fail. If a user can't follow the steps without too much effort, they will not. It is human nature, we are lazy creatures. It is one of the most common mistakes I have personally witnessed throughout my career, having a policy that is virtually impossible to adhere to because the supporting processes and tools are not available.

One of the most important things about any security policy is that it must contain contact information in case users need clarification of the policy content. Interpretation of a policy can result in a very different outcome depending on user perspective, so if possible, keep the language as simple as possible. Avoid too many technical terms as they may confuse users into doing things the wrong way. Also, policy violations can of course not be tolerated, but the threat of punishment is not a good way of getting users compliant. Rewarding feedback on your security policy allows you as a security officer to enhance it and makes sure that end users tend to accept the policy not because they must, but because it aligns with their sense of what security measures are adequate. Trying to force cooperation almost never ends well, and in the end, you want users to adhere to the policy guidelines, not try to circumvent them because they feel they are getting in the way of how they want to work or accomplish things in their day to day activities.

In order to achieve that goal, you have to have a dialogue with your users, and understand the business model of your company or organisation. If your policy goes against the business model or business needs, it will not be accepted and then it will not benefit anyone. This is perhaps one of the toughest challenges for many security officers, aligning security requirements with the company business model and needs. That's why it is very important to have senior management onboard when it comes to security strategies so that they align with the business model. Being a CSO without direct access to senior management can be quite a pain when trying to gain acceptance for security policies.

As for advising your users on good security practices, again, it must be easy for them to follow. It should be the obvious way of behaving. Good security practices that are widely accepted by users tend to be transparent. The security is there, but users do not really see it as a security measure. Again, the software used by your company can make or break you as a security officer when it comes to acceptance. Most companies do not condone the use of Dropbox and similar services and often inform users that it is not allowed. What most companies tend to miss is the obvious question of why users are turning to Dropbox instead of using your internal document management process and IT system. User friendliness is a key component in gaining acceptance from users, and in order to get good security you have to get acceptance from your users. Do not punish them for turning to a user friendly alternative if the internal tool is difficult or cumbersome to use. Rather, try to influence IT in the right direction so your job as a security officer becomes easier. If you have to constantly remind users that they are violating the security policy, there is obviously something wrong with it.

In my opinion, most users want to do the right thing and stay secure, you as the security officer just have to make sure that they can do so in a way that is acceptable to them. So, good luck in writing your security policy. Your users will, if you let them, let you know if they feel you succeeded or not.

Network Protection in Depth

Every company has some sort of network protection, whether it is as simple as a router ACL or as advanced as the most capable NGFW or UTM device on the market. The question is what a company really needs to stay ahead of the game today, and that is what I am going to discuss a bit in this post.

Network security needs one thing to be truly effective, and that is that the traffic must somehow pass through it. The only exception is an IDS running in monitor mode, which simply sniffs network traffic and does not require it to pass through the device. There are other monitoring systems that provide additional insight into what is happening on the network as well, and most of these also rely on passive monitoring.

For Packet Filters, Next Generation Firewalls (NGFW), IPS (Intrusion Prevention System) and UTM (Unified Threat Management), these types of devices require the traffic to pass through them to be of any value. NGFW and UTM are often compared and they do share capabilities, but the NGFW as I see it is merely an extension of the packet filtering ability of a traditional firewall, adding things like application control (an HTTP proxy as an example) and IPS functionality. UTM on the other hand tries to do everything the NGFW does, but also adds URL filtering, spam blockers, antivirus and other features. Quite simply, the UTM promises to be all the security you need in a single box. Whether this is true or not all depends on your company's requirements.

Personally I do not believe that UTM or NGFW solves every security problem in your company, but it can certainly boost your security posture if implemented correctly, or put you at serious risk if implemented incorrectly.

First and foremost, you have to know your network to implement a network security solution correctly. If you do not know your network, make sure you learn and understand it before you do anything else. Once you have the full network picture in front of you, you can start looking into all these amazing appliances on the market and see what appliance goes where in your network topology. You also need to decide on which features a network security appliance should have: what matters most to you? What are your security requirements, what do you really want to protect and from what? Simply buying a NGFW or a UTM and slamming it into your network with the default settings is not gonna help you very much.

You must also understand one thing: even with the most advanced NGFW or UTM on the market today, none of them protects you 100%. This is not a statement I made up, this is a documented fact. NSS Labs, which tests these types of devices very thoroughly, did its last test of NGFWs in 2014 and rated no device as being able to block 100% of all types of attacks. This is something you need to be aware of so you do not solely rely on a NGFW or UTM to handle all security threats. The SVM (Security Value Map) from NSS Labs below shows this; it covers NGFW devices and not UTM devices. The graphic below belongs to NSS Labs and is available free of charge. The full report however is not free.


As you can see, no device is 100% effective. If you are wondering why Palo Alto Networks rated so low, you can read the full story in the NSS Labs blog post.

Therefore, these types of devices may add to your company security, but as I mentioned earlier, only if implemented correctly, and, also extremely important, used and managed correctly. If you are to invest large sums of money into these devices, do make sure that your firewall administrators know how to manage them and utilise their full potential. There are a lot of stories about improperly configured firewalls floating around, do not become one of those. As these devices gain more and more capabilities, training must keep up. These are not simple packet filters anymore, looking only at SRC, DST, port and protocol, nope, they can do a lot more. If you have one of these devices and still treat it like an old packet filter firewall, then you are missing something.

So, now you know you have to know your network topology very well, know what security requirements you have, know what capabilities and limitations these devices have, and also invest in proper training of your firewall administrators. Is that all then? No, not even by a long shot.

NGFW and UTM devices are simply nothing more than one more tool in your security toolbox and they address one specific thing: traffic crossing from one network into another. Unless you route all your traffic through them, these devices do not protect you at all from attacks within the same network segment. If they can't see the traffic, they can't do anything. This is a very common problem with many companies, they have a very hard perimeter but very soft networks on the inside. It is like an egg, a hard shell, but once that is cracked, everything is accessible.

This is where additional network security resources come into play. If you are running a mixed IT environment, you probably have a selection of network security features available on your hosts, and I would like to focus a bit on two of them: the built-in firewall of Linux, which is iptables, and the Windows operating system host firewall. Both of these firewalls can actually do quite a lot and they should be used to further harden your network security posture.

iptables is getting additional support for more advanced features such as security zones with the firewalld project from Fedora, which is now also part of RHEL version 7. iptables is stateful, which means it keeps track of connections, so it can distinguish between new and existing connections and which side initiated the communication. By using iptables to lock down the network presence of your Linux hosts you add to the overall network security posture. There is also an implementation of IPSEC available for Linux, the FreeS/WAN Project. By combining iptables and IPSEC, you can make it a lot harder for an attacker to gain an effective foothold in your company network.
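To show what the stateful lock-down of a single Linux host described above looks like in practice, here is an added example script that is not part of the original post. It uses the conntrack match so that only the host's own replies (ESTABLISHED,RELATED) and explicitly allowed NEW connections are accepted, everything else is logged (rate limited) and dropped. The admin network 10.0.0.0/24, SSH on port 22 and the single exposed service on port 443 are constructed placeholders; the script prints the rule set so it can be reviewed first and applied as root by piping it to sh.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful iptables
# INPUT policy for one Linux host. The admin network and ports below are
# constructed placeholders, adjust them to the host's real role.

# host_fw_rules prints the iptables commands instead of running them, so the
# policy can be reviewed and version controlled before it is applied.
host_fw_rules() {
    admin_net="${1:-10.0.0.0/24}"   # where SSH logins may come from
    svc_port="${2:-443}"            # the one service this host exposes

    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport 22 -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ${svc_port} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
iptables -A INPUT -j DROP
EOF
}

# rule_count returns the number of INPUT rules the policy contains, a quick
# sanity check that the generated rule set is complete before applying it.
rule_count() {
    host_fw_rules "$@" | grep -c '^iptables -A INPUT'
}

# Review:  sh thisfile.sh 192.0.2.0/24 8443
# Apply:   sh thisfile.sh 192.0.2.0/24 8443 | sudo sh
host_fw_rules "$@"
```

The order matters: the ESTABLISHED,RELATED rule comes first so return traffic for connections the host initiated is accepted without further evaluation, INVALID is dropped before any NEW rule can see it, and SSH is only reachable as a NEW connection from the admin network. Because the default INPUT policy is DROP, anything not listed is refused even if a later edit forgets the final explicit DROP rule.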

The Windows host operating system firewall on the other hand is also a great tool which should be used. Firewall rules can be managed using Group Policy (yes, I know it becomes hard to manage when the number of policies grows, so without endorsing it, take a quick look at Addlevel Isolation Management for a better view of your central Windows Firewall management). The Windows firewall is also stateful, it has IPSEC support and it also has the ability to accept or deny connections based on who is making them. As an example, you can have a firewall rule which allows all members of a certain group to use RDP to access your server network, but nobody else. If you also use IPSEC, you can enforce strong authentication of both the computer making the connection and the user, before the connection is allowed to occur. The Windows firewall has many great features, which makes me a bit surprised that so few are actually using them.

Another piece of the puzzle is to know what is going on in your network. There are several ways to do this, but what is most important is that your security team really understands how it can be used. Visualisation of network data often makes it easier to track what is happening than a log file with a lot of text in it.

After all, it is you who has the responsibility to understand how well your network is defended, so knowledge is the last key to it all. Without knowing, you cannot react and you can certainly not predict what you might need to do before something happens. You need to know your network, do correct network security implementations, monitor them and evaluate them, and over time, do it all over again. Security is never a one-time deal, remember that.

Of course there are a lot of other things that relate to security which are not network based, but I will focus on those in another post.

Tired of users who spread malware using USB devices?

Then perhaps you should get them a USB device that will teach them a serious lesson. No, I am just kidding, let me explain.

A Russian security researcher nicknamed Dark Purple seems to be inventing a killer USB device, or rather a computer-frying USB device. It is an interesting way to use a USB device, that's for sure. You can read more about it here. It is not for sale, at least not yet, but it is quite fascinating to read about.

If you wish to employ slightly less drastic countermeasures, there are some.

  • Use Active Directory to simply deny the use of USB devices

I know, it sounds impossible, but it is not. It all depends on whether you want to take on the administrative burden of managing exceptions or not. Yes, in a large organisation it will most likely be quite impossible. Even so, it is worth knowing that Active Directory can mitigate the threat from USB devices.

  • Malware Protection Engines

Much the same as the above, actually: they rely on the class ID and serial number of the USB device to decide whether to allow or deny access. The same administrative burden awaits.

I am not even gonna suggest using superglue on the USB ports since it is almost never an option, but instead say that the most important thing you can do about USB devices is training and NOT allowing your users to do their day to day work running with local admin privileges. Then make sure you disable autorun and, if possible, never allow code execution on removable devices. Stick with those and the USB threat is at least mitigated. Unfortunately, the USB threat is here to stay and will remain a threat to most organisations for a long time.