Wouldn't it just be more sensible to have a bit more diversity in the installed base, and a lot more vendor-independent competence among the former certified Microsoft dependent hordes?
There has been a lot of talk in information security circles over the past few weeks about the revelations of advanced persistent cyber attacks on several big name US newspapers including the Wall Street Journal and The New York Times. The attacks, which are suspected to have been launched by Chinese hackers, were highly …
A quite sensible article with some important advice, expressed neatly in the following para:
Signature AV has been the bread-and-butter of the security industry for years and will still protect against 99 per cent of threats. The problem is that the one per cent that cause an organisation real damage, like the targeted attacks above, are not covered.
I don't think, though, that the article title is warranted - we are all helped enormously by the availability of cheap AV solutions. It would be a shame if focus shifted so far to the APT side that organisations lost sight of the need to ensure that the basic protections are also in place.
Why not try a system that is secure by design - some version of Unix. OS X & Linux are the most popular.
The above is a good start, but you need to take security seriously: install OS patches, train users not to be plonkers (good passwords, think about what they do, ...).
Hmm, comprehensive reading, a declining skill.
He did not make an exception for Unix systems - they have similar issues in having vulnerabilities. I do agree, however, with his assessment of vulnerability insofar as there are fewer holes. But a Linux-focused trojan will get installed too - users have had years of training entering passwords for privilege escalation.
Which brings me to a question that has been puzzling me about just about any platform: WHY is so much software by default installed at system level without any choice?
And short of a Linux solution, how about not working in an admin account as most Windows users do? Enterprise computers are typically locked down to the user for installs and changes, and therefore a bit more secure than Joe User at home.
You can always tell a Windows user coming over to try Linux: One of the very first questions they ask is how to log in as root. Sudo and a password protect many a machine...
When the hell is MS going to make standard user the de facto for a new install instead of &*()ing administrator?
The moment even MS itself can actually code to work with restricted permissions. Try running a non-admin profile account on a Windows box and see how long you last - and it's not the only OS for which coders almost always require escalated privileges to install and run code which should have been perfectly fine to just execute in user space.
<sarcasm>
We've only been having security problems for, oh, the last 25 years or so, so it's maybe far too early to expect some fundamental coding principles, no?
</sarcasm>
Name me a single distro that automatically sets the user as the root account?
Name me a distro that sets a different password for root than the user account on installation?
End users (especially at home) will just blithely enter their password when an installer asks for it, so they are exposed to trojans, irrespective of platform. At least they have some anti-virus which may pick up on a signature before it gets that far.
Do you actually know what you are talking about?
See above.
Looking from the other end of the telescope - the medium-sized business end of it - none of the AV solutions for Windows appear to offer comprehensive protection against APTs. Some are better than others, but all of them miss a significant proportion of this kind of malware.
So in the absence of a comprehensive solution, we might as well use a commodity AV product that is signature based, and deal with the APTs via a gateway appliance. That has the subsidiary advantage that instead of trying to solve the problem of keeping *every* endpoint locked down (very tough with iShiny executive toys everywhere and even those PCs where the user has to have admin rights), anything that is malware infested should be prohibited from phoning home.
Unfortunately the kind of product that does this is definitely *not* commoditised & I would greatly appreciate a bit of a price war on the part of the distributors (hint, hint).
Sigh. You cannot buy an APT setup because a proper APT is not a technical "thing", it is a strategy.
A full scale APT treats your organisation as a puzzle, which gets solved a bit at a time. Maybe it needs an inside host first - social engineering and a memory stick? Classic USB keyboard recorder? Spread virus assault via targeted email? Once there is a hook and intel has been gathered, maybe the accounts systems appear to be the most interesting ones, so using the previously established launchpad, slowly the locks are prodded.
Or someone gets bribed in accounts.
I have been saying this for almost a decade now: security isn't just technology, and especially the emergence of APTs indicates that the basics are now reasonably under control - if you get hacked via standard methods you should really re-think your approach. Ah, you didn't have one?
Did you really think that a one off threat analysis and buying some expensive kit would be enough? ...
"... So in the absence of a comprehensive solution, [...], and deal with the APTs via a gateway appliance. That has the subsidiary advantage ..."
Though overlooked too often in Germany, this approach has already been enforced by (technical) rules. See points M2.73 and M2.75 in "IT Grundschutz".
Regards, HA
Errr? How exactly does your solution stop something getting loaded into RAM and stealing all sorts of nasty/sensitive stuff from the running system including the H/W write protected flash drives?
The only solution as I see it is to NOT put anything on an Internet connected device that you wouldn't mind getting stolen and even made public.
Then even if the AV etc fails there is not much of any use that can get stolen.
Does make things like internet shopping/banking/life a bit difficult though.
To overcome that you have to get into what you might be hinting at with your second link. Boot up a clean system, login to your fav internet site, do some business and then shut everything down. Rinse and repeat always using a clean system to work with. No saved passwords or account details allowed either.
Now how user friendly is that? Not very much but hey, security is everything isn't it?
"The only solution as I see it is to NOT put anything on an Internet connected device that you wouldn't mind getting stolen and even made public."
Not quite. There is also sneakernet via infected USB sticks. There are still plenty of setups left with auto-install enabled :(
"How exactly does your solution stop something getting loaded into RAM and stealing all sorts of nasty/sensitive stuff from the running system including the H/W write protected flash drives?"
Getting the something to run and do something useful would be difficult. What a read-only USB device does do is prevent malicious code being inserted into your Operating System, and once you reboot, you are back to a clean system. Certainly you are not exposed to the Advanced Persistent Threat exploits you get with other rich-user-experience Operating Systems.
That's assuming the USB distro you used was clean, but then you get into the whole "who watches the watchers" thing.
Plus what if the malware, even in RAM, can privilege escalate to root, sniff out other drives attached to the system, mount them, detect installed OSes, and find ways to infect them from there? If some APT hasn't caught on to the idea of infecting offline systems, they probably will in future.
"Plus what if the malware, even in RAM, can privilege escalate to root, sniff out other drives attached to the system, mount them, detect installed OSes, and find ways to infect them from there?"
That still doesn't infect my OS and I'm assuming the other systems are already infected, which is why I want to run my own READ-ONLY OS!
It's going to be way, way less than 99% of the effort and spend in any of the minority of organisations which have a clue about security, in my view more likely much less than 5%. 99% is suggested by the article based on (assumed?) threat prevalence.
That's been the case since the first viruses appeared in the late eighties. It's why organisations with valuable data and processes which understand their security needs employ professionals with advanced skills in areas including virtual private networks, intrusion detection systems, firewall technologies, sandboxing of critical processes, mandatory access control and most importantly, verification of origin and supply chain of all executable content allowed on critical systems. They involve managers at the appropriate level together with those with relevant technical skills in defining, maintaining and enforcing appropriate access control policies. AV can only be a very small part of such defences.
AV is also very expensive in relation to memory and CPU demand on many systems, so is very inefficient, as well as being ineffective in relation to zero day threats. These products are based on the wrong assumption that it's possible for an AV vendor to know about every program in the world that's bad. Much better to verify that nothing can run on your critical system unless and until it's been confirmed as good to a high level of confidence, Ken Thompson's "Reflections on Trusting Trust" paper notwithstanding.
".... Much better to verify that nothing can run on your critical system unless and until it's been confirmed as good to a high level of confidence, Ken Thompson's "Reflections on Trusting Trust" paper notwithstanding. ..."
Known for at least thirty years.
"Property: Executable by ...[monitor]" as given in ACLs of TOPS-10, a little bit later by RACF of IBM, and then as a label in LSPP...
Remarks by HA
It's the end users that are still the biggest problem. The number of calls I get from people who had received a Yahoo email from their friend with a single URL that was a jumble of letters and they STILL opened it. Despite my doing a round-robin email saying that there's a run on this type of spam.
Across my client base I look after free AV (MSE, Avast, AVG etc.); some have paid-for products such as Kaspersky, and biz have Symantec with Brightmail; others use Sophos. None really do 100% protection, most sort of contain it, but interestingly I have seen limited accounts get infected even on W7 boxes with ACL on.
All we can do is learn how to get rid of it and carry a BartPE around.