Didn't i get this from tech republic just this morning...
A study confirms Internet Explorer 9 is the safest web browser
http://www.techrepublic.com/blog/window-on-windows/a-study-confirms-internet-explorer-9-is-the-safest-web-browser/6707?tag=nl.e064&s_cid=e064
Discussion on:
View:
Show:
The actual article describes how IE9s blacklist is better than the blacklists of the other browsers. That's all that was tested, only the blacklist.
And the blacklist offers no benefit if the user has turned off the use of it for slowing down the already considerable navigation lag in IE9.
And the blacklist offers no benefit if the user has turned off the use of it for slowing down the already considerable navigation lag in IE9.
It makes it easier to manage security with those certain browser required sites.
Ontime prefers chrome, Sharepoint needs IE, OWA needs IE, pretty much everything else uses firefox.
Avant can be set up to automatically switch engines based on site. And each tab maintains its own engine so you can have all 3 running at the same time.
Ontime prefers chrome, Sharepoint needs IE, OWA needs IE, pretty much everything else uses firefox.
Avant can be set up to automatically switch engines based on site. And each tab maintains its own engine so you can have all 3 running at the same time.
Don't use a computer! I mean reading what you listed it is probably the most valid. Just don't!
SmoothWall. There's a free version that does everything you really need. It lets you use some old computer, that's otherwise useless, to do one of the most important jobs in the house, and do it well.
I wouldn't recommend it, but it'll run fine on a 486 machine with 64 MB RAM and a 4 GB hard drive, I set that hdw up for a home user a while back. A retired Pentium III box makes a smoking hot firewall with SmoothWall.
I wouldn't recommend it, but it'll run fine on a 486 machine with 64 MB RAM and a 4 GB hard drive, I set that hdw up for a home user a while back. A retired Pentium III box makes a smoking hot firewall with SmoothWall.
A 30 day password expiration policy sounds great on paper but we have it in place. From what I have seen, it promotes weaker passwords and insecure habits. No sooner do they have the new one memorized when they have to change it again. People resort to using weaker passwords (a word with an incremented number at the end) or writing their passwords down.
As an employee of a company that requires password changes every 45 days, I just end up using the same password with a different number at the end. It's hard enough to come up with a strong, unique password THAT I CAN REMEMBER (most companies frown on writing down your password and keeping it anywhere you can easily access it). How is the average employee supposed to do this every 30-45 days? I get the theory behind frequently changing passwords, but in my experience, the reality is completely different.
This is a pain in the you-know-what for both the user and the administrator. I spend more time unlocking users every time they change their password and this happens in cycles, depending upon the user's hire-date. One month we had 250 users that got locked out of their SSA accounts. This was at our hub alone, not counting world-wide. The helpdesk was flooded with requests and couldn't unlock users fast enough. There was somthing like a 4-hour lag-time on the helpdesk plus the system unlock which takes up to 4 hours to process.
If anything enforce longer passwords with alpha-numeric combinations, upper-lower alpha characters, and allow non-alpha-numeric characters.
If anything enforce longer passwords with alpha-numeric combinations, upper-lower alpha characters, and allow non-alpha-numeric characters.
Before you raise shields, I'm not a Linux hater but upon reading item 1 I was disinclined to continue, and may have missed some valid points as a result.
The reason is simple - if admins are using Windows it's normally because a) it's what they're trained with and comfortable supporting or b) because the business or the users want to use windows (or proprietary apps on Windows, as you mention). This much is common sense and, I'm sure, known to you. So, here's the rub:
A windows admin on a windows network deploys Linux desktops in the name of security. The result may very well be less functionality and less security overall. Why? (images of frothing Penguin lovers firm in their belief that Linux am bettar)
Here's why. Windows by default is a very promiscuous OS - Linux admins can certainly agree on that. BUT IT CAN BE CONFIGURED TO BE LESS SO. Linux by default is less promiscuous. BUT IT CAN BE CONFIGURED TO BE MORE SO. Windows admin trying to make a Linux desktop work effectively will likely make mistakes over the course of time, and may be forced to bypass some of Linux's default config to make it work with existing network architecture.
Before anyone jumps to say 'But Jack didn't say 'Windows administrator''. 'Good techies should know Linux'. 'Linux would still be more secure' or some other such commentary, consider this:
Any admin using a technology they aren't familiar with is prone to more mistakes than usual. Computers and OSes that run them are flawed because we make them so. By increasing the likelihood that further mistakes are made you inherently decrease the chance of security in a network. This is true for Mac admins, Windows admins and Linux bods as much as it is for any other platform.
Linux is nowhere near the security powerhouse that some in the Linux community want everyone else to believe. The recent onslaught of Red Hat security vulnerabilities being reported in the security communities should be proof enough of that. Windows is no longer the only security target these days.
Look, bottom line is this. I'm a Windows/Cisco tech with some Linux experience. Give me a choice between the two to produce a secured environment and despite the press and known issues I'd still go for Windows because I'm more confident in my ability to manipulate that than I am with Linux. This isn't because i think Windows is 'as secure' (it isn't by default) and it's not because I can't learn how to do it on Linux (time and tech constraints play their parts).
Don't underestimate the power of good administration, whatever your platform of choice. Prefer Linux? Power to you. Would rather secure Windows properly? Hey, power to you too. Just don't think changing some of your windows architecture may help a lot because if misconfigured, it'll hurt rather than help.
The reason is simple - if admins are using Windows it's normally because a) it's what they're trained with and comfortable supporting or b) because the business or the users want to use windows (or proprietary apps on Windows, as you mention). This much is common sense and, I'm sure, known to you. So, here's the rub:
A windows admin on a windows network deploys Linux desktops in the name of security. The result may very well be less functionality and less security overall. Why? (images of frothing Penguin lovers firm in their belief that Linux am bettar)
Here's why. Windows by default is a very promiscuous OS - Linux admins can certainly agree on that. BUT IT CAN BE CONFIGURED TO BE LESS SO. Linux by default is less promiscuous. BUT IT CAN BE CONFIGURED TO BE MORE SO. Windows admin trying to make a Linux desktop work effectively will likely make mistakes over the course of time, and may be forced to bypass some of Linux's default config to make it work with existing network architecture.
Before anyone jumps to say 'But Jack didn't say 'Windows administrator''. 'Good techies should know Linux'. 'Linux would still be more secure' or some other such commentary, consider this:
Any admin using a technology they aren't familiar with is prone to more mistakes than usual. Computers and OSes that run them are flawed because we make them so. By increasing the likelihood that further mistakes are made you inherently decrease the chance of security in a network. This is true for Mac admins, Windows admins and Linux bods as much as it is for any other platform.
Linux is nowhere near the security powerhouse that some in the Linux community want everyone else to believe. The recent onslaught of Red Hat security vulnerabilities being reported in the security communities should be proof enough of that. Windows is no longer the only security target these days.
Look, bottom line is this. I'm a Windows/Cisco tech with some Linux experience. Give me a choice between the two to produce a secured environment and despite the press and known issues I'd still go for Windows because I'm more confident in my ability to manipulate that than I am with Linux. This isn't because i think Windows is 'as secure' (it isn't by default) and it's not because I can't learn how to do it on Linux (time and tech constraints play their parts).
Don't underestimate the power of good administration, whatever your platform of choice. Prefer Linux? Power to you. Would rather secure Windows properly? Hey, power to you too. Just don't think changing some of your windows architecture may help a lot because if misconfigured, it'll hurt rather than help.
However, the #1 way to increase network security- eliminate that disconnect between the keyboard and the chair! You'll solve all your problems!
We cannot say old ones are best in all situations. In case of technology, new products are best as it keeps on updating with new features!!
You know, Pebcak? As in Problem Exists Between Chair And Keyboard? As alluded to by dangoody27.
That's an old service desk joke. That's all I meant.
That's an old service desk joke. That's all I meant.
On newer version of Windows there is a setting that doesn't allow remote capabilities for accounts with blank passwords. You still have to deal with physical security, but it is more secure than using a well know or short password.
It's interesting that Mac's used to be considered more secure than Windows until recently (and as they became more main stream and more people were looking at them). I don't necessarily think this is the case with Linux, but a systems security level is very dependent on the total composition of the software installed so if there is a smaller less well maintained package installed then the Linux system may be easily exploited. You can see this fairly easily with Drupal and other Linux based CMS systems. Basically I am simply saying that Linux is not a silver bullet like some people say, but all systems need maintenance and monitoring to be secure. Someone who is a good Windows admin may not be able to install a Linux machine and secure it very well.
Bill
Bill
It's interesting that Mac's used to be considered more secure than Windows until recently (and as they became more main stream and more people were looking at them). I don't necessarily think this is the case with Linux, but a systems security level is very dependent on the total composition of the software installed so if there is a smaller less well maintained package installed then the Linux system may be easily exploited. You can see this fairly easily with Drupal and other Linux based CMS systems. Basically I am simply saying that Linux is not a silver bullet like some people say, but all systems need maintenance and monitoring to be secure. Someone who is a good Windows admin may not be able to install a Linux machine and secure it very well.
Bill
Bill
The reality that most mainstream techs usually forget is that Windows and programs like IE, MS Office, SQL server and so on are targeted in the first place for one reason - their ubiquity. The fact that some of these platforms are inherently open to abuse is a bonus.
Let me give you an example to clarify the point. If you're a cracker and you want in to a system for nefarious gain will you:
a) Focus your efforts on breaking a system you know is on millions of computers that will have the data you want
b) Focus your efforts on breaking a system that you know is on 100s of thousands of computers that will have the data you want
c) Focus your efforts on breaking a system that you know is on thousands of computers that will have the data you want
If you answered a) and you found that those platforms to also be easy to beak into then you'd be a happy little cracker indeed.
Mac OS was never a high profile target. Not when oppertunist hackers and those after a large portion of computers could simply focus on Windows. As numbers of Mac users with valuable data rose, so too did the interest that malicious little code monkeys had in fruit rather than glass, if you get where I'm going. Same happened with Linux as more home users adopted it (and failed to secure it properly) and more devs wrote stuff for it (and introduced vulnerabilities).
I still laugh to myself when remembering what a Mac-toting marketeer once said to me, "I don't need security. Macs don't get viruses. That's a windows thing. Macs are just better"
Er....guess again, tango brain. Back to your fisher price, if you please
So, yeah, I think you're right - a large portion as to why Macs are no longer considered super secure is because the focus is now on them in the hacking community because they are becoming a big enough target to bother with.
The only secure computer is one not connected to anything. In the age of the internet, who wants that?
Let me give you an example to clarify the point. If you're a cracker and you want in to a system for nefarious gain will you:
a) Focus your efforts on breaking a system you know is on millions of computers that will have the data you want
b) Focus your efforts on breaking a system that you know is on 100s of thousands of computers that will have the data you want
c) Focus your efforts on breaking a system that you know is on thousands of computers that will have the data you want
If you answered a) and you found that those platforms to also be easy to beak into then you'd be a happy little cracker indeed.
Mac OS was never a high profile target. Not when oppertunist hackers and those after a large portion of computers could simply focus on Windows. As numbers of Mac users with valuable data rose, so too did the interest that malicious little code monkeys had in fruit rather than glass, if you get where I'm going. Same happened with Linux as more home users adopted it (and failed to secure it properly) and more devs wrote stuff for it (and introduced vulnerabilities).
I still laugh to myself when remembering what a Mac-toting marketeer once said to me, "I don't need security. Macs don't get viruses. That's a windows thing. Macs are just better"
Er....guess again, tango brain. Back to your fisher price, if you please
So, yeah, I think you're right - a large portion as to why Macs are no longer considered super secure is because the focus is now on them in the hacking community because they are becoming a big enough target to bother with.
The only secure computer is one not connected to anything. In the age of the internet, who wants that?
For #1: This would not be acceptable to people who have used OWA in Internet Explorer because of the rich features or use Outlook themselves. For the majority of organizations I have encountered they even hated used Firefox or Chrome because it lacked features that were present in IE
For #8: This is a standard practice when you have networks where people don't want to have multiple shares with restricted access. If they only want ONE share it is best to share with everyone and lock down access via NTFS permissions. Even season IT professionals use this if their higher ups don't want multiple shares with restricted share permissions.
For #8: This is a standard practice when you have networks where people don't want to have multiple shares with restricted access. If they only want ONE share it is best to share with everyone and lock down access via NTFS permissions. Even season IT professionals use this if their higher ups don't want multiple shares with restricted share permissions.
So, what do we do now? Obviously, the study concentrated on just one security problem for which web browsers are susceptible - we cant use it as the only criteria for choosing a web browser. However, the study does suggest that perhaps it is time information technology professionals reassess their web browser choices. When is the last time you took a close, objective look at your current web browsers security capabilities?
I think it's better to use a pass phrase or longer password (12+ characters) with a longer time between password changes (180+ days) than shorter with frequent changes since users will have a tendency to use incremented passwords or simply write them down.
Remote Desktop and equivalents are so easy to use. Setup one or more servers as browsing-terminal servers and force your users log in to those to do all their browsing, logging in with normal access rights of course, and with *different* user IDs, so some malware cannot automatically attack their PCs or any other network resource.
Only let those servers access the 'outside' world.
A few servers are much easier to secure properly.
Make one read-only share with subfolders for each user so that they can get their downloaded files.
One problem is that nowadays browsers take up too much memory, so I don't know how many 'browsing terminals' such servers can handle.
I used to do that to myself when I was using some windows server as my workstation (so much more stable). I was remote desktoping on my own workstation as a low-rights local user, doing all my browsing from there
Only let those servers access the 'outside' world.
A few servers are much easier to secure properly.
Make one read-only share with subfolders for each user so that they can get their downloaded files.
One problem is that nowadays browsers take up too much memory, so I don't know how many 'browsing terminals' such servers can handle.
I used to do that to myself when I was using some windows server as my workstation (so much more stable). I was remote desktoping on my own workstation as a low-rights local user, doing all my browsing from there
Security is NOT convenient
Our current policy is at least nine characters, three of the following four: upper case, lower case, number, symbol. Must be changed every 90 days. Cannot reuse the last 24. Cannot change more than once every 24 hours.
The more complex the password has to be the more likely users will write it down, use incrementing passwords, and employ other methods to meet the requirements, but add no real security.
Now ask yourself what is the purpose of these policies.
Policy: Change every X days.
Purpose: To ensure that leaked passwords are made useless after X days.
User work around: Incrementing password, ie Password1, Password2, ...
Policy: Password must be complex
Purpose: To increase the number of characters required to brute force a password
User work abound: Use the easiest method to get around, i.e. Password1!, Password2@, ...
Policy: Password cannot be reused.
Purpose: Prevent swapping between two passwords
User work around: Incrementing passwords
If you want a policy that will actually provide some security set a requirement for long passwords, 12 characters minimum, and provide user instructions on how to create them, Pass phrases, Password Haystacking, or Password patterns. Length is more important than strength.
Even a 12 character lower case password provides decent protection. Adding an upper case letter makes it even stronger. Remember that someone brute forcing a password doesn't know that you used all lower case. Even if they checked all of the lower case possibilities first an offline fast attack scenario: (Assuming one hundred billion guesses per second) would take 9.85 months to break it.
The reality is you are more likely to have the password disclosed by the system you are accessing, than the weakness of the password.
Our current policy is at least nine characters, three of the following four: upper case, lower case, number, symbol. Must be changed every 90 days. Cannot reuse the last 24. Cannot change more than once every 24 hours.
The more complex the password has to be the more likely users will write it down, use incrementing passwords, and employ other methods to meet the requirements, but add no real security.
Now ask yourself what is the purpose of these policies.
Policy: Change every X days.
Purpose: To ensure that leaked passwords are made useless after X days.
User work around: Incrementing password, ie Password1, Password2, ...
Policy: Password must be complex
Purpose: To increase the number of characters required to brute force a password
User work abound: Use the easiest method to get around, i.e. Password1!, Password2@, ...
Policy: Password cannot be reused.
Purpose: Prevent swapping between two passwords
User work around: Incrementing passwords
If you want a policy that will actually provide some security set a requirement for long passwords, 12 characters minimum, and provide user instructions on how to create them, Pass phrases, Password Haystacking, or Password patterns. Length is more important than strength.
Even a 12 character lower case password provides decent protection. Adding an upper case letter makes it even stronger. Remember that someone brute forcing a password doesn't know that you used all lower case. Even if they checked all of the lower case possibilities first an offline fast attack scenario: (Assuming one hundred billion guesses per second) would take 9.85 months to break it.
The reality is you are more likely to have the password disclosed by the system you are accessing, than the weakness of the password.
Leaked passwords aren't as much of the problem as password hashes. Malware with sufficient privileges can steal the hash of the logged in user and possibly other users that have logged into the machine (depends on a number of factors). The longer the time between password changes the longer the malware or operator has to utilize that hash. With hashes even a single digit change will completely change the hash. The only problem with this if the plan text is known (such as having it brute forced).
There are a lot of brute forcing programs that will string together words in various different combinations so simple pass phrases may not be as strong as many think. It is always good to do something a little out of the ordinary to increase the strength of a pass phrase.
Users will still use simple passwords at 12 characters so it may still be a good idea to enforce complex passwords with Windows since that is the only way to guarantee users won't use the same character 12 times in a row.
Bill
There are a lot of brute forcing programs that will string together words in various different combinations so simple pass phrases may not be as strong as many think. It is always good to do something a little out of the ordinary to increase the strength of a pass phrase.
Users will still use simple passwords at 12 characters so it may still be a good idea to enforce complex passwords with Windows since that is the only way to guarantee users won't use the same character 12 times in a row.
Bill
You say "Security is NOT convenient ". How right you are.
One of the things you quickly learn about IT security (network, application or otherwise) is that it's a constant trade-off between functionality and security. The more secure you make it, the more functionality you're forced to restrict or inconvenience you're forced to introduce.
Every company has it's own ideal on this balance and it seems that there is no universally accepted level. In this case, one size doesn't seem to fit all.
One of the things you quickly learn about IT security (network, application or otherwise) is that it's a constant trade-off between functionality and security. The more secure you make it, the more functionality you're forced to restrict or inconvenience you're forced to introduce.
Every company has it's own ideal on this balance and it seems that there is no universally accepted level. In this case, one size doesn't seem to fit all.
Why not use a Managed Security Services Provider (MSSP) with Linux system such as Network Box. It is a hardware firewall that also anti-virus, content filtering, spam & monitored IDP/IDS. This cost is actually lower than purchasing all the separate elements of security. Also always have a strong security policy endorsed by your management.
SORRY DIDN'T READ THE MOST VOTED COMMENT - Funny how a previous article from TechRepublic says that IE9 is proven to be the safest browser and here you are telling folks to switch. What up with that?
http://www.techrepublic.com/blog/window-on-windows/a-study-confirms-internet-explorer-9-is-the-safest-web-browser/6707?tag=nl.e064&s_cid=e064
http://www.techrepublic.com/blog/window-on-windows/a-study-confirms-internet-explorer-9-is-the-safest-web-browser/6707?tag=nl.e064&s_cid=e064
I agree with an above post that length trumps entropy. After having it explained to me on a Security Now! podcast, it makes sense and can pretty much make you immune to brute force. You still want to use the entire character set. Use a 6-8 character password that is easy to remember (no words used in rainbow table attacks), but make sure you use the entire character set. Then pad that with 6-8 more characters with an easy to remember padding. As for change frequency, it was talked about changing the password too frequently (if ever) is useless too. When passwords are harvested, they are used almost immediately. So weather you changed it just 5 days ago, or 6 months ago doesn't matter. If your policy is 30 days or even 5 days, it will be too late. Just keep a strong password and pay attention to the news to see if there has been a breach for something for which you have an account for and change it right away. And yes, don't use the same password for everything.
Looking to deploy that ASAP. I have been trying to find a good NAC and especially something for a guest network. At our school all the time I have parents trying to get internet access while doing PTA stuff. I also know some small businesses that would love something free like this that can help set up guest net for their customers. Totally agree with dl_wraith, and would love for the teachers at our school to understand why they cannot install stuff (man they can get cranky).
forgot to mention the hardware firewall and content filters are necessary evils in education environment especially. SonicWall and iPrism (now Edgewave) here, love both pieces of hardware, iPrism hardware about 4 years old and sonicwall just at 3, never had an issue with either and they are fast as he11. No slow downs or anything with both.
I've used pf, I found smoothwall a lot easier to deal with and it's proved to be remarkably secure. Only had one get compromised, and it failed safe. (disconnected the internet) It was only compromised because it was 8 updates behind.
I've run smoothwalls on P-II equipment with 800-900 day uptimes without the slightest problem.
Setting up an isolated "purple zone" is easy as heck. A wireless portal with easy access for the PTA that is totally isolated from the internal LANs). I've set up dozens of them. Smoothwall puts old hardware that's otherwise useless to important use. ie read "free hardware."
Customers like free.
I've run smoothwalls on P-II equipment with 800-900 day uptimes without the slightest problem.
Setting up an isolated "purple zone" is easy as heck. A wireless portal with easy access for the PTA that is totally isolated from the internal LANs). I've set up dozens of them. Smoothwall puts old hardware that's otherwise useless to important use. ie read "free hardware."
Customers like free. 
1. Use Linux. I disagree. This only helps if A) ALL desktops are switched to Linux and B) admins are familiar with hardening and maintaining Linux. If you're not doing A, you're just doubling the attack surface. You haven't eliminated problems with the Windows boxes, and now you've got care and feeding of Linux boxes to manage, too. If you're not doing B, admins will perform risky actions without knowing they're doing anything wrong.
2. Block users from installing software. Can I get an "AMEN!" from the audience? This is one of my pet peeves, #2 on the SANS 20 Critical Controls list, and something very few small companies implement effectively. Don't stop at removing local admin rights - use something like Bit9 for application whitelisting.
3. Update AV. Sure, updating is a good thing, but this definitely wouldn't be #3 on my list. AV is easily and routinely bypassed. You're better off assuming AV is not going to stop anything. Check out http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results. Luckily, most "AV" nowadays is actually a full-on endpoint protection suite bundled with things like a network traffic monitor, file integrity monitoring, malicious URL interception, etc. The actual "AV" is (imho) one of the least effective parts of the package.
4. Switch your browser. Bad suggestion. A GFI study earlier this year listed IE as the 8th most vulnerable application for 2012. Webkit was 4th, Firefox was 3rd, Safari 2nd, and Chrome was #1. So yeah, attacks are going after your browser no matter what you use (unless you're switching to Opera, I guess). A large number also attack Flash, Adobe Reader, Java or other plugins. You're likely to have those no matter which browser you choose. Also, IE has the advantage of controlling settings en masse through group policy. Better suggestion: reduce your attack surface by picking one approved browser for network users and uninstalling all others.
5. Disable add-ons. I agree wholeheartedly, but isn't this just a subset of suggestion #2?
6. Hardware firewall. I agree, but wouldn't abandon the client firewall. We should still use it, tightened as much as possible. Many endpoint security products come bundled with their own firewall to replace the Windows firewall. We should also deploy proxy firewalls on the perimiter (don't just inspect packets passing through - terminate outside connections at the firewall and rebuild packets to send to the client). And don't forget about egress filtering on both!
7. Strict password policy. I'm sorry, but 30 day resets is a dangerously bad idea. That's effectively telling your users "I want you to either write this down or put the month in the password." Better idea: Preach that password length matters more than anything else. Example: "StrictPwPolicy=HorribleIdea" isn't hard to remember, but at 27 characters is extremely resistant to brute force attacks. "But it has dictionary words in it!" So what? It is still better than any 8 character passwords your users are going to choose. Users make freak when you first tell them they need 24+ char phrases, but once you show how easy it is to remember a new phrase twice a year as opposed to a random 8 character string that changes every 30 days, they'll come to accept it. And a 24 character crappy password is still several orders of magnitude better than an 8 character crappy password.
8. "Everyone" folder access. I wouldn't do this even temporarily. Temporary access become long term access because "we've got it working" and there are always other issues to fix. I wouldn't grant access individually, either. Auditing individual access becomes a nightmare on even a moderately sized network. Grant access to an appropriately named group, then add users to the group. All you have to do to audit access is verify only the appropriate groups are on the share, and then check who is in the groups. Also, use limited access (RO/RE/RW/MOD) as opposed to full control when possible. Example group: PayrollShareRO for those who need to see content of files in the Payroll share, but do not need to create or change them.
9. Use a NAC. Agreed. PacketFence is a good suggestion for first time NAC users.
10. Content filtering. Not sure what "content" is being discussed. Email? If so, keywords are horrible at both detection and false positive rates. Alternative suggestion: block all attachment types except those absolutely needed for business, disable direct-clicking of links in Outlook, and educate your users on current phishing techniques. Use filters based on multiple factors, including the reputation of the sending domain/server. For web filtering, I prefer using a service such as SurfControl to allow certain categories of sites and block everything that hasn't been categorized. Individual sites that fall into normally blocked categories can then be added to a whitelist on a one-off basis.
I kinda ended up picking this list apart, so it is only fair I offer up my own top 10 for critique:
1. User education. Users should know what is normal PC behavior, what is not, and who to contact when something odd happens. Java icon unexpectedly popped up on the taskbar while web surfing, sluggish pc, unexpected reboot, certificate error, new homepage, phishing emails, etc. They should also be trained to think twice before clicking on anything. Make your users into an intrusion detection system. Stroke their ego and let them know they play a vital part in protecting the network.
2. Application whitelisting. If it isn't necessary, the file doesn't run. Extremely effective in warding off infection. Even moreso if you can prevent legit running processes from having malware injected into them, but I have yet to see an elegant solution to that.
3. Know thyself with network monitoring. Something like SpiceWorks (ad-supported free version available, but not open source) is great for taking inventory of what is on your network, both in terms of software and hardware. You can't protect what you don't know is there. Deploy something like SecurityOnion to see what traffic is already present on your network and detect anything new/unusual.
4. Get security to be a management priority at the START of projects. Otherwise, you run the risk of hearing things like "ok, we've licensed this product for the next five years and have already installed it on the network - it gets updates via FTP and is managed through an outdated embedded web server that doesn't support SSL and requires an old version of Java on the client PC. Now make it secure."
5. Have a secure configuration standard that is always followed when deploying a new machine. Know what software/services are supposed to be installed/running on each machine, and which aren't.
6. Centralized logging. If buying a commercial SIEM isn't an option, use something like Splunk (free for less than 1GB/day) or OSSIM. Good logs can be crucial in determining the scope of a security incident.
7. Check all web apps against the OWASP Top 10. It's shameful how many still fail at the basics.
8. Perform regular vulnerability scans. Use trials of various scanners (Nessus, NeXpose, etc) until you find what fits your needs/budget.
9. Patch religiously. Not just MS auto-updates, either. Get a 3rd party patching solution and take care of all the software on your network. Of particular importance on clients are Flash, Acrobat, Reader, Java, QuickTime, and browsers. On servers, databases and web servers are the most common targets.
10. Run drills. You don't get to be great at playing linebacker in football just by describing what you would do on the field. Similarly, you need to get experience in realistic network threat scenarios - see what works and what doesn't. Tweak your defenses and test again.
2. Block users from installing software. Can I get an "AMEN!" from the audience? This is one of my pet peeves, #2 on the SANS 20 Critical Controls list, and something very few small companies implement effectively. Don't stop at removing local admin rights - use something like Bit9 for application whitelisting.
3. Update AV. Sure, updating is a good thing, but this definitely wouldn't be #3 on my list. AV is easily and routinely bypassed. You're better off assuming AV is not going to stop anything. Check out http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results. Luckily, most "AV" nowadays is actually a full-on endpoint protection suite bundled with things like a network traffic monitor, file integrity monitoring, malicious URL interception, etc. The actual "AV" is (imho) one of the least effective parts of the package.
4. Switch your browser. Bad suggestion. A GFI study earlier this year listed IE as the 8th most vulnerable application for 2012. Webkit was 4th, Firefox was 3rd, Safari 2nd, and Chrome was #1. So yeah, attacks are going after your browser no matter what you use (unless you're switching to Opera, I guess). A large number also attack Flash, Adobe Reader, Java or other plugins. You're likely to have those no matter which browser you choose. Also, IE has the advantage of controlling settings en masse through group policy. Better suggestion: reduce your attack surface by picking one approved browser for network users and uninstalling all others.
5. Disable add-ons. I agree wholeheartedly, but isn't this just a subset of suggestion #2?
6. Hardware firewall. I agree, but wouldn't abandon the client firewall. We should still use it, tightened as much as possible. Many endpoint security products come bundled with their own firewall to replace the Windows firewall. We should also deploy proxy firewalls on the perimiter (don't just inspect packets passing through - terminate outside connections at the firewall and rebuild packets to send to the client). And don't forget about egress filtering on both!
7. Strict password policy. I'm sorry, but 30 day resets is a dangerously bad idea. That's effectively telling your users "I want you to either write this down or put the month in the password." Better idea: Preach that password length matters more than anything else. Example: "StrictPwPolicy=HorribleIdea" isn't hard to remember, but at 27 characters is extremely resistant to brute force attacks. "But it has dictionary words in it!" So what? It is still better than any 8 character passwords your users are going to choose. Users make freak when you first tell them they need 24+ char phrases, but once you show how easy it is to remember a new phrase twice a year as opposed to a random 8 character string that changes every 30 days, they'll come to accept it. And a 24 character crappy password is still several orders of magnitude better than an 8 character crappy password.
8. "Everyone" folder access. I wouldn't do this even temporarily. Temporary access become long term access because "we've got it working" and there are always other issues to fix. I wouldn't grant access individually, either. Auditing individual access becomes a nightmare on even a moderately sized network. Grant access to an appropriately named group, then add users to the group. All you have to do to audit access is verify only the appropriate groups are on the share, and then check who is in the groups. Also, use limited access (RO/RE/RW/MOD) as opposed to full control when possible. Example group: PayrollShareRO for those who need to see content of files in the Payroll share, but do not need to create or change them.
9. Use a NAC. Agreed. PacketFence is a good suggestion for first time NAC users.
10. Content filtering. Not sure what "content" is being discussed. Email? If so, keywords are horrible at both detection and false positive rates. Alternative suggestion: block all attachment types except those absolutely needed for business, disable direct-clicking of links in Outlook, and educate your users on current phishing techniques. Use filters based on multiple factors, including the reputation of the sending domain/server. For web filtering, I prefer using a service such as SurfControl to allow certain categories of sites and block everything that hasn't been categorized. Individual sites that fall into normally blocked categories can then be added to a whitelist on a one-off basis.
I kinda ended up picking this list apart, so it is only fair I offer up my own top 10 for critique:
1. User education. Users should know what is normal PC behavior, what is not, and who to contact when something odd happens. Java icon unexpectedly popped up on the taskbar while web surfing, sluggish pc, unexpected reboot, certificate error, new homepage, phishing emails, etc. They should also be trained to think twice before clicking on anything. Make your users into an intrusion detection system. Stroke their ego and let them know they play a vital part in protecting the network.
2. Application whitelisting. If it isn't necessary, the file doesn't run. Extremely effective in warding off infection. Even moreso if you can prevent legit running processes from having malware injected into them, but I have yet to see an elegant solution to that.
3. Know thyself with network monitoring. Something like SpiceWorks (ad-supported free version available, but not open source) is great for taking inventory of what is on your network, both in terms of software and hardware. You can't protect what you don't know is there. Deploy something like SecurityOnion to see what traffic is already present on your network and detect anything new/unusual.
4. Get security to be a management priority at the START of projects. Otherwise, you run the risk of hearing things like "ok, we've licensed this product for the next five years and have already installed it on the network - it gets updates via FTP and is managed through an outdated embedded web server that doesn't support SSL and requires an old version of Java on the client PC. Now make it secure."
5. Have a secure configuration standard that is always followed when deploying a new machine. Know what software/services are supposed to be installed/running on each machine, and which aren't.
6. Centralized logging. If buying a commercial SIEM isn't an option, use something like Splunk (free for less than 1GB/day) or OSSIM. Good logs can be crucial in determining the scope of a security incident.
7. Check all web apps against the OWASP Top 10. It's shameful how many still fail at the basics.
8. Perform regular vulnerability scans. Use trials of various scanners (Nessus, NeXpose, etc) until you find what fits your needs/budget.
9. Patch religiously. Not just MS auto-updates, either. Get a 3rd party patching solution and take care of all the software on your network. Of particular importance on clients are Flash, Acrobat, Reader, Java, QuickTime, and browsers. On servers, databases and web servers are the most common targets.
10. Run drills. You don't get to be great at playing linebacker in football just by describing what you would do on the field. Similarly, you need to get experience in realistic network threat scenarios - see what works and what doesn't. Tweak your defenses and test again.
IE9 just WON in some serious creds in its security testing recently as Jeff mentioned. Same article also from TechRepublic... today! The former... an excellent article....I read the PDF. This one I'm afraid leaves MUCH to be desired. The combination of both articles on the same day, in my humble opinion, harms Techrepublic's reputation as a good source of info for all of us in the IT industry.
Only the blacklist was tested. Nothing else.
DITTO on the 1st comment - "Contradicting report on number 4", and Same again with dl_wraith's "Issues with #1". From the looks of this article "10 things you can do to improve network and PC security", Nothing Jack has Said would make me want to take too much Notice of what he has sprouted, Maybe he would be better of sticking to writing Novels!
Internet Security at Home or at Work require's some COMMON SENCE as much as Defence tools and for my 2 bob's worth Internet Security should be attacking cybercrime, NOT taking a defencive role!
Internet Security at Home or at Work require's some COMMON SENCE as much as Defence tools and for my 2 bob's worth Internet Security should be attacking cybercrime, NOT taking a defencive role!
My 15 years experience within the world of first unix, netware and Windows supports all the assertions/arguments put forward by the commentators that linux despite all its obvious improvements over the years isn't convincing enough for many to migrate their windows workstations over to linux for home or work environments. Windows has matured in security, functionality and usability to the degree that Linux continues to be slightly behind..thou as many well argue windows takes a a little bit more effort to get it to the same level of security.
I haven't used a windows desktop at home or work since the last century and I certainly don't feel like I'm missing out on anything, except getting infected. In many ways I feel far more advanced than my windows-using counterparts. For example, I can't remember for how many years I was enjoying multi-tabbed internet browsing before the boys caught up.
same here. A lot of the things I've done with Linux I never would have been able to start with windows, because I wouldn't have been able to afford the software!
Linux exclusively on my PCs since 1999.
Linux exclusively on my PCs since 1999.
Seems to me if you're reading this then you are not the standard user. No matter how convinced you are that linux is great, you will not persuade the great mass of users to convert to a new OS. (Look how many still prefer using MS Office to Open Office despite the aggrevation entail in the switch from 2003 to 2007. And the Navy is still using Windows XP despite the release of Vista, Windows 7, and now Windows 8.)
The point of the article was to convert all the desktops in the org to use Linux. That means the users. I hope you have means of dealing with the ensuing lynch mob.
The point of the article was to convert all the desktops in the org to use Linux. That means the users. I hope you have means of dealing with the ensuing lynch mob.
I agree with #6 and #8. A typical everyday user can and will infect a windows based computer with ANY browser. If you choose to do #2 - you will upset your users to the point that they will think about choosing a new contractor. - Good one Jeff!
Your first recommendation includes this statement:
"...just make sure you set up OWA so that the Linux users can access Web mail."
AFAIK, OWA does not support email message encryption. So, now, with 1/4 of the desktops required to use OWA, it seems to me that you've just *lowered* security vastly.
"...just make sure you set up OWA so that the Linux users can access Web mail."
AFAIK, OWA does not support email message encryption. So, now, with 1/4 of the desktops required to use OWA, it seems to me that you've just *lowered* security vastly.
OWA uses IIS as its web server. It most definitely does support whatever encryption you configure for IIS, all the way up to accepting only TLS 1.2 connections.
All major modern browsers support at least TLS 1.0. I know IE and Opera support TLS 1.2, but Chrome currently tops out at TLS 1.1. Google for "BEAST attack SSL" to find stories about why browsers need to start supporting TLS 1.1 and 1.2. SSL and TLS 1.0 have weaknesses which were made public late last year.
Even if OWA used a web server that didn't support encryption, you could always just put a load balancer/SSL accelerator in front of it to do the encryption.
All major modern browsers support at least TLS 1.0. I know IE and Opera support TLS 1.2, but Chrome currently tops out at TLS 1.1. Google for "BEAST attack SSL" to find stories about why browsers need to start supporting TLS 1.1 and 1.2. SSL and TLS 1.0 have weaknesses which were made public late last year.
Even if OWA used a web server that didn't support encryption, you could always just put a load balancer/SSL accelerator in front of it to do the encryption.
I'm not a sys admin, but I do read this publication. If OWA does support encryption, as you say, I find it curious that the company I work for, a Fortune 50 company (think large Aerospace company in Seattle), does not support message encryption with OWA.
I've worked for big organisations, and switching rom Windows to a Linux desktop is simply a non starter. It shouldn't even be in the list, but then it's coming from someone with a Linux orientated background.
Jack, have you any idea what a monumental task that would be in a reasonably sized organisation? From that prespective, it's a ridiculous proposition. Think about 2 immediate things: re-training all the IT staff to a level they can provide good support is one thing, what about training thousands of end users.
That point should be qualified by adding a "for small companies only" clause.
Spend the money on securing your Windows infrastructure instead. Much more beneficial in the long run.
Jack, have you any idea what a monumental task that would be in a reasonably sized organisation? From that prespective, it's a ridiculous proposition. Think about 2 immediate things: re-training all the IT staff to a level they can provide good support is one thing, what about training thousands of end users.
That point should be qualified by adding a "for small companies only" clause.
Spend the money on securing your Windows infrastructure instead. Much more beneficial in the long run.
Where's the evidence for what is secure and what isn't? Jack seems to think that anything from Microsoft is insecure and everything else is more secure, isn't that just anecdotal?
As Microsoft software and OSes are so prevalent then of course they're the prime target for attacks and have been for some time. That actually means they are better tested and through the myriad updates we get they should ultimately become the most secure. Now that OSX is becoming more popular we are starting to see more attacks on it and it is not proving to be as secure as once thought, it's just had fewer attacks.
As Microsoft software and OSes are so prevalent then of course they're the prime target for attacks and have been for some time. That actually means they are better tested and through the myriad updates we get they should ultimately become the most secure. Now that OSX is becoming more popular we are starting to see more attacks on it and it is not proving to be as secure as once thought, it's just had fewer attacks.
As we've seen even as top-notch as Microsoft's software is not hacker-proof with numerous security vulnerabilities, at least its usability is driven more and more away from being fool-proof for increasing complexity.
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
