Posts Tagged ‘Spyware’

Security Park – It is the employer not the employee who is the weakest link in a companies IT security

Tuesday, June 21st, 2005

Security Park – It is the employer not the employee who is the weakest link in a company###s IT security

It is the employer not the employee who is the weakest link in a company’s IT security

SurfControl has today announced the results of a new UK survey that uncovers an alarming level of complacency by employers when it comes to combating spyware in the workplace. The poll found that 21.3 percent of all respondents’ employers did not prohibit the use of Instant Messaging to contact friends, Web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing free music/video files, playing online games, running CD-Rom/DVD media or the use of USB flash drives on work PCs.

Read more

—————————————-

Well I agree with the sentiment.. well some of the sentiment, if not all of what they claim are ‘threats’.

One has to bare in mind who sponsored this report, and who is presenting the news: Surfcontrol; and they have a rather large stake in this kind of discussion.

Litterally anything can be a threat if you look hard enough. I would not call IM-ing friends a threat. I might call file-transfer via IM a threat, but not much of one…    Use of USB drives?  Well its the same issue: not being able to fully control what files pass in and out of your network.

At the moment, with the current state of affairs when it comes to files and file-systems, I would say its just about impossible to lock down your network to stop foreign files from entering your network. They trick is to mitigate what threat they do pose. AV on the desktop is one part of that, a strickt and enforced lockdown policy of the desktop enviroment is another..  and the same can be said for permiter defenses…

Its that old cost vs usability vs security arguement. You can have a little of all three, but not all at the max level. People use IM and play games to give themselves a little distraction, which I believe is a healthy thing, in moderation. Not to mention IM being the perfect productivity tools if used for work purposes.

USB sticks? Well they have taken the place of floppies. I often see people resulting to USB sticks if its the easiest alternative for getting to their data. Shutting off access to USB may mitigate some of the foreign-file threat, but I dont think it stands in relation to the added support costs you incurr, or the effect it has on worker morall. Instead, perhaps you should be focussing on giving your users what they need: Easy (and secure) access to their files; remove their reason for trying to work around the system.

And what the hell is wrong with ‘Web-based email’, ‘recreational surfing, personal online banking’. How is this a security threat? yah sure.. downloading trojans perhaps .. spyware? Mabe.. .  .. how about a software restriction policy then? If you run windows 2000 and up, you already have the mechnism to impliment it…  just a case of doing it.
How about locking down Internet Explorer? Turn of ActiveX via group policy.. its not perfect.. but its a start! Think about running Firefox on desktops yet…  might be worth considdering!

I am against the view that Surfcontrol seems to take, that any freedom you give employees, both online and off, is always a bad thing.  Try turning off all net access in your company, and lets see what it does for morale? Work should be a place you want to go to, or at the very least, not mind going to, so that means employees should be giving at least some thought to distraction and relaxation, finding that balance of productivity and fun. Blanket blocks on certain activities are not the awnser, a far more nuanced approach is needed that combines and weighs out those important ellements in the way that best suits your companies needs: cost vs usability vs security.

Companies Scramble to Deal With Spyware – My 2 cents on how to deal with it.

Monday, November 1st, 2004

http://www.newsisfree.com/iclick/i,59061908,1466,f/

I always have a little chuckle when I read this kind of article.

For quite some time I tried pointing out to people the weakness of the egg-shell model. The way in which companies place all their trust in a hard outside.. the Firewall, and basicly ignore any security inside their ‘egg’ ..  and they are thus keeping their security eggs in one basket.

When it comes to virusses, usually, companies have their act together. Of course the reason for this is that the viral threat is quite an established thing, and has been with us for quite a long time now.

However.. there are quite some virusses out there that get around virus scanners now, by using vulnerabilities in Windows that allow infection via service ports..  Blaster, Sasser are great exmples of this. I have now myself seen examples of NT4 workstations infected with trojan horse software that installs an FTP server, and it was only detected during a manual scan!

If you mention the word ‘virus’ to the average lay-person, he will know its a bad thing, and knows that you need a virus scanner. (and he may even know what he has to keep it up to date, but probably not).
However, right now, if you say to the average person the word “Spy-ware”… they dont know what you are talking about. Its gonna take a long time for it to filter into the public conciousness.

To return to my original story; security in-depth is something I still hardy see in any company. Apaprt from anti-virus messures, it seems that very few admins understand the need to secure workstations beyond some simple administrative lockdowns (turn off regedit tools, lock access to config screen, etc.) and of course a viruscanner (though not always centrally managed and thus not always up to date).

Spyware by and large, is not picked up by firewalls or virus scanners. Granted, this is slowly changing, like with Mcafee recently adding support to detect Spyware.

We are seeing a change in the marketplace. The traditional firewall is basicly dead, replaced by smarter content-filtering software. But right now, enterprise-level content filtering firewall solutions (and with solutions I mean complete systems), like that from Checkpoint, is rather expensive. Many many small to medium businesses are not in a position to upgrade or purchace additional content-level filtering systems.

Spyware is a fantastic example of WHY one should apply the principles of in-depth security and overall hardening of the IT enviroment.

(Hackers coming into your intranet though open entryways like line-of-bussiness web-applications that are insecure, or other ways that ignore permiter firewall, is another story entirely, but its not as easy to explain, doesn’t make it any less of an issue of course.. I will deal with that in a later post)

Keeping your workstations updated with the latest security patches is the least one could do to minimize the Spyware/Adware/Trojan threat, as a lot of spyware managed to install because of security flaws in Windows and IE.

On top of that, you can prevent a huge ammouint of spyware problems by locking down IE settings using system or group policy. Turning off ActiveX is of course a start, set strict security settings on the ‘Internet’ security zone via security policy.

IF you are running XP on desktops, and if you possibly can (without breaking every line-of-bussiness web-app you have), roleout Service Pack 2! The information bar is a godsend for getting end-users to understand what is going on, the kind of information IE6 with SP2 puts out about software installation and downloads is just great.

As for software, it might even be worth it drawing up and official list of websites that have been approved by you or your department, and that have thus been specificly added to group-policy as trusted sites for instance. of course you can completely configure the properties of the trusted site zone.

When it comes to software itself, you might want to specificly lock down which applications are even allowed to run or be installed within your desktop enviroment.

Remember that simply denying the right to install software on workstations is a useless restriction if spyware manages to exploit a hole in Windows or XP. On top of that, there are always people in your company that will run outright with local admin privileges, yourself for instance, but often also developers and other members of your IT department, like your service desk. Can you be sure that those systems wont be infested with adware?

Using Software Restriction Policies to Protect Against Unauthorized Software

Granted, its gonna be a lot of work initially.. but once you have this implimented, you are able to retain almost complete control over what is running on users’ systems. Any new software can be easily added to the list if needed. Make up an easily accessable list on your intranet, explain why you are doing this, educate! educate! educte!, and make it as easy as possible for people to request software to be added to the approved list, as there will invariably be a need for this.

The key to a successfull security strategy is getting the user-base on board!
Educate!
(An uninformed user is an insecure user)
Explain! (Why am I implimenting these restrictive security policies)
Be open about it! (This is what I am doing, and this is why, and here is where you can respond with your feedback)
Get them involved! (Get into a two-way relationship with them about discussing security vs ease-of-use, exept feedback and remember their point-of-view! Do round-table discussions, talk to key users, talk to management about corperate security policy, etc.)

Oke..

Thats about it for now…  I can continue like this for hours, as I burst with security-related idea’s..   But I am at work right now, and should be running calls 😉

I will end with a bunch of great links to tackle desktop security and the Like.

Security/Patching recources @ MS Technet Desktop Deployment Centre

Internet Explorer Security Centre @ MS Technet Security Resource Centre

The AntiVirus Defense-in-Depth Guide @ MS Technet Security Guidence Centre

Chapter 6: Software Restriction Policies for Windows XP Clients @ Windows XP Security Guide

Microsoft Security Guidance Center: Desktop Security Index

Using Software Restriction Policies to Protect Against Unauthorized Software @ Maintaining Windows XP

Spyware Explained @ Anti-Trojan.org

Building and Implementing a Succesfull Information Security Policy @ WindowsSecurity.com

Web Browser Vulnerabilities: Is Safe Surfing Possible? @ WindowsSecurity.com