Dr. Tom Shinder’s Blog


We’ve Won the Battle — Users Make It Impossible to Win the War

As a security professional, you realize that security is a process, it’s a state of mind, and it’s a continuous technological game of cat and mouse against the bad guys. In many ways, the situation is no different than that we encounter in medicine. There is a constant race between pharmaceutical companies and bacteria and viruses. Each time a new antibiotic or antiviral agent is developed, the bacteria or virus is able to defeat it by mutating to a strain that is resistant to the antibiotic or antiviral agent. The pharmaceutical companies then need to come up with a new drug to combat the mutated strains. This has been going on since penicillin was discovered and will continue until the end of time.

However, we have reached at least a dynamic balance, and for the most part, the battle against infection has been won. Sure, you read about high profile cases of methicillin-resistant Staphylococcus aureus (MRSA), but the actual number of cases is infinitesimal. HIV is a bigger problem, but I believe that we’ll win that battle too. However, we’ll likely never win the war.

I believe that we have the same situation in the computer security scene. We have a wide variety of technologies that can be deployed at every level that can help us defeat the bad guys. When the bad guys come up with a new worm, virus, or trojan, our technologies are updated to defeat it. We’re in a state similar to that in medicine now, where we have a dynamic balance indicating that we’ve won the battle against the bad guys. However, in the same way that we’ve won the battle against infection, we’ll likely never win the war.

Why? Users. Look at the HIV situation. It’s really easy to not get HIV if you adjust your behavior (let’s exclude the unusual cases, such as blood transfusion). It’s really easy not to get a virus, trojan, or bot, or not to lose information to a phishing or other social engineering scheme — just change the user’s behavior.

Users still click on links from untrusted individuals, they still go to Web sites that they should not go to, they still download programs and applications from untrusted sources, they still enter personally identifiable information on phishing sites, and they still open email attachments. They still do all the things they were doing ten years ago, and they’re even doing it in greater numbers and more often.

If you look at the major security incidents in the last three years, you’ll see something interesting. The incidents didn’t take place because there weren’t enough firewalls in place, they didn’t take place because there wasn’t enough AV or AM software installed, they didn’t take place because of lack of perimeterization, and they didn’t take place because of a lack of an SSL VPN.

They almost all took place because the user did something unwise from a security point of view.

We will never get close to winning the war if we don’t require that users meet minimum knowledge requirements for using a networked computer. In the past there were discussions of an “Internet Drivers License” and at the time I thought the idea was ridiculous. It just goes to show that I’m wrong more often than right, because the Internet Drivers License concept is probably the only thing that will get us close to winning the war against bad guys.

I therefore propose that no user should be allowed to work on a networked computer without passing a test and requalifying every year. The test would show that the user can tell the difference between a real email message and a scam message, that the user can tell a safe Web site from an unsafe site, that the user doesn’t open email attachments from untrusted users and can tell whether or not an attachment from trusted users is safe, and that the user is able to recognize a number of social engineering exploits.

This solution won’t be a panacea, but it will be a major step in the right direction. Will it ever happen? I think so. Governments from all over the world are increasingly insinuating themselves in the personal lives of their citizens, and a national security argument can definitely be made for this type of requirement.

What do you think?

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

10 ways you might be breaking the law with your computer

Found a really interesting article on ten ways you might be breaking the law with your computer, written by Deb Shinder (who happens to be my wife). With so many new laws coming out every month regarding computers, computing and networking, you can be sure that sooner or later you’re going to be on the wrong side of one of them. Check out this article to see if you’re in violation already (applicable to US laws):

http://blogs.techrepublic.com.com/10things/?p=356

HTH,

Tom

The 7 Dirty Secrets of the Security Industry?

Another interesting article came up on my radar this week. This article, entitled “7 Dirty Secrets of the Security Industry”, covers what Joshua Corman, principal security strategist for IBM/ISS, says are the 7 secrets that security vendors don’t want you to know. To read the original article, check out http://www.networkworld.com/cgi-bin/mailto/x.cgi?p...s.html

Like most wonks (including myself) he’s more often wrong than right regarding these secrets. To prove this, let’s take a look at each of these:

Antivirus certifications are misleading. Corman states that “Certification means a product caught 100% of 25% of the bad stuff”. He doesn’t provide any data to back up this claim, but I don’t have any data either, so let’s give this one to him. The data backing up his claim certainly appears to be a secret.

There is no perimeter. Here’s where Corman is dead wrong, as we’ve discussed many times on this site. As we know, there is no “perimeter”; there are multiple perimeters. And using his own words, you’d have to believe in Santa Claus to believe there are no perimeters.

Risk analysis threatens vendors. He essentially is saying that if companies analyze their requirements, they won’t buy security software. He’s right and wrong here. In some cases, companies won’t buy security software after doing a risk analysis. In other, and arguably more frequent cases, companies will do a risk analysis and realize that they do need to purchase security software. So, Corman is half right here, but more importantly, half wrong.

There is more to risk than just weak software. Corman gets an A+ for being right about this one. The weakest link in the security chain is your users not complying with computing best practices.

Compliance threatens security. Corman makes a somewhat slippery conclusion that if an organization seeks to comply with industry regulations, it will provide attackers key information about what exactly has been done to secure the network and its data. As we know here at WindowSecurity.com, regulatory guidelines are so vague that any information an intruder might glean about your defenses from those guidelines is worthless. In fact, the entire process of regulatory compliance forces a company to look at its current security posture, and thus improves overall security through increased awareness and attempts at due diligence. Here again, Corman is wrong.

Vendor blind spots allowed the Storm worm outbreak to happen. The argument Corman makes here is that AV solutions are not perfect, and also they don’t work if you don’t have them installed. What can I say here? Yes, he’s right. But this is no secret.

Security has grown well past do-it-yourself. Corman says that software needs to be installed and configured. Yep, you bet. And your IT staff can do this themselves. Not only is this not a secret, it’s just incorrect. I know hundreds of companies that manage their own security, and do it well. Again, Corman comes out in the red on this one.

I’m glad Joshua came up with these secrets and gave a talk about them at Interop in Las Vegas this year. I found them very interesting, and clearly he was trying to stir up the crowd. Sometimes when you stir up the crowd you have to mislead them a bit. Just as when P.T. Barnum told his crowd “This way to the egress!”

HTH,

Tom

There is No Perimeter? NOT.

I read an interesting blog post by Chad Perrin at http://blogs.techrepublic.com.com/security/?p=455&...l.e036

What I found interesting about it is that Chad was trying to correct the misconceptions or the attempt to promulgate misconceptions by software vendors, regarding the issue as to whether there is a “perimeter”. Chad’s argument is that there is “a perimeter, kinda”.

It’s fascinating to me to hear these things, since experts in network security have known for years that there is no such thing as “a perimeter”. The fact is that there are, and have always been, multiple perimeters on computer networks. The problem is that people who aren’t “in the know” still believe in the education (née marketing) promulgated by Cisco and other firewall vendors that there is one perimeter — the Internet edge of the network. This is not true, nor has it ever been true.

Perimeters can be defined in multiple ways, but they always represent a demarcation between security zones. There are multiple ways you can define security zones. For example, you can define a security zone by the level of trust you have in a collection of computer resources, and then place those devices within the same security zone. Or, maybe you should consider your level of mistrust in a collection of computers, based on what the damage would be if one or more of the machines in that collection are compromised. Or you can define your security zones based on the level of trust you have for different levels of users, and define your perimeters based on users inside and outside your organization.

The key issue is that communications moving between your different security zones must cross a perimeter device that does the following:

  • Controls who can cross the perimeter
  • Controls what can cross the perimeter
  • Controls what protocols can cross the perimeter
  • Logs who has attempted access across the perimeter
  • Logs what applications have attempted access across the perimeter
  • Reports on who has accessed what content, using what protocols, at what time and on what day, across the perimeter

Only by recognizing that there are multiple perimeters that must be maintained and monitored will you be able to achieve real access control and the ability to perform accurate forensics in the event that there has been a data breach.

Note that this example includes only network perimeters. There are other perimeters that you need to control. The computer hardware perimeters of the CD/DVD drive and burner, the USB port and the FireWire port all represent hardware perimeters that you need to control.

The data itself also represents a perimeter. You need a way to determine who has accessed the data, who the data was sent to, and who copied or printed the data.

Data security is all about security zones and perimeters. That’s why I always get a laugh when I hear “there is no more perimeter” — that’s right, there never was “a perimeter”; there have always been multiple perimeters.

HTH,

Tom

U.S. Department of Defense Information Assurance Support Portal

Ran across a great site today that contains tons of useful information for the Microsoft security admin — the U.S. Department of Defense Information Assurance Support portal. Here you can find helpful security information such as Security Technical Implementation Guides (STIGs) for Windows and other operating systems, including so-called “hardware” operating systems.

The portal is located at:

http://iase.disa.mil/index2.html

On the Security Technical Implementation Guides (STIGS) and Supporting Documents page, you’ll find helpful information including:

  • Security Checklists
  • Security Readiness Review Evaluation Scripts
  • Security Technical Implementation Guides (STIGS)
  • DoD General Purpose STIG, Checklist and Tool Compilation CD

If you go to:

http://iase.disa.mil/stigs/stig/index.html

you’ll have direct access to the downloads. If you click the SRRs link, you’ll have access to the Windows Gold Disks, which include tools that you can use to evaluate and configure your environment.

HTH,

Tom

The Windows Server 2008 Security Configuration Wizard

Windows Server 2008 includes the Server Manager, which you can use to install Server Roles and features. One of the major enhancements included with the Windows Server 2008 Server Manager is that when you install roles and features, security best practices are built in and the machine is configured with an optimal security configuration to support the services and features you installed through Server Manager.

So, you’d think there would be no place for the Security Configuration Wizard (SCW) in Windows Server 2008, right? We needed it for Windows Server 2003, since the installation routines for server roles and features didn’t take into account security best practices. But why would we use it in Windows Server 2008?

Well, you can use the Windows Server 2008 Security Configuration Wizard to help keep your server secure by checking for possible vulnerabilities that were introduced after the Server Manager installed the Roles and Features. You can also use the SCW to create policies for roles not installed by using Server Manager (you might have programmatically installed a role or service, which bypasses security best practices).

You can also use SCW to create and apply server security policies when you:

  • Modify the configuration of a default component on a Windows Server 2008-based computer. However, using SCW after modifying a role or feature through Server Manager is not a requirement.
  • Create and apply policy for server roles not installed through Server Manager, such as Microsoft® SQL Server® or Microsoft Exchange Server. SCW includes policies for many roles and features not installed with Server Manager.
  • Define new roles for non-Microsoft applications and create and apply policy for those roles. Run SCW whenever a non-Microsoft application is added or removed. SCW has a public schema for organizations to create new roles.

And remember, the SCW is also tightly integrated with the Windows Advanced Firewall, so it takes care of the inbound and outbound access control rules you need for the firewall.

For more information about the Windows Server 2008 SCW, check out:

http://technet2.microsoft.com/windowsserver2008/en...r=true

HTH,

Tom

Microsoft Publishes Free Secure FTP Server Add On for IIS 7.0

George Ou notes in his blog that Microsoft has recently released a free Secure FTP server for the IIS 7 platform. You can find his post at http://www.formortals.com/Default.aspx?tabid=36&am...yID=39

One thing that I’d like to clarify is a point that George made regarding server certificates. When deploying secure SSL (TLS) servers, you need to install a server certificate. You can use commercial certificates (that you purchase from commercial certificate providers) or you can create your own certificates.

The advantage of using commercial certificates is that the commercial certificate providers have their root CA certificates included with Windows operating systems, in the Trusted Root Certification Authorities user and computer certificate stores. This allows your user account and the machine account to trust the certificates presented by the secure server that you’re connecting to.

This solves the problem of the dialog box popping up in the browser indicating that you don’t trust the machine and would you like to continue. In addition, many applications will not present you with a dialog box asking if you would like to connect in spite of not trusting the certificate presented to you by the server; instead, the connection just fails.

It doesn’t matter if the commercial certificate is a “brand name” or something like GoDaddy. What does matter is that the commercial CA’s root certificate is in your clients’ Trusted Root Certification Authorities certificate store.

I checked my Windows XP computer’s Trusted Root Certification Authorities store and found GoDaddy’s CA certificate there, as seen in the figure below. So, your GoDaddy certs are as good as any certificate from VeriSign, since GoDaddy is trusted by your client machines.

In contrast, when you create private certificates, you do so because you do NOT want unmanaged machines to connect to your secure resources. In order to trust your private CAs, you have to use other mechanisms, such as Active Directory and Enterprise CAs and autoenrollment.
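The trust question above comes down to one check on the client: does the server’s certificate chain up to a root that sits in the client’s Trusted Root Certification Authorities store? The PowerShell function below is an added example, not code from the original post or from Microsoft; it assumes the server certificate has been exported to C:\temp\server.cer (a placeholder path) and uses the .NET X509Chain class to build the chain the way a Windows client would. A certificate issued by a private CA whose root you have not distributed (via Active Directory, Enterprise CA autoenrollment or Group Policy) shows up here with the UntrustedRoot status, which is the same condition that makes an SSL/TLS application fail to connect.

```powershell
# Added example (not from the original post or from Microsoft).
# Checks whether a server certificate chains to a root this client already trusts,
# and reports which chain-building errors (e.g. UntrustedRoot) a client would see.
function Test-ServerCertTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,
        [switch] $IgnoreRevocation   # offline lab: skip CRL/OCSP lookups
    )

    # Load the exported server certificate (DER or Base64 .cer).
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    if ($IgnoreRevocation) {
        $chain.ChainPolicy.RevocationMode = `
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    }

    # Build() walks issuer links through the Intermediate and Root stores of the
    # current user and machine; it returns $false when the chain has any error.
    $built = $chain.Build($cert)

    # The last element of the built chain is the self-signed root it ended on
    # (for a private CA this is your own root, whether or not it is trusted).
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that root actually present in the machine-wide Trusted Root store?
    $inRootStore = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }

    # Collect the status flags a client would evaluate (empty when fully trusted).
    $errors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainRoot   = $root.Subject
        RootInStore = [bool] $inRootStore
        Trusted     = $built
        ChainErrors = ($errors -join ', ')
    }
}

# Placeholder path; export the certificate from the FTP/HTTPS server first.
Test-ServerCertTrust -CertPath 'C:\temp\server.cer' -IgnoreRevocation
```

Run it on a representative client, not on the server: the server naturally trusts its own private root, so it is the client’s store that decides whether the connection succeeds.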

HTH,

Tom

Good Article on Installing Hyper-V

Tarek Majdalani (known by his friends as Elmajdal) has put up a great article on how to install Hyper-V on a Windows Server 2008 machine. Part 1 is up now, and part 2 should be up sometime next week.

While not strictly a security issue, I think you’ll enjoy Tarek’s articles. He shares my passion for including screenshots with articles, which makes them a lot more fun than reading a bunch of words and trying to figure out command line arguments :)

Check it out at:

http://www.elmajdal.net/Win2k8/Installing_Hyper-V_...I.aspx

HTH,

Tom

SMB2 Parser Now Available for Network Monitor 3.1

One of your key skills as a Microsoft network security admin is to be able to read network traces. In order to read network traces, you need a way to obtain them. One of the best (and free) network analysis tools available today is the Microsoft Network Monitor. No, I’m not talking about the old Network Monitor included with versions of Systems Management Server (SMS). I’m talking about the new, standalone version, Network Monitor 3.x.

However, you need more than just a network analysis tool. You need parsers that the tool can use to translate the protocols that you’re sniffing. The latest version of SMB, SMB2, hasn’t had a parser for Network Monitor. That is, until now.

Download your new parser for NetMon 3.1 at:

http://blogs.technet.com/netmon/archive/2008/05/06...1.aspx

HTH,

Tom

Two Great Tastes that Taste Great Together: NAP and Forefront Client Security

You know about Network Access Protection (NAP). It’s the new Windows Server 2008 technology that allows you to control which hosts are allowed to connect to your network based on the security configuration of the client systems that try to connect. If the client can’t pass the NAP tests, then it’s not allowed to communicate with hosts on your network, except for those you have allowed it to reach so that it can remediate.

Forefront Client Security (FCS) is an enterprise grade anti-malware solution that provides for centralized management of malware detection and prevention that also gives you enterprise security status reporting.

Wouldn’t it be great if you could have these two technologies work together? Work together so that you can establish a system health policy that NAP uses to determine whether client computers that run Forefront Client Security comply with the policy before they are allowed access to network resources? Yes it would!

If you agree, then check out the Microsoft Forefront Integration Kit for Network Access Protection at http://blogs.technet.com/secguide/archive/2008/03/...n.aspx

The benefits of the solution include:

  • Boosts security. The Kit strengthens your malware defenses by integrating two key Microsoft security technologies: Forefront Client Security and Network Access Protection.
  • Saves time and reduces IT costs. The Kit’s system health validator (SHV) allows you to quickly establish health policies for Forefront Client Security installations on all network clients. The system health agent (SHA) automatically monitors the health of these installations network-wide, and remediates problems—freeing up scarce IT resources for other tasks.
  • Easy to deploy. You can install and configure the Kit in just a couple of hours.

HTH,

Tom
