Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: From extreme to in depth - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
From extreme to in depth
Warning: some might get offended by some of the initial thoughts in this story. Please read till the end before you vent the frustration.

I'm also not trying to bash on Microsoft. If I were I'd have borrowed a subject of some spam message I got recently: "forget microsoft, get big and hard". I'm just trying to show how you can come from an extreme reasoning to a workable solution to protect those assets that need protection.

Suppose you defend a place that has high to very high security needs and wants to avoid the wmf thing at all cost. Reasons to do this should be based on a risk assessment, but elements that might lead to such extreme conditions might include:
  • No patch in sight from Microsoft
  • Not wanting to infect peers such as customers
  • Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
  • Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect
Suppose you are basically just not capable of accepting the risk associated with the WMF vulnerability, almost no matter what you break. In such a case you have big avenues to walk:
  • Ban Microsoft products in your environment
    • I told you we were going to start from the extreme viewpoint, so hold your horses.
    • What does it buy?
      • No windows, no windows WMF vulnerability
    • What does it not buy?
      • You still can pass on dangerous payload to others like to your customers.
      • If a single escaped machine remains or a single machine snuck back in, you still might get affected.
  • Ban all communication and/or file exchanges
    • Extreme again isn't it? Moreover it is perceived very hard in a modern world.
    • What does it buy you?
      • You prevent yourself from getting and giving dangerous payload to all peers
    • What does it not buy you?
      • If a single file would sneak in, or be present already, you might still have a major problem
      • You have sacrificed a lot of the availability to gain confidentiality and or integrity
With those extreme paths in mind, think about what it can do for you, which parts can help you in your setup and  with your risk assessment help.

Most of our readers do not have the extreme "at all cost" risk situations.

Most of us have a situation where we have a business, and the business must continue to operate. In such a business however you will identify  -if you look for it- areas that might need more protection and are willing to sacrifice more for that protection than other parts of the same business.  That difference in need for protection is what you can play on to do something.

E.g.: Suppose I know the accounting department was considered sensitive and due to the risk analysis performed, worthy of more extreme measures then other departments.

What could I try to do to use some of the very extreme ideas and build a safer solution for them now and in the next weeks ?
  • Isolate them frmm the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
  • Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:
    • Make sure switch ports automatically shut down when try try to learn a second MAC address
    • Assign only DHCP addresses to known MAC addresses
    • Kick unknown MAC addresses into a separate VLAN
    • Use layer 2 measures (such as private VLANs) to prevent client-to-client communication
  • Disallow dangerous usage:
    • Disallow IM
    • Disallow web surfing
    • Disallow email, or strip all attachments from the more secure email server they get access to.
  • Now no surfing, no email, ... etc can be hard on the users and they might have really good arguments to have the functionality back.
    • Build a second less sensitive network on different infrastructure
    • Add machines for those that need the web/email/...
    • Allow them to surf the web (with traditional restrctions) on those "less" secure machines but not on the "sensitive" machines which are to be used exclusively for their sensitive application(s).
    • Be very procedural and build the needed infrastructure if you want to allow transfers between the two environments.
  • The more traditional stuff should not be forgotten, especially not on the more secure side:
    • Take a tough stance on updating Anti-virus signatures
    • Look for unregistering the DLL as per Microsofts suggestion
    • May be consider an unofficial patch from some reputable source
  • Look for other platforms
    • This is hard as training users to switch platforms takes time, and worse applications might not have clients for other platforms that work properly. Still it's one way out of the de-facto monoculture of operating systems and related vulnerabilities. We know from agriculture monoculture has risks. If we want not to accept the risks we need to act on it as well.
  • Look for other strongholds to build
    • If you have more than one sensitive section in you company, build more of these strongholds, do not build larger ones.
    • More smaller ones will contain the spread of infections and the associated risks and costs in clean up better under control.
So basically I'm back to a very in depth security approach that when compared to medieval defenses is the equivalent of not trying to build a city with a huge wall around it, because it's too much of a hassle and too costly. But instead trying to build a city with a somewhat flimsy wooden palisade and build for the few nobles we have a big sturdy donjon to protect them, even at the cost of some discomfort in the process.
Add to that that families of nobles get their own donjon so as not to risk all nobles getting wiped out in one go should disease strike the city.

--
Swa Frantzen







Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!