Try These Strategies
By David F. Carr | Posted 2006-02-06
As network attacks become more sophisticated, companies must constantly sharpen their security strategies to compensate.
"In that case, the e-mail is going to be handcrafted, with a subject line designed to appeal to that specific person," says Patrick Hinojosa, chief technology officer at security software firm Panda Software.
Whenever the attacks get more sophisticated, your defenses must, too. Here are three strategies corporations need to review.
1. Wrap Security in Layers
Rather than seeking a cure-all, you want what security experts call a "defense in depth" strategy, where one layer of protection will save you when another fails.
In other words, protect the perimeter of your network with firewalls, e-mail filters and other automated guardians. But operate on the assumption that some attacks will get around those perimeter defenses. That means taking steps to educate users about proper security hygiene as well as equipping desktop computers and servers to defend themselves.
2. Spread the Word
When it comes to attacks that employ social engineering, "the last link in the security chain is always going to be the user," says Travis Witteveen, a vice president at antivirus vendor F-Secure.
The role of user education in protecting against these attacks is the subject of some debate. Computer security pioneer Marcus J. Ranum argues in his essay "The Six Dumbest Ideas in Computer Security" that trying to inform users about every attack they could be subjected to is a losing battle and that systems should instead be redesigned to be more secure.
Yet, in the absence of inherently secure computer systems, many security experts think user education has to be part of the game plan. "I think it's essential for businesses of any scale to help users be aware of security issues," says Steve Fallin, director of the rapid response team at WatchGuard, a maker of e-mail security appliances.
John Loyd, director of information technology at Chantilly, Va.-based engineering and land development firm phr&a, says that when his staff noticed an uptick in attacks based on the Bagle worm last June, his e-mail filtering software caught it. But he still sent a security bulletin to employees reminding them that they would violate corporate policy if they used work computers to access personal e-mail accounts, which would not be protected by the company's filters. "Education is not futile," he says. "It's part of a layered program."
3. Harden the Targets
Because something could sneak past your perimeter and network defenses—and then also manage to fool your users—each computer on the network needs to be smart enough to defend itself. Ideally, systems ought to be able to fend off even a new attack for which no attack "signature" has been identified. As Brozycki's experience at the credit union shows, some antivirus products are smart enough to recognize malicious code even without a specific attack signature.
Loyd uses a product from SecureWave called Sanctuary that's designed to stop worms and viruses by preventing unrecognized software from executing on the user's computer. This is a "whitelist" approach that allows only recognized software to run. Loyd's staff maintains a whitelist that includes standard Windows executables and other authorized programs.
With this approach, Loyd hopes to protect against zero-day attacks. For example, in response to the Microsoft WMF vulnerability, phr&a removed the viewer for that file format from its whitelist. That may not have been the perfect solution, but it gave the company a degree of protection a couple of weeks before Microsoft released a patch for the bug.
But this tactic means users who want to run a program downloaded from the Web—such as the land planner who wanted access to Google Earth—must first put in a request for Loyd's staff to review it and add it to the whitelist.
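As an added illustration of the whitelist approach described above (example code written for this page, not SecureWave Sanctuary or phr&a's actual configuration), the following Python models an allowlist that binds each approved path to the hash of the binary that was reviewed, so that both an unreviewed download and an approved program overwritten in place are denied, and shows revoking an entry as a stopgap for an unpatched file-format bug. All paths and binary contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Allowlist:
    """Execution is permitted only when path AND content hash match a reviewed entry."""
    entries: dict = field(default_factory=dict)  # path -> approved SHA-256 hex digest

    def approve(self, path: str, content: bytes) -> None:
        """Staff review step: record the exact binary that was inspected."""
        self.entries[path] = hashlib.sha256(content).hexdigest()

    def revoke(self, path: str) -> None:
        """Zero-day response: pull a program until a vendor patch is available."""
        self.entries.pop(path, None)

    def decide(self, path: str, content: bytes) -> tuple:
        """Return (allowed, reason) for an attempted execution."""
        approved = self.entries.get(path)
        if approved is None:
            return False, "not on allowlist"
        if hashlib.sha256(content).hexdigest() != approved:
            return False, "hash mismatch: binary changed since review"
        return True, "approved"


def demo() -> dict:
    """Walk the article's scenario with constructed paths and fake binary contents."""
    wl = Allowlist()
    notepad, viewer = r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\imgview.exe"
    wl.approve(notepad, b"MZ notepad (constructed)")
    wl.approve(viewer, b"MZ image viewer (constructed)")
    results = {}
    # An approved program, unchanged since review, is allowed to run.
    results["approved"] = wl.decide(notepad, b"MZ notepad (constructed)")
    # A freshly downloaded program is blocked until staff review adds it.
    results["downloaded"] = wl.decide(r"C:\Users\planner\Downloads\mapper.exe", b"MZ unknown")
    # A worm that overwrote an approved binary in place fails the hash check.
    results["tampered"] = wl.decide(notepad, b"MZ notepad (constructed) + payload")
    # Response to an unpatched file-format bug: revoke the viewer outright.
    wl.revoke(viewer)
    results["revoked"] = wl.decide(viewer, b"MZ image viewer (constructed)")
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:10s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

A path-only whitelist would have let the tampered binary run; binding the entry to the reviewed hash is what closes that gap.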
For some large companies, that process may be too cumbersome. Gary McGraw, who researches software security as chief technology officer of Cigital, says his firm developed a similar whitelist solution, which is used by the National Security Agency. But so far, he doesn't see great demand for such a restrictive solution from most corporations. In McGraw's words: "It's definitely heavy-handed."