Security Watch

Windows Security: Thinking Beyond the Day-to-Day Hype

Why you shouldn't be worrying about many of the recently reported Microsoft vulnerabilities. Really.

Over the past month or so we've seen a return of the hype about vulnerabilities in Microsoft products. It's not like it ever really left, but since the vulnerability in .WMF handling from December, it seems we've had one story after the next about some new zero-day, remotely exploitable vulnerability in Microsoft software that should get your panties in a twist.

Why?

I mean, really, why should you get alarmed? Why should you care? What's happening that really matters to your day-to-day business?

The answer is absolutely nothing. Let's consider some facts:

  • New viruses emerge every day. Typically, a new virus definition file is published by your anti-virus vendor every day. If you don't get the update, potentially you could get one of the new viruses.
  • New sites with spyware, adware or out-and-out malware are set up every day. The vast majority of such URLs are unknown, and those that worked yesterday probably won't work today -- they've either been taken down or just changed their URL.
  • Some employees will try something today to get something they shouldn't be allowed to, either by social engineering, running a tool or continuing their brute force password attempts.
  • Bots continue to run every day, randomly trying to break into IP addresses they generate. They try many ways, usually attempting to exploit the latest vulnerabilities announced.

In other words, we're under constant and relentless attack now. We have been for a long time, and are likely to be for a long time to come. If you think the only reason you haven't been compromised yet is because you've kept up-to-the-minute with patches and anti-virus signatures, then I have a bridge to sell you.

Attacks vs. Attack Methods
As you know, most attacks come by e-mail, Web or insiders. You can get granular over the latest attacks, or you can focus instead on protection from these methods:

  • E-mail: Malicious e-mail without an attachment is virtually non-existent in the real world (excluding phishing). You can either block the attachments, or if you must let them through, pick a two-character extension that anyone wishing to send you an attachment must use. Doing so prevents everything from automatically executing should a user double-click on it. Yes, it seems more cumbersome, but how will you feel about not having to worry about e-mail as an attack vector any more?

    As for phishing, to stop it dead in its tracks, convert HTML mail to plain text. URLs that once read "www.yourtrustedbank.com" will become "304.192.77.1/passwordstealer.php."
  • Web: The real threat from the Web is that a popular trusted site becomes compromised. It has happened in the past, and it's going to happen in the future. There's nothing we can do about that except hope that the site isn't really that popular. The attack that will be used is likely to be an old one. Patch your browser regularly, but remember that you're patching against an extremely rare occurrence. Ask yourself, how many times have your browsers been compromised by visiting a reasonably business-related site?

    Make sure you have a policy in place informing your employees they shouldn't be taking risks with the sites they visit while at work. Should an employee's browser become compromised, they likely have visited a site they shouldn't have, and have therefore violated the policy. That should be enough to keep them away from the sites most likely to exploit a browser flaw. I realize it sounds too simple to be true, but it's enough to turn the already rare occurrence into an unbelievably rare one.
  • Insiders: More often than not insiders are going to do something trivial, not write and run an exploit against a vulnerability. They'll watch an administrator type a password, or use a desktop that's already logged in and not protected with a password-locked screensaver. In other words, you've got lots of non-vulnerability related stuff to worry about already -- work on those. Certainly you have to pay attention to vulnerabilities in your critical security infrastructure -- domain controllers, payroll servers, etc. -- but desktop vulnerabilities can be way down your list of things to get hyped up over.
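The HTML-to-plain-text step recommended under "E-mail" above, as an added example that is not code from the column: it renders each link's real href beside its visible text and flags links whose text names a different host than the target, which is exactly how a reader notices the "trusted bank" link pointing elsewhere. The sample message body is constructed; 203.0.113.5 is a documentation address.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _host(value):
    """Hostname of a URL, or of bare 'www.example.com' style link text."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname

def _looks_like_url(text):
    # Only compare hosts when the visible text itself looks like a URL/hostname.
    return "." in text and not any(c.isspace() for c in text)

class LinkRevealer(HTMLParser):
    """Render HTML mail as plain text with each link's real target shown
    beside its visible text, and record text/href host mismatches."""

    def __init__(self):
        super().__init__()
        self.out = []          # plain-text fragments
        self.mismatches = []   # (visible text, real href) pairs
        self._href = None      # href of the <a> currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor_text = []

    def handle_data(self, data):
        (self._anchor_text if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._anchor_text).strip()
            self.out.append(f"{shown} <{self._href}>")   # real target made visible
            if _looks_like_url(shown) and _host(shown) != _host(self._href):
                self.mismatches.append((shown, self._href))
            self._href = None

def reveal_links(html):
    """Return (plain_text, mismatches) for one HTML mail body."""
    p = LinkRevealer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.mismatches

# Constructed sample body (not a real message).
SAMPLE = ('<p>Please verify your account at <a href="http://203.0.113.5/passwordstealer.php">'
          'www.yourtrustedbank.com</a> today.</p>')
```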

Risk Assessment vs. Panic
We've been told about alert levels going up because of the disclosure of some vulnerability…to what end? The easy answer is that because they went up, because people were alerted…we missed the "digital pearl harbor" or massive attack. Bah! People got press, the media had a story to write about, and life continued as if nobody had said a thing.

This column was originally published in our weekly Security Watch newsletter.

I'm all for worrying about risk, but if you live in a constant state of panic, how will you know when you really need to burn the midnight oil doing something to protect yourself?

Here's a set of questions you can ask yourself the next time someone's warning you about some new vulnerability:

  • Is there actually an attack? If no, forget about panicking.
  • Does the attack require me to do something to be compromised (e.g., go to a Web site, click on a link or execute anything)? If yes, forget about panicking.
  • Does the attack yield higher privileges than the victim has? Can it easily get the "goose that lays the golden eggs" at your company? If no, forget about panicking.
  • Can the attack ruin your company's reputation? If no, forget about panicking.

Effective risk analysis is the key to successful administration. It really is that simple.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
