Defeating Zombies: Five Ways To Improve Defenses

Defeating Zombies

Attackers have a number of avenues leading directly into your network, and more importantly, into your data. Each week I read about new data losses, phishing scams and the release of hundreds of new vulnerabilities and exploits. Organizations are employing a rear guard action that is not necessarily tuned to today's attack techniques.

Tried and true defensive measures such as firewalls, anti-virus software, Intrusion Detection Systems provide "operational security", but even if this is running flawlessly, it is typically not enough. Security programs need to evolve with the latest attack trends and Internet technologies. A great blog post by Tim Mugherini titled, "Don't be the Smelly Kid" sums this up nicely. This defines a shift from attackers targeting network services, and moving towards attacking web application and client software. These new methods require updated education for management and the implemention of new and different security projects to protect your infrastructure.

Considering Halloween is around the corner, your security strategy can be compared to the situations in typical horror movies. When the defenseless victims are under attack from whatever threat is posed (zombies, Jason, Freddy, Michael Meyers, etc.), they often make common mistakes such as taking all of the furniture in the room and piling it in front of the door and leaving the windows unsecured. Shooting zombies in any other location other than the head is another good example (those who have read "The Zombie Survival Guide: Complete Protection from the Living Dead" know that the only way to destroy a zombie is to destroy the brain!).

This picture demonstrates the incorrect way to kill a zombie. Don't make the same mistakes when defending your networks!

What follows are five common areas in almost every organization that may require a change in defensive strategy. Included are examples where existing technologies and information you already collect can help you stop attackers. Additionally, some tips for using Tenable products to deal with the ever changing threat landscape are included.

1. End User Browsing of the Internet

This is one of the most exploited activities by attackers and is not just limited in scope to so-called phishing attacks. The vulnerability really lies in the user, as they will have access to valuable information at some point in their day; therefore, they become the prime targets for attackers. The attacks come in various forms, such as email phishing, malware distribution web sites,and social engineering. By far the most popular method is to embed malicious code in a web site and wait for victims to visit or use techniques to lure them. However, in some cases users require access to the Internet to perform their work, and will inevitably gain access if you restrict it by using Internet hot spots and home Internet connections. The first line of defense is to ensure that the most up-to-date client software has been installed. Popular applications to attack are Microsoft Office applications, Adobe Flash and PDF readers as well as web browsers. Keeping these applications patched can be a laborious process.

Nessus has numerous plugins to test for a wide variety of applications installed on the user's desktop. Some recent scanning of my own personal systems revealed that some applications were out of date! Even the most careful users can easily end up running vulnerable software, so it’s important to double check software installations with a local, credentialed scan of the computer that looks for software vulnerabilities. Nessus has this functionality and, in my case, found an outdated VMware Fusion vulnerability, and a vulnerability in Microsoft's Remote Desktop Connection software for OS X I wasn't using this at the time, but in certain circumstances it could be exploited by attackers if they manage to get the program to execute by enticing the user to click on a link or open an attachment.

The above screen capture comes from the latest Nessus 4.2 beta version. The plugin report output represents the new format for the latest version, and includes the extended information for the vulnerability, including the CVE, BID and OSVDB references.

2. Firewalls & Network Segmentation Providing Security

There is no question; good network design provides a more secure environment. Some decisions have to be made about how to segregate systems into subnets and what level of access is required. However, too much time is spent on this idea, when in reality it does not provide a high enough level of protection to warrant the effort in most cases. Penetration tests are typically not slowed down by network segmentation; exploiting vulnerabilities in the protocols that the systems communicate with. If you were to take this to the extreme, you would give each port on the switch its own VLAN and its own firewall rules tuned for every device that is plugged into the network. On the flip side, you could just have a wide open network where everything can talk to anything and everything. You need to land somewhere in the middle, find a comfortable balance and stick with it. Instead of relying solely on segmenting the network to provide security, consider using intrusion detection systems, and the passive vulnerability scanner on the inside of you network. This will help detect if an attacker has gotten in, detect when systems are compromised and if they are being used to attack third-party systems..

3. Believing That Anti-virus Stops Attackers

Anti-virus software serves as a good line of defense for known threats and detects some malware on systems by analyzing the behavior. There are several sites, such as Virus Total, that will test malware to see which anti-virus systems detect which strains of malware. Both professional penetration testers and attackers alike are using these sites to construct malware that will bypass defenses. Similar to intrusion detection systems, anti-virus systems need to be monitored closely and correlated with other events. In an event analysis posting on the Tenable blog, Security Center is used to verify if systems have been infected with malware by analyzing outgoing traffic. You can also use Nessus to ensure that the latest anti-virus software is installed on all of the systems in your environment. The final tip to a successful anti-virus implementation is to use more than one product. For example, use one vendor for the email anti-virus software, and a different product on the desktop. This increases your chances that any one given malware will be detected.

4. Implementing IDS/IPS Without Process

Intrusion detection systems are an integral part of your security program. However, they are only effective if you are reviewing the logs and taking action on them. Intrusion detection systems also have a tendency to put out more information than you can handle, but is still useful in correlation with other data sources, such as systems logs. There are several examples of this on the Tenable blog. For example, in a brute force SSH attack, where thousands of alerts are generated but correlation can tell you if a system was compromised or not. Not only is correlation important, but process as well. Processes need to be in place to frequently review the log information and correlate it against other sources, then act upon it in accordance with the incident response program in your organization.

5. Forgetting About "Zero Day"

While a solid patch management program is essential to your defenses, don't forget about "Zero Day". I've put "Zero Day" in quotes for a reason, as in this context, it can encompass more than just an undisclosed vulnerability that someone has written an exploit for. Fully patched systems can be vulnerable to numerous threats, such as weak passwords and mis-configurations that allow an attacker access. Not only do systems need to have the latest patches (and a process to ensure patches are installed), but must be checked regularly for default or weak passwords. Nessus contains over 31,000 plugins, some of which cover various checks for default passwords. In addition to passwords, mis-configuration can lead to compromise. For example, you may think that your Apache servers are not implementing Basic authentication, but how do you know unless you are checking? This is where Nessus's ability to perform configuration audits comes in handy as you can compare the configurations in your environment to known standards and even customize them to meet your own security policies.

Conclusion

While attackers are developing new methods to break into networks and steal data, you can take steps to defend your networks and systems. Evolving defenses does not mean starting from scratch; several of the methods described above are derived from technologies and programs that already exist in your environment. If I had to throw in a bonus defensive measure, it would be end-user education. Don't give up on this in your environment as it can be one of the most effective measures to stop the unknown threats.