Chief Security Officer’s Tool Kit (Small to Large Jobs)
This article is the first in a return to my old blogging routine. It covers a “Chief Security Officer’s Tool Kit (Small to Large Jobs)”: what a Chief Security Officer should do under which conditions, as a kind of do’s and don’ts list. Some of it, in the “Home User” section in particular, may be in layman’s terms.
Home users usually need fewer security tools than a UTM (Unified Threat Management) solution provides, but there are many tools on the market to keep them safe, plus a few basic precautions and things to look out for when online.
Recommended Tools to Fix or Help the User
Anti-virus – (recommended) Avira Anti-Virus Suite is a great free tool, and they offer versions with more features for a small fee. Their products range from mail, web, SharePoint, anti-spam, three types of web proxy and Exchange protection to many server solutions, mobile products, bundles and free stand-alone tools. They offer products for Windows and Linux, though I could not find the Linux one. The downside of the free product is a pop-up advertising their products every time you boot. – http://www.free-av.com/
Spybot Search & Destroy – Anti-spyware tool with a great hosts file update feature called “Immunize”. For more on your hosts file, or more tools, check my article Your Host-File Can be your Best Friend if in Use!!! – http://www.safer-networking.org
SUPERAntiSpyware – Anti-spyware tool with great memory features. – http://www.superantispyware.com/
Secunia – This tool looks up any installed application in its database and reports whether that application has a publicly known flaw and whether a fix is available. It does the same for the operating system. – http://secunia.com/
CCleaner – This tool helps you remove temp files, and makes it very easy to find and clean many locations in the OS. It offers several wipe methods: simple (one pass), DoD 5220.22-M (3 pass), NSA (7 pass) and Gutmann (35 pass). It also has a registry cleaner. – http://www.piriform.com/ccleaner
TrueCrypt – A great encryption tool with many tools and features built into the application. – http://www.truecrypt.org/
PC Tools Firewall Plus – (recommended) – http://www.pctools.com/firewall/
Comodo – This tool did not give me a good experience; I found it annoying. It is rated among the best firewalls in the world, and it did perform as one. It has a great sandbox feature, but as far as I found, anything created in the sandbox can’t be saved to the OS, and it is not that user friendly. – http://www.comodo.com/
Sandboxie – One of the best tools I have ever found. It lets you run any application (except itself) in a sandbox, and shows you are in a sandbox by putting a # in the application’s title bar. I don’t think it will save you from exploits, but I have not tested that yet. It keeps all files away from the OS, tells you when a file wants to be written to the OS, and makes it a little too easy to bring it out to the OS. – www.sandboxie.com/
Avast! – I found out about Avast! Process Visualization (avast! Sandbox); it seems like good technology for threat detection, but I did not use it. I would not recommend it as a first choice, as I found Avast! signatures are not as advanced or up-to-date (my tests; don’t send me hate mail). –
For more tools, see my older article The Guide to Locking Down a PC
or my article on testing your computer’s security, Test Your Computers Security!. I also have an article on adding entries to your Host File at
1. When logging on to web sites, trust the site (if you don’t trust the site, research it and see whether it is legitimate based on what it offers), look again at the URL (is it really the site, or has it been changed? Letters can be swapped: an E can be a 3, an 8 can be a B, a 5 can be an S, and letters, numbers or special characters can be added to the site name), and check for SSL (TLS).
2. Turn your website passwords into long pass phrases. You can use a tool like my favourite, “Last Pass”. This tool organizes all your passwords in a web-style interface in your browser, with many security features to keep your information safe. It also encourages long pass phrases: as I said, it lets you store long gibberish strings that are not susceptible to dictionary attacks. Brute-forcing a long mix of letters, numbers and special characters will take hours even with a cluster of machines all guessing online, will raise many red flags on the account at the website, and will still take many days or years; and if you change the pass phrase before they finish, they have to start all over. So the lesson here: long pass phrases, kept somewhere only you can access, in a tool that encrypts your data so no one else can see it, like “Last Pass”. Don’t reuse passwords across sites, and keep your passwords at least 5-10 characters long.
3. If you find a machine is compromised by a virus or by unauthorized access, format it (new install of the operating system), but first back up all your important data to read-only media; a CD or DVD will work. I don’t care whether you can remove the infection: if I created a virus I would always have a backup plan, i.e. a backdoor to the machine (an unpatched exploit, a backup copy of the virus, a different strain in a different location, a registry key, a fuzzed application, a persistent backdoor such as a process, etc…). I always say “Any infection is still an infection”. The same goes if someone gains your credentials to a website: change them as soon as you can.
Always run as a limited user, unless elevated rights are needed for maintenance for that session. Don’t click links; copy the URL instead. Don’t open e-mail that looks odd, and never open attachments from people unless you have contacted the person and confirmed that they sent it to you.
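As an added illustration of the URL check in item 1 (this is example code, not from the original article), the following Python folds digit-for-letter swaps and accented characters before comparing a host against sites the user already trusts, and also flags a trusted site reached without https. The substitution table, the trusted host and the sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Digit/symbol-for-letter swaps of the kind the article warns about
# (constructed table for this example; not exhaustive).
LOOKALIKES = {"3": "e", "8": "b", "5": "s", "0": "o", "1": "l",
              "!": "i", "$": "s", "@": "a", "|": "l"}


def split_url(url):
    """Return (scheme, host), both lower-case, tolerating a bare host with no scheme."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def fold_host(host):
    """Reduce a host name to plain letters: drop accents, then undo lookalike swaps."""
    decomposed = unicodedata.normalize("NFKD", host)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(LOOKALIKES.get(c, c) for c in no_accents)


def check_url(url, trusted_hosts):
    """Classify a URL against hosts the user already trusts.

    ("ok", host)        trusted host or a subdomain of it, over https
    ("no-tls", host)    trusted host, but not https (the article: add the 's')
    ("lookalike", host) resembles a trusted host only after folding, or has the
                        trusted name embedded with extra characters added
    ("unknown", host)   no relation to any trusted host
    """
    scheme, host = split_url(url)
    trusted = [t.lower() for t in trusted_hosts]
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("ok" if scheme == "https" else "no-tls", t)
    folded = fold_host(host)
    for t in trusted:
        labels = t.split(".")
        name = labels[-2] if len(labels) >= 2 else labels[0]  # "example" from "example.com"
        if folded == t or folded.endswith("." + t) or name in folded:
            return ("lookalike", t)
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample URLs, checked against a single constructed trusted site.
    for u in ["https://www.example.com/login", "http://example.com",
              "https://examp1e.com", "https://3xample-secure.com", "https://other.net"]:
        print(u, "->", check_url(u, ["example.com"]))
```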
What to tell the customer to look for
1. Look for https:// in front of the site’s name; if the http:// has no s, put one there and refresh the page. This makes sure the site you trust establishes a secure connection; if it won’t, don’t trust the site (sorry, but if anyone in between the connection can see the traffic I don’t trust the site). Check for a certificate for the site, usually shown as a lock in the URL bar or at the bottom left of the screen. If you can establish an https:// connection but can’t see the certificate, you might have a mixed connection, or the connection is being forwarded to an http:// connection on the server side. If you really need to get on a site that shows no certificate, use a tool like “Wireshark”, located at http://www.wireshark.org/ ; it can monitor your connection to see whether the certificate is established.
2. Tell the customer about tools like “Last Pass” and how convenient and secure the service’s features are; it can be found at http://lastpass.com/. I also found a talk covering the product in great detail, how it works, its features and security, on “Steve Gibson’s” podcast “Security Now”, Episode #256 “Last Pass” at http://media.grc.com/sn/sn-256.mp3, or a transcript of the show at http://www.grc.com/sn/sn-257.txt.
3. If the customer’s machine is compromised, tell them what happened and how the attacker passed the defences, in easy terms: an exploit via a link, program, e-mail, web exploit, etc… Describe what can happen if it is not removed: the attacker will have full control of the computer, and any activity and passwords can be monitored. Even if you can remove an automated tool like a virus, I still say the machine is not 100% secure: there was still an exploit used to gain control of the machine, and if you were a malicious person who wanted control of someone’s machine, would you add a backdoor in case someone found your tool? I would, so the only way to be 100% sure is to format the machine and re-flash the BIOS. New rootkits will look at what motherboard and BIOS version you have and fuzz it to add a backdoor. This is very uncommon, but still in the wild.
You can also put the machine in a frozen state with Windows Steady State, found at http://www.microsoft.com/downloads/details.aspx?familyid=d077a52d-93e9-4b02-bd95-9d770ccdb431&displaylang=en
This may generate many tech support calls, because it takes a snapshot of the system and freezes it, so any changes made afterwards will not be saved. You can set locations where saves are allowed, and it also offers easy account lockdowns.
You can also tell them to get a router that does Network Address Translation (NAT), even if they have only one computer, with a Demilitarized Zone (DMZ). This prevents a direct attack if an attacker targets the outer layer of the network. Also assign static IP addresses and keep a whitelist that only allows the trusted computers present on the network and blocks all others.
Talking about routers, you have to check whether your router may be vulnerable to attack. Remember that it is still an embedded device: the firmware may be at fault, or the user name or password may be left at the default or be too easy to brute force. Also check whether UPnP is enabled, and do not allow it. With UPnP enabled, software or hardware on the network can ask the router to open ports and enable services without any credentials being used or logged.
Next, change the default DNS settings to a trusted DNS service like OpenDNS, found at http://www.opendns.com/, and set it up in the router. This gives you a performance and security gain from a powerful DNS service with many filters to stop bad sites on your network, or for parental control. OpenDNS also offers a great filtering service with a great blacklist of bad sites, and has a feature to prevent DNS rebinding attacks.
Most of the information in the Home User section is also relevant here.
A small business should have a UTM (Unified Threat Management) solution like the Astaro Security Gateway. They should also look at a patch management solution, and they should be PCI compliant. Like the home user, they should have end-point security, such as an anti-virus solution like some of the tools in the “Home User” section. They should have a software firewall and look into a hardware firewall/UTM/content filter. Check whether any servers are active and up-to-date.
If they have a web-facing web server, they should move it to a separate network within their network. They should build the three-way network: two routers minimum and a switch, with the switch public facing outside the routers; of the two routers connected to it, one serves the internal network and the other the web server. This isolates the server, so an attack on the web server will not let the infection out of that part of the network, unless there is some persistent communication from that network to the other. This might still be achieved, but it will be harder to jump onto the other range.
If you have a domain controller, you should set stringent policies. Always run as a limited user, unless elevated rights are needed for maintenance for that session. Next, you should find a way to review logs in an easy fashion. You should also use an IP filter tool like PeerBlock (Windows only), found at http://www.peerblock.com/ . This tool lets you monitor IP addresses and ranges that are malicious or that you don’t want on your network.
Lock down your shares (SMB) and make sure no anonymous access is allowed. Also make sure access to the shares is limited to what users need. Try to ensure no applications can be executed off the share. Make sure your logs are being monitored.
Also check whether you have any FTP servers in use; if so, make sure they don’t have a weak password that can be brute forced. If you use FTP at all, tunnel the traffic through SSH so your credentials are not seen in clear text. Also make sure your SSH server does not share the same credentials and has a good password that cannot be brute forced. Lastly, on the SSH server, give it an encrypted key that is known to the user, and make the SSH user a non-admin to minimize risk. To make this implementation easy for the user, you can use tools like WinSCP, found at http://winscp.net . For more information, look at http://www.hak5.org/it/ssh-certificate-based-authentication and http://www.hak5.org/episodes/episode-416. If you want an SSH client on Windows, you can use PuTTY, found at http://www.chiark.greenend.org.uk/~sgtatham/putty/ ; they also have a key generator called PuTTYgen and a key storage application called Pageant.
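As an added example (not from the article or from any project's code), here is a small Python audit of the SSH server settings the paragraph above asks for: a weak sshd_config excerpt beside a hardened one, and a check that flags password logins, root login and directives that were never set. Both excerpts and the `fileuser` account are constructed for this example.

```python
# Constructed sshd_config excerpt with the weak settings the article warns about:
# password logins (brute-forceable) and the admin account allowed to log in.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
# Constructed hardened excerpt: key-based login only, no root login.
# 'fileuser' is a hypothetical non-admin account for the WinSCP users.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowUsers fileuser
"""
# Directive -> value the article's advice implies (compared case-insensitively).
REQUIRED = {
    "passwordauthentication": "no",   # keys instead of passwords: nothing to brute force
    "permitrootlogin": "no",          # the SSH user must be a non-admin
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Map each directive to its first value; sshd honours the first occurrence of a keyword.
    Only the global section is read: directives after the first Match block are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)    # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def audit_sshd(text):
    """Return (directive, current, required) for each requirement the config does not meet.
    A missing directive is reported as '<unset>' rather than assuming a version-specific default."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key, "<unset>"), want)
            for key, want in REQUIRED.items()
            if settings.get(key, "<unset>") != want]
```

Run `audit_sshd` on the server's real `/etc/ssh/sshd_config` contents to list what still has to change before password logins can be switched off.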
Lack of information! Will do more research.
Lack of information! Will do more research.
This will be made when the article is done.