How to combat the Sans Institute's top 10 security threats

Timothy Mullen, vice-president of consulting services at NGS Software, offers advice on protecting your systems from the most pressing cyber threats of 2008

If one were to go back through the archives of the Sans Institute's Top Threats lists, some of which I have contributed to, one would find the range of threats and vulnerabilities shifting and changing through the years along with the ever-changing security landscape itself, writes Timothy Mullen, vice-president of consulting services at NGS Software.

Even the name has changed. You will see references ranging from the "Top 10 Internet Security Vulnerabilities" to the "Top 10 Risks" to the "Top 10 Threats". Actually, these are three very different things, so let me say now that I disagree with some of the items on the 2008 list. However, I will leave that for now and concentrate on the list itself.

Over time, issues such as the default installation of Internet Information Services (IIS), weaknesses in the Lan Manager authentication protocol and Null Session attacks gave way to vulnerabilities in plug and play services, Windows Messenger services, and internet browsers. Those in turn were replaced by exploits in Microsoft Office applications, instant messaging programs and even in security products, such as anti-virus software.

But even though the names and faces of the top threats have changed, the core concepts that support the solutions to and prevention of these threats have stayed fundamentally the same. The following suggestions on how to avoid being hit by the new Top Ten Threats are all rooted in defence in depth, least privilege access rights (i.e. need to know), and user education (aka The Big Three).

One should strive to create a network environment where threats, both known and unknown, are obviated by the design itself, and not the specific technical details of every threat or exploit that comes along. Embracing these Big Three concepts will allow this, as you will see from the following suggestions.

Threat: Increasingly sophisticated website attacks that exploit browser vulnerabilities

Prevention: Programs and code launched from exploitation of browser vulnerabilities are executed in the context of the interactively logged on user. Logging on as a "normal" user (not an administrator) significantly limits what action malicious code can take, if it runs at all. The first step therefore is never to run as admin unless you are performing tasks that require administrative privileges. One should never casually surf the net when logged on as an administrator. This is an example of "least privilege", i.e. a user has only the fewest possible privileges essential to perform a specific function.

Also, keep your software current. This includes operating system updates with proper firewall configurations, browser updates, and current anti-virus/anti-spyware. This is "defence in depth," which provides multiple layers of security to protect you when one fails. Also, keep the security settings for untrusted sites high, and don't allow visits to sites that you can't trust if it can be avoided. That is good user education: teach your users what to look for and how to help spot malicious sites.

Threat: Increasing sophistication and effectiveness in botnets

Prevention: Regardless of how sophisticated botnets get, they have to get on your machine in the first place. Typically administrative privileges are needed for installation. Even if you have an unpatched machine with one of the aforementioned browser vulnerabilities or you have no anti-virus but still open that SeeBritneyNaked.exe Trojan in an e-mail, if you are not logged in as an administrator, in most cases, the bot will fail to install.

This comment is not carved in stone, and it is not an excuse to do mindless things, but it is certainly a best practice: don't run as administrator, don't watch Britney videos (this is just good social advice) and, obviously, keep updated, maintain anti-virus/spyware updates, and don't try to install software that comes from untrusted sources like "Jimmy Jank's House of Codecs".

Threat: Cyber espionage efforts by well-resourced organisations looking to extract large amounts of data

Prevention: This is a bit different than your standard "internet threat" as it is really just an expansion of the environment that surrounds organised crime and the methods criminals use to steal corporate information: spies are just adding cyber attacks to their bag of tricks.

If your organisation is the target of a focused attack to steal corporate information, you must first accept that you are in trouble. Targeted attacks specifically against you are far worse than random internet activity because well-resourced organisations won't stop until they get what they want.

Double-checking your firewall rules and sending out warning e-mails to the "everyone" distribution list won't cut it. You will need professional help at many levels: legal, technical, law enforcement, etc.

In that regard, I have a hard time listing this as a Top Ten Risk (the auspice under which the item was originally listed). Is it a threat? Sure - so is someone breaking into your house - but is it a risk shared by enough businesses to warrant a Top 10 listing? Personally, I don't think so.

Even so, the technical process of protecting against a specifically targeted attack begins the same way as one protects against anonymous, random attacks:

● Isolate servers and services into DMZs

● Limit what information your users can access

● Have written employment and system usage policies in place that are communicated and enforced that spell out what information they can and can't share, and the ways the information can be shared in the first place.

Professional help in the face of a targeted attack will help identify the particular methods that someone is using to get your data, but a foundation of The Big Three will give you some protection until the cavalry arrives.

Threat: Mobile phone threats, especially against iPhones and android-based phones plus voice over IP

Prevention: I do not wish to second-guess the minds that Sans has tapped, but I do not regard this as a Top Ten risk or threat. It may become one, but it is not one today. That said, the main concern here is that these types of units are not just "cell phones" but are cellular- or Wi-Fi-enabled handheld computers. That means organisations may underestimate, or even disregard, the extent to which a vulnerability on these platforms could be leveraged.

Information leakage from lost or stolen phones (consider that all your e-mail is easily accessible from these devices) is bad enough. But consider the implications of an iPhone "rootkit" that constantly and silently passes all communications, including telephone calls, to some malicious back-end server.

Regarding Voice over IP, most companies completely underestimate the capabilities of the system, and therefore the risk. Many VoIP systems not only provide voice communication capabilities, but they provide white-board, desktop-sharing, and file transfer functionality as well.

The first step in securing these devices is to treat them as if they were desktops or laptops. Assume that hackers can attack them the same way, infect them the same way, and so access your network the same way. And do NOT assume that, just because they are cute little devices that look and act like phones, they ARE just phones. Of course, that will be difficult because the deployment of iPhones and gPhones (or whatever Google chooses to call them) is still in its early stages - but at least you know where and how to start worrying.

Threat: Insider attacks

Prevention: Again, I believe "insider attacks" are not "internet attacks." If they have made the list now, then they should have been on the list from its inception, and they should have a slot carved out from now on. But their classification in this regard does not make them less insidious.

The Big Three will help here, but to be honest, I am quite sceptical about how one can stop an inside attack effectively. An insider attack is probably the best model one can use to illustrate the difference between threat and risk. You can ensure that your users are not local administrators, but if they have physical access to the hardware, it is trivial for them to bypass that precaution. The same applies if they have physical access to your servers or controllers.

There may be a threat that an employee can access server hardware, but unless the risk is great enough (meaning doing so would yield a valuable enough asset) then you won't spend the money required to secure the server room physically from a reasonably predictable attack.

So identification of threat and assignment of risk must take place on a per-incident basis. Practice security in depth, implement least privilege, but in the end, insider attack is a trust problem with humans, and not a technical issue.

As such, I think its inclusion in the list is wrong. You can't solve it technically. At some level, you must trust a human to protect your assets. You can set up as many elements and guards as you want, but you must always ask, who guards the guards?

Threat: Advanced identity theft from persistent bots

Prevention: It doesn't really matter what the bot does. An "advanced ID theft bot" is no different than the aforementioned "sophisticated and effective" bot. Don't get caught up in what data a bot targeted and try to close the stable doors after the horses have been rustled. Don't let the bot install in the first place. So, don't run as administrator, keep current on your updates, and filter and/or limit outgoing traffic at the border.

Threat: Increasingly malicious spyware

Prevention: See above. At some point, spyware will reach out of your monitor and beat you until you tell it what sites you have visited and what your password is. Don't worry about how increasingly malicious spyware gets - worry about keeping it off your system from the start. Think "Big Three."

Threat: Web application security exploits

Prevention: User education, or better yet, developer education is key here. If your business depends on your web application to be successful, then make sure that you give your developers the resources they need to do the job right.

Budget for it. That includes not only direct education for your team, but also third party review by expert, professional testers. I am not saying this to flog NGS services - I'm just saying that no matter who you choose to penetration-test your web apps, make sure that you choose someone competent.

Simply contracting "Bob's House of Port Scanners and Britney Video Archive, LLC" to run simple script-kiddie attacks against your website is not nearly enough. If the attack isn't both broad-based and mounted from right outside the web server, you are missing a very large threat base.

Various training courses can teach you how to build secure web applications, but don't assume that your team will immediately become experts in web application security. Go into it knowing that you are going to need help, that it will take time, and that you are going to pay for it.

Obviously the Big Three apply here as well:

● Create physically separate DMZ segments to protect internal assets from web-accessible resources

● Ensure database services are running under restricted user accounts

● Sanitise user input by checking values, enforcing variable types, and inspecting content.
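The last bullet is the one developers most often get wrong, so here is a worked illustration of all three checks together with a parameterised database write. This is an added example, not code from the article or from NGS Software; the field names, the allow-list patterns and the in-memory SQLite table are assumptions chosen for the demonstration.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Allow-list patterns (assumed policy for this example): account names are 3-32
# characters of letters, digits, dot, underscore or hyphen; quantity must look
# like a short decimal integer before we ever call int() on it.
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")
QUANTITY_RE = re.compile(r"^[0-9]{1,4}$")
# Content inspection: reject C0/DEL control characters other than tab and newline.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_COMMENT_LEN = 200


class ValidationError(ValueError):
    """Raised for any field that fails validation; bad input is rejected, not repaired."""


@dataclass(frozen=True)
class Submission:
    account: str
    quantity: int
    comment: str


def validate(form: dict) -> Submission:
    """Apply value checks, type enforcement and content inspection to raw form fields."""
    account = form.get("account")
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise ValidationError("account: must match [A-Za-z0-9._-]{3,32}")

    raw_qty = form.get("quantity")
    if not isinstance(raw_qty, str) or not QUANTITY_RE.fullmatch(raw_qty):
        raise ValidationError("quantity: must be a decimal integer")
    quantity = int(raw_qty)          # type enforcement: only now does it become an int
    if not 1 <= quantity <= 1000:    # value check against the assumed business range
        raise ValidationError("quantity: must be between 1 and 1000")

    comment: Optional[str] = form.get("comment", "")
    if not isinstance(comment, str):
        raise ValidationError("comment: must be text")
    if len(comment) > MAX_COMMENT_LEN or CONTROL_RE.search(comment):
        raise ValidationError("comment: too long or contains control characters")

    return Submission(account, quantity, comment)


def is_valid(form: dict) -> bool:
    """Convenience wrapper: True if validate() accepts the form."""
    try:
        validate(form)
        return True
    except ValidationError:
        return False


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the application's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (account TEXT, quantity INTEGER, comment TEXT)")
    return conn


def record_order(conn: sqlite3.Connection, form: dict) -> Submission:
    """Validate, then store with a bound-parameter statement so data never becomes SQL."""
    sub = validate(form)
    conn.execute(
        "INSERT INTO orders (account, quantity, comment) VALUES (?, ?, ?)",
        (sub.account, sub.quantity, sub.comment),
    )
    conn.commit()
    return sub


def orders_for(conn: sqlite3.Connection, account: str) -> list:
    """Read back the rows for one account, again with a bound parameter."""
    cur = conn.execute(
        "SELECT account, quantity, comment FROM orders WHERE account = ?", (account,)
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = open_db()
    record_order(db, {"account": "alice", "quantity": "5", "comment": "it's fine; no rush"})
    print(orders_for(db, "alice"))
    print(is_valid({"account": "alice' OR '1'='1", "quantity": "5", "comment": ""}))
```

Two design points are worth noting. Validation rejects rather than "cleans": stripping quotes from a bad account name would silently change what the user submitted and still leave the door open for the next encoding trick. And the comment field, which legitimately contains apostrophes and semicolons, is passed as a bound parameter, so the database driver treats it as data regardless of what it looks like; the free-text field is protected by the query construction, not by guessing which characters are dangerous.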

Threat: Increasingly sophisticated social engineering

Prevention: Social engineering is a people problem, not a technical problem. You can't solve it with technical means, so don't bother trying. Unless they mean phishing, which is different.

In my opinion, regarding "sophisticated social engineering" in its true sense as a top internet risk is a waste of time for administrators and system engineers.

An exploit against a vulnerability on a computer works against multiple systems because they all share the same vulnerability vector - computers don't have a "disposition." But every human is different. While there are 10 people in an organisation who will give out their password when asked for it, there are 10 more that won't. It all depends on how you ask them.

If the FBI called and threatened to put me in jail if I didn't give them my PGP key, I would tell them to get my cell ready. But if they called and said that they had my kid and to give them my PGP key, they would have it in one second flat.

There is always a clever "trick" one can use to make someone give up information, whether it is posing as Ned the Network Nerd to get credentials, or using flat-out threats. Just remember, your employees are not going to put your data ahead of their own, or their families', personal safety.

That said, one can best mitigate typical social engineering attacks by combining written, circulated, and enforced corporate policy with user education.

● Never circulate install programs or other executables to customers and users via e-mail, and let them know that you never do, so that they won't go out of their way to run executable e-mail attachments.

● Never solicit personal information, including username and password, over the phone or via e-mail, and let customers and staff know that so that they won't give out that information to unsolicited callers.

● Have and enforce policies and processes on how to set up technical support calls and follow-up, and make sure that your employees know the procedures so they won't be fooled by people calling up pretending to be network support personnel.

Even if an employee did give out their credentials, least privilege practices should restrict what the attacker can do with those credentials. If you practice security in depth too, techniques such as dual-mode authentication (e.g. using an RSA fob for VPN or OWA access, or smartcards for log-on) would keep attackers from leveraging the credential from outside, even if they had the soft data.
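To make the "soft data is not enough" point concrete, the following added example (not code from the article or from NGS Software) shows a login check that requires both a password and a one-time code from a token. An RSA fob is a proprietary device, so the example stands in for it with the open HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter), which is what many later hardware tokens compute; the user record, PBKDF2 parameters, look-ahead window and `authenticate` function are all assumptions made for this illustration.

```python
import hashlib
import hmac
import re
import secrets
import struct
from typing import Optional

LOOKAHEAD = 5            # counter values past the stored one we will still accept
PBKDF2_ROUNDS = 100_000  # assumed password-hashing cost for this example


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: what the token displays for a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def make_account(password: str, token_secret: Optional[bytes] = None) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the token's seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "token_secret": token_secret or secrets.token_bytes(20),  # shared with the token
        "counter": 0,  # next counter value the server expects
    }


def check_password(acct: dict, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, acct["pw_hash"])


def check_token(acct: dict, otp: str) -> bool:
    """Accept a code within the look-ahead window, then move the counter past it.

    Advancing the counter is what makes a captured code useless for replay."""
    if not re.fullmatch(r"[0-9]{6}", otp):
        return False
    start = acct["counter"]
    for c in range(start, start + LOOKAHEAD):
        if hmac.compare_digest(hotp(acct["token_secret"], c), otp):
            acct["counter"] = c + 1
            return True
    return False


def authenticate(acct: dict, password: str, otp: str) -> bool:
    """Both factors must pass; a leaked password on its own never gets through."""
    if not check_password(acct, password):
        return False  # do not consume a token code when the password is wrong
    return check_token(acct, otp)


if __name__ == "__main__":
    acct = make_account("correct horse battery")
    code = hotp(acct["token_secret"], acct["counter"])  # what the fob would show now
    print(authenticate(acct, "correct horse battery", code))   # True
    print(authenticate(acct, "correct horse battery", code))   # False: already consumed
```

The assertions a reader can check against RFC 4226 are its published test vectors (secret `12345678901234567890`, counters 0, 1 and 2 give 755224, 287082 and 359152). The operational lesson matches the paragraph above: an attacker holding the password alone fails at `check_token`, and even a code shoulder-surfed during a genuine login fails a second time because the counter has moved on.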

While you can limit risk introduced via social engineering techniques, you can't prevent it. Again, it's The Big Three that will save you by mitigating the extent of attack.

Threat: Supply chain attacks infecting consumer devices (USB thumb drives, GPS, digital photo frames, etc.)

Prevention: I am at a complete loss as to how this made it onto the list. This is a "Top 10 Internet Threat/Risk Vulnerability List" after all, and not a "Top 10 Conspiracies" list.

There were indeed some Maxtor hard drives, manufactured by a contractor in Taiwan, that shipped with the ghost.pif Trojan, discovered in 2007, and Kaspersky Labs did indeed warn Seagate that it had found the Trojan on "at least one" drive.

Of course, now you will find a million people who say they found it on their drives, but I think that is like the million people who will tell you they were at Woodstock. In any case, there is no way this threat is a "Top Ten" anything.

Oh, and for what it's worth, you would have to be running as admin to install that ghost.pif Trojan, and most current anti-virus would pick it up anyway.
