Saturday, June 28, 2008

Book Review: Endpoint Security

I've just finished reading this book by Mark Kadrich, and I have to admit that it's highly informative and focus on the pain points. We are fighting malwares everyday and spending millions of dollars on solutions built to stop known attacks and fail to stop the unknown. I'd like to share with you some interesting quotes from the book:

(I’m not aware of any SOx template that ever stopped a worm. Granted, it was a great
example of “find a need and fill it” mentality, but it also gave many people the false
impression that being SOx compliant meant being secure.)


(How can this be? We have antivirus! We have firewalls! We have IDSs! We have
authentication systems! We have HIPAA, SOx and let’s not forget GLBA! With all this
heavy artillery, how can the evil worms of war still manage to break through our
defenses? Why do we have systems infected with bots? How can we have all this security
and still have a polluted network

What we can understand from this?

I think the problem is either the current security standards are not as effective as before to stop malwares, or we are not implementing them correctly. A security standard will give you the foundation of the whole security architecture which your network needs. If you don't follow the book, it's your problem. I've seen many security administrators who give no attention to patch machines properly. Or even, check the firewall logs to observe any botnet activity!. Such case, is a big example of how malwares manage to penetrate your defenses to infect the endpoints.

I'll give you some tips from my daily work:

To stop malwares we need to close all the holes, which are:

1) Internet - We have different sources of risks, so let's break them down:

Websites: Install a content filtering solution (e.g, Websense)
Spam: Install a respected antispam solution (e.g, Bordware MXstream, Cisco IronMail)
P2P: Block these applications using a firewall or IPS. Or even prevent the installation of them at all.
Malwares: Block risky ports on the FW. Deploy a network IPS. Deploy a gateway Antivirus (HTTP scanning)

2) Removable drives - these devices are "Mobile Mass Infections" weapons, which I'll never allow them during my watch.

The only countermeasure against them is device blocking policies using some software that will give a full control of them.

The list still not yet finished, please keep reading:

- Patch management strategy: OS + Applications patching. 80% of malwares are targeting a specific vulnerability in your system. I always say "A patched machine with a real IP is safer than unpatched one behind a 100 FW".

- Browser security: Get a secure browser (FF3 or Opera9). Read my lips: No *F* ActiveX anymore!

- Network Access Control: check Cisco NAC or Symantec SNAC solutions.

- User Awareness: e-mails with some cartoons, sessions, screenshots of malicious activities and how to report them.

- Training and reading: If your admin spends his day playing "FreeCell", it's the time to level up his knowledge. Because an ignorant admin will decrease the value of any security solution. Most customers will utilize 40% of the solution because their lack of knowledge on how to use the advanced features which may help them to compact the original problem.
here's the link for the book on Amazon. Click here
I'm done here,