Pen-testers outline golden rules to make hacks more €xpen$ive

Not one administrator to rule them all, but a few: that's the advice offered by seasoned penetration testers Aaron Beuhring and Kyle Salous to enterprises wanting to be less attractive to hackers. In a presentation at the MIRCon 2014 conference in Washington the duo listed a series of low cost changes to access controls, …

  1. Anonymous Coward

    Hmmm....

    we never run as "Admin" on boxes, we always have named accounts, but white-listing? Costs nothing?

    Holy crap, do you know how much time and effort that would take? By the time you've finished the 1st sweep, there probably would be another hundred programmes to add. Unless they are purely on about servers, even then for the several hundred we run, that would STILL take an age.

    It really is an effort vs cost issue.

    1. Anonymous Coward

      Re: Hmmm....

      "Sorry sysadmins, you just lost root access in the name of security"

      Or you could just use another OS that can properly handle constrained delegation of specific security rights without having to resort to kludgy, high-risk tools that run as Root like SUDO....

      1. Anonymous Coward

        Re: Hmmm....

        OS/400?

      2. NogginTheNog
        Thumb Down

        Re: Hmmm....

        Or you could just use another OS that can properly handle constrained delegation...

        Seriously?? They're discussing a consistent approach to securing diverse enterprise-wide systems and you bring it down to "my fave OS is better than yours!". Do grow up!

  2. Destroy All Monsters Silver badge
    Paris Hilton

    Whitelisting!

    SELinux, then?

    It is a difficult beast and needs maintenance and package-level support.

    But ... no Perl? I don't see this. This is like saying "no programs on this machine, so we are secure". Well, yes, but that's not the goal at all.

    1. Anonymous Coward

      Re: Whitelisting!

      "SELinux, then?"

      That's a bit like hiding the holes in Android with Knox - it doesn't actually address the several fundamental security shortcomings in Linux - it just puts an extra wrapper on them.

      1. Destroy All Monsters Silver badge

        Re: Whitelisting!

        > the several fundamental security shortcomings in Linux

        > puts an extra wrapper on them.

        WUT?

        You better get yourself a manual and start reading.

  3. Stretch

    block anything made by Apple

    I like these guys already

    1. Dave Bell

      Re: block anything made by Apple

      It's the sort of thing that makes me wonder just what they really know.

      Is the Apple environment flawed, or is it that they don't understand it?

      On this, I would want to know what they really said, and not have to worry what some reporter might have turned it into.

  4. John Smith 19 Gold badge
    Unhappy

    let me see if I've got this right.

    1) Set network monitoring tools to "listen" mode and find out what sites users really use and what apps they really need.

    2) Bar everything that's not on that list.

    3) Disable scripting on those apps.

    4) Disable admin rights on all users. And find out what software is so retarded it cannot be run in any other way.

    5) Disable admin rights on most tech support accounts.

    6) Repeat periodically.

    Oh the indignity! Oh the inhumanity!

    Here's the thing. Users are here to do work. This is how grownup businesses operate.

    The question is to what extent do their core apps need internal scripting to work as well.

    Otherwise I see a lot of ACs who seem to be posting BS.

    1. Duncan Macdonald

      Re: let me see if I've got this right.

      Unfortunately two very common apps - Word and Excel - have scripting built in - good luck in getting those apps banned.

      Also a number of businesses have web based apps that use scripting (using IE, Firefox or Chrome).

      Given the above, item 3 on the list has very big problems.

      1. david 12 Silver badge

        Re: let me see if I've got this right.

        > Unfortunately two very common apps - Word and Excel - have scripting built in

        And trivially disabled for users on Windows platforms: dunno about the modern (cloud) versions or the Mac versions.

        And I've worked with Excel and Word scripting. Many people use Excel and Word scripting: many people don't. Unless your Network Admin is in a building on the other side of the <whatever> and doesn't give a <whatever>, it is trivially easy (in a Windows environment) to whitelist people or apps that need scripting, and block everything else.
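The listen-then-bar loop in John Smith 19's steps 1, 2 and 6 above, as an added example that is not from the article or any commenter: it learns an allowlist from constructed, simplified Squid-style proxy log lines (the field layout is an assumption), denies everything else by default, and queues newly seen hosts for a human to approve rather than adding them automatically.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample logs (hosts and addresses are made up) in a simplified
# Squid-style layout assumed as: <epoch> <client_ip> <status> <method> <url>
LISTEN_LOG = """\
1412000001 10.0.0.12 TCP_MISS/200 GET http://intranet.example.test/timesheet
1412000002 10.0.0.12 TCP_MISS/200 GET https://crm.example.test/leads
1412000003 10.0.0.40 TCP_MISS/200 GET http://intranet.example.test/holidays
1412000004 10.0.0.40 TCP_MISS/200 GET https://updates.vendor.test/patch.cab
1412000005 10.0.0.77 TCP_MISS/200 GET https://crm.example.test/reports
1412000006 10.0.0.77 TCP_MISS/200 GET http://some-game-site.test/play
"""
ENFORCE_LOG = """\
1412100001 10.0.0.12 TCP_MISS/200 GET https://crm.example.test/leads
1412100002 10.0.0.40 TCP_MISS/200 GET https://updates.vendor.test/patch2.cab
1412100003 10.0.0.77 TCP_MISS/200 GET https://updates.vendor.test/patch2.cab
1412100004 10.0.0.77 TCP_MISS/200 GET http://some-game-site.test/play
this line is deliberately malformed and must be skipped
"""

def parse_requests(log_text):
    """Yield (client_ip, host) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        host = urlparse(fields[4]).hostname if len(fields) == 5 else None
        if host:
            yield fields[1], host.lower()

def learn_allowlist(log_text, min_clients=2):
    """Step 1 (listen mode): keep hosts reached by >= min_clients distinct
    clients, so one user's one-off visit does not earn a permanent entry."""
    clients = defaultdict(set)
    for client, host in parse_requests(log_text):
        clients[host].add(client)
    return {h for h, c in clients.items() if len(c) >= min_clients}

def decide(host, allowlist):
    """Step 2: default deny; allow only if the host or a parent domain is listed."""
    labels = host.lower().split(".")
    return "allow" if any(".".join(labels[i:]) in allowlist for i in range(len(labels))) else "deny"

def review_candidates(log_text, allowlist):
    """Step 6 (repeat periodically): rank denied hosts by distinct clients for human review."""
    seen = defaultdict(set)
    for client, host in parse_requests(log_text):
        if decide(host, allowlist) == "deny":
            seen[host].add(client)
    return sorted(((h, len(c)) for h, c in seen.items()), key=lambda x: (-x[1], x[0]))
```

The review queue is deliberately the only output of the periodic pass: a host earns an allowlist entry when someone approves it, not because it was requested often.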

  5. Katherine Bean

    DUMP - STOP - BAR

    This seems like a watered down version of a presentation I did some months ago at SQL Bits.

    https://dvana.com/library

    Then you look at the DUMP - STOP - BAR Intro document, it is a PDF.

    There is a lot more that needs to be done, and what they are suggesting is only the tip of the iceberg.

    It is necessary to take a more holistic view of the world and not simply jump into the passwords and credentials. There are so many more ways that a system will be breached than the Admin account.

  6. Gotno iShit Wantno iShit

    I recently implemented a whitelisting system for a client, the one in an orange wrapper. The customer was sufficiently clued in to understand the flip from blacklisting via antivirus & the like to whitelisting. It was quite easy to set up but eye wateringly expensive. Really quite unbelievably wallet wilting and yet the orange box solution is at the cheaper end of the whitelisting scale.

    It needs a few of the AV firms to start offering a whitelist alternative; priced at double the cost per seat of their blacklist product, it would sell. The current whitelist products are orders of magnitude above the cost of AV.

  7. Cipher

    Just a thought...

    ...but in addition to no admin rights for users, how about no browser unless the needs of the business specifically require them? Use the hosts file to control where they go on top of that.

    The university I last worked at (2000+ staff users) had such a policy. Need software outside the provided image set? Request it. A WUS, delayed to allow testing, pushed updates/patches.

    The overwhelming majority of users had no need of a browser to get their work done. So why put a malware vector on the machine to start with?

    And when the crying starts, remind them they are there to work, not play, and the browser is used for far more play than work in most settings...

    1. graeme leggett Silver badge

      Re: Just a thought...

      I'll agree with the basic premise that removing that which is not required is one answer to improved security. And I know of some organisations that operate a basic image and any extra software needs to be justified. (e.g. a default setup of Word and Lotus 1-2-3 - it was a while ago - but Lotus couldn't handle scientific graphing, resulting in a sizeable number of installs of Excel.)

      Unfortunately I know of at least one organisation where the process to request anything other than a non-standard image is flawed, and/or the people handling the requests are not up to the job of evaluating and delivering on the request even when it is identified as a genuine business need.

      So before you can introduce a system of no admin user rights and turning off stuff, there needs to be a good system for providing them when they are required. Which might add to the implementation cost, but will carry opinion with you rather than turning everything off and waiting for the shouting to start to find out what's been missed.

    2. Adrian 4

      Re: Just a thought...

      "The overwhelming majority of users had no need of a browser to get their work done. So why put a malware vector on the machine to start with?"

      What century are you living in? This might be true of a few sweatshop environments, but for any creative work (and I'm talking engineering, not just arty airheads) it's completely ludicrous.

      Just try disabling your own internet access (I'm assuming you're in some IT role) and see how much work you can get done.

      1. Anonymous Coward

        Re: Just a thought...

        "Just try disabling your own internet access (I'm assuming you're in some IT role) and see how much work you can get done."

        Well for starters - no el Reg and hence a massive increase in productivity 8) But we lose the benefit of their insightful comments.

        Jon

    3. John Tserkezis

      Re: Just a thought...

      "And when the crying starts, remind them they are there to work, not play, and the browser is used for far more play than work in most settings..."

      It's almost as if you've never actually seen anyone do work.

  8. Anonymous Coward

    As many rules as there are *cough* experts *cough*

    There are WAY too many variables involved to make one golden set of rules for all enterprises. If you have wall to wall developers, you first get them all to agree to a sensible approach (like all software that needs admin level lives in a VM where they can do whatever they like), but you know you need less lecturing on running unidentified code.

    If you have people who mainly do word processing and admin, you can lock them out of admin without too many problems, and if we had software manufacturers who actually CARED about security they'd give us the option of installing at user level (i.e. without deep rights) or system wide. But they don't, which is why you have to avoid things like Adobe reader.

    There are many ways to skin this cat, or (for vegetarians) to peel this banana. About the only thing you can do that is consistent is follow the index of ISO 27002 and get some of that in place. Those are common practices that have been established and kept up to date over years. Even if you don't implement it in full, it's still a very useful checklist. If you're coding, I found OSSTMM very helpful, and OWASP is quite a good approach to shake the tree a bit if you're online.

    Oh, and if you're serious about wanting security to work, avoid OCTAVE like the proverbial plague (Ebola, thus), you can smell the "let's make lots of work for consultants" stench from quite a distance. I think that was mainly designed to blow a massive budget to make it appear someone was doing something useful, but it's way too granular to leave a working organisation after that has been applied. Which says something about the places where it has been implemented...

  9. Missing Semicolon Silver badge
    Happy

    S.O.P for IT departments

    ... turn it off/disable it, see who screams.

    1. nijam Silver badge

      Re: S.O.P for IT departments

      Too often, in the real world, the IT department is not competent to know what any given workflow needs, or to understand the business case made for subsequently reinstating services/access/whatever. So you end up in a situation (my organisation is just arriving there) where the question becomes "turn off or disable the IT department?" which is a quite different way to read your post.

  10. Anonymous Coward

    Rule of thumb for company IT security

    NEVER trust third-party software suppliers to have a clue about securing their POS applications, or even what minimum privileges they need to operate properly!

    1. Anonymous Coward

      Re: Rule of thumb for company IT security

      Also never trust your own support guys to understand how to lock down systems using even the basic OS tools (and there are lots of useful security elements available in most OSes but they are off by default).

      I've been in enterprise level IT security for over 15 years and although there has been increased availability of actual controls built in to OSes and applications, it is still a majority case of 'insecure by default' for the simple reason of 'usability'.

      It is still a truism that you can make a system very secure by using wire cutters against the power supply lead but only if security is your most important factor.

      If you want to work in IT Security my best advice would be .. learn to juggle.

  11. Anonymaus Cowark

    I can understand that autoit and perl could be abused to run malware, but what was that about anything from Apple? Did they just mean AppleScript and things like it, or Apple software/hardware?

    1. Charles 9

      I'd hate to be the one to enforce a no-Apple policy when the board uses iPads...

      1. iAMPatman

        Agreed. Especially when an iPad is probably the device least likely to introduce malware into the enterprise.

  12. Dominion

    Application Vendors...

    ...are the biggest hurdle to locking down systems securely. What they consider to be adequate security is simply shocking.

  13. Anonymous Coward

    It's amazing what passes for expertise these days.

  14. lucki bstard

    I'm surprised that no-one has mentioned the pointy haired bosses yet. Just because IT requests an application to be banned, it doesn't mean a thing unless management approves it.

    Most PHBs only get concerned when a security threat affects them. If they want to play farmville at lunch, well, tough, they will play farmville at lunch.

    1. Anonymous Coward

      "Most PHBs only get concerned when a security threat affects them. If they want to play farmville at lunch, well, tough, they will play farmville at lunch."

      Yep and your carefully crafted Squid ruleset gets neutered to allow them access to gambling sites etc etc.

  15. jdan

    Podcast

    Just listened to their podcast and they're talking about enterprises that run Windows, which is 80%+ of large and medium size corporations. The iTunes and the Bonjour service don't need to run on a Windows machine. Most of those scripts don't need to run on a std Win 7 image either. They do talk about getting buy in from higher ups, which is going to be difficult. The amount of logs they collect sounds insane though. The link to their podcast is at the end of this article.
