by Shawn Bass
If you read "Part 1: There's Only Two Types of Data" and "Part 2: Centralization Helps in Other Ways" of my "VDI and Terminal Server are not more secure than physical desktops" series, you may have noticed that I ended them without providing advice on how we can reduce the data security risks. Your wait is over!
Look at this cool wooden horse we made for you…
According to Greek folklore, during the battle of Troy the Greeks withdrew from Troy after delivering a large wooden horse. The Trojans believed it to be a peace offering of sorts and towed it inside the city walls of Troy. After the Trojans went to sleep, approximately 40 Greek soldiers emerged from the giant wooden horse and opened the gates of Troy, where the rest of the Greek army was waiting. The army easily overran the Trojans and claimed victory over Troy.
In modern-day terms, a Trojan horse is a piece of computer software that the end user believes is a legitimate program or a document that they actually wanted. Instead, the software or document has malicious intent, which can range from stealing information such as software licenses, bank account information and website passwords to taking over the machine outright. Trojans often control the PC from that point forward (turning it into a "zombie" PC) and receive command-and-control instructions from central systems on the Internet. Collections of these "zombie" machines are called botnets, and in many cases they contain millions of PCs.
How computers get compromised
Most computers get compromised by one of the following methods:
- Downloading software that contains a virus/Trojan horse. This method can largely be prevented by not allowing users to install software and locking down their PCs.
- Inserting a removable storage device that contains a virus/Trojan that executes automatically upon insertion of the drive. Even though the user may not intend to invoke the software, there are many ways to compromise various operating systems simply by inserting media into a PC.
- Opening an infected document. A very common exploitation vector for viruses/Trojans over the last few years has been opening documents such as Office documents, JPG/PNG images, PDF documents or ZIP archives. There have been massive investments by Microsoft, Adobe and other vendors to sandbox their software and reduce the likelihood that it becomes the compromised entry point of the PC. This remains the largest security concern for targeted attacks, since an attacker can research the people who work at a particular organization, discover their email addresses and then deliver a spear-phishing attack via email. Combined with some effective social engineering, this can be a highly effective means of getting directly to the source of the information the attacker is trying to obtain. Also, when a new, unknown zero-day exploit is used, the recipient will be largely unprotected against it by any A/V, HIPS, IDS, etc.
- Visiting a compromised website. Drive-by downloads, client-side JavaScript, XSS, CSRF, etc. are all forms of web-based attack mechanisms. While each of these attacks differs in the amount of potential damage it can cause on a system, in all cases information security, as far as the browser is concerned, is completely compromised.
Of the above methods, opening a document file (usually delivered via email) and attacks delivered via the web browser are the most common security risks we face today.
Does it matter where the PC is located for these attacks?
It is almost completely immaterial where the PC is located for one of these attacks to be successful. A user could be on a VDI desktop in the data center, or they could be on a laptop connected over a 3G connection via a tethered cell phone. If the exploit code is a few megabytes of content embedded in an email attachment, it will execute the same way whether it arrives over a Gigabit connection in the data center or a latent, crappy mobile network connection.
Once the machine has been compromised, the data center connection certainly makes it easier for the attacker to reach hundreds if not thousands of other machines inside the corporate network (assuming you don't isolate systems). However, these machines could also be reached over a 3G connection or a home DSL/cable connection. Modern attacks are often written not to port-scan a network aggressively, because attackers know that sequential port scanning at a high rate will be caught by an IDS. Instead, the attacker will use randomized port scanning or even manual efforts to avoid detection. So while there are people out there who insist that being in the data center increases your risk, that's just plain FUD.
So how do we improve security against the email/browser threat?
Joanna Rutkowska has a great blog article that talks about the three main ways to implement security. I encourage you to read the whole article, but in short, here's a summary of the three ways we can try to implement security.
- Security by correctness - Security by correctness means we shouldn't create software bugs in the first place. This is obviously a very difficult thing to do. If it weren't hard to do, there literally would be no security software/hardware companies, because there would be nothing to prevent attacks against. Software developers are human and they make mistakes. Because of that, we can't count on this to resolve our issue.
- Security by obscurity - Security by obscurity is all about creating methods that make it more difficult for an attacker to compromise a system through known weaknesses. An example of this method is code obfuscation, which makes it more difficult for an attacker to reverse engineer someone's code by mangling it so that its execution is not as easy to follow in a debugger. Another example of a security-by-obscurity solution is Address Space Layout Randomization (ASLR), which loads code at "somewhat random" addresses in memory in order to avoid a predictable load address, since a predictable address is what allows an attacker to more easily exploit buffer overflows and the like. While security-by-obscurity solutions do improve security, we can hardly count on them to resolve all the issues.
- Security by isolation - Security by isolation is exactly what it sounds like. Find a way to isolate the resources that would be exposed to an attacker when the code in question executes. If you find a way to create a secure perimeter around a piece of code, then you potentially mitigate the risks of running that code on your system.
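The ASLR point in the security-by-obscurity item above is easy to see from user space. The following script is an added example (not code from the original post or from Joanna Rutkowska's article): it starts a few fresh interpreter processes, asks each one for the address of a freshly allocated heap buffer and of a function inside the interpreter's own code, and reports whether those addresses stayed predictable from one run to the next. The child snippet, the function names (`sample_addresses`, `is_predictable`, `aslr_report`) and the run count are all assumptions of this example; it assumes a host where launching `sys.executable` as a subprocess is allowed.

```python
"""Added example (not from the original post): observe ASLR from user space.

ASLR makes the heap and code addresses of a process differ from one run to
the next. A hard-coded address only works for an attacker when every run
lands in the same place, so "predictable" here is the condition ASLR removes.
"""
import subprocess
import sys

# Code executed inside each child process (constructed for this example).
# It prints two addresses: one from the heap (a fresh 4 KiB buffer) and one
# from the interpreter's own code (the Py_IsInitialized entry point).
CHILD_SNIPPET = r"""
import ctypes
buf = ctypes.create_string_buffer(4096)
heap = ctypes.addressof(buf)
code = ctypes.cast(ctypes.pythonapi.Py_IsInitialized, ctypes.c_void_p).value
print(heap, code)
"""


def sample_addresses(runs=4):
    """Launch `runs` fresh interpreter processes and collect one
    (heap_address, code_address) pair from each."""
    samples = []
    for _ in range(runs):
        out = subprocess.run(
            [sys.executable, "-c", CHILD_SNIPPET],
            capture_output=True, text=True, check=True,
        ).stdout
        heap, code = (int(x) for x in out.split())
        samples.append((heap, code))
    return samples


def is_predictable(values):
    """True when every run produced the same address, i.e. the layout is
    predictable and ASLR is not doing its job for that region."""
    return len(set(values)) == 1


def aslr_report(samples):
    """Summarise a list of (heap, code) pairs: did each region move between
    runs? Pure function so it can be checked against constructed samples."""
    heaps = [h for h, _ in samples]
    codes = [c for _, c in samples]
    return {
        "runs": len(samples),
        "heap_predictable": is_predictable(heaps),
        "code_predictable": is_predictable(codes),
    }


if __name__ == "__main__":
    # On a host with ASLR enabled and a position-independent interpreter,
    # both regions should report predictable == False.
    report = aslr_report(sample_addresses())
    for key, value in report.items():
        print(f"{key}: {value}")
```

If the heap moves but the code does not, the interpreter binary was most likely not built position-independent; that is the "somewhat random" qualifier in the item above showing up in practice, and the same check applies to any native application you want to audit for ASLR coverage.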
Security by isolation provides the best method of defense and can be implemented in a number of different ways. Stay tuned for part 4, where I'll discuss the different methods of security by isolation and how they help (and hinder) our end users.