If you read "Part 1: There's Only Two Types of Data" and "Part 2: Centralization Helps in Other Ways" of my "VDI and Terminal Server are not more secure than physical desktops" series, you may have noticed that I ended them without providing advice on how we can reduce the data security risks. Your wait is over!
Look at this cool wooden horse we made for you…
According to Greek folklore, during the battle of Troy the Greeks withdrew from Troy after delivering a large wooden horse. The Trojans believed it to be a peace offering of sorts and towed it inside the city walls of Troy. After the Trojans went to sleep, approximately 40 Greek soldiers emerged from the giant wooden horse and opened the gates of Troy where the rest of the Greek army was waiting. The army easily overran the Trojans and claimed victory over Troy.
In modern-day terms, a Trojan horse is a piece of software or a document that the end user believes is the legitimate program or file they actually wanted. Instead, the software or document has malicious intent, which can range from stealing information such as software licenses, banking account information and website passwords to taking control of the PC from that point forward (turning it into a "zombie" PC) and receiving command-and-control instructions from central systems on the Internet. Collections of these "zombie" machines are called botnets and in many cases contain millions of PCs.
How computers get compromised
Most computers will get compromised by one of the following methods:
- Downloading software that contains a virus/trojan horse. This method can largely be prevented by not allowing users to install software and locking down their PCs.
- Inserting a removable storage device that contains a virus/trojan that executes automatically upon insertion of the drive. Even though the user may not intend to invoke the software, there are many ways to compromise various operating systems simply by inserting media into a PC.
- Opening an infected document. A very common exploitation vector for viruses/trojans over the last few years has been opening documents such as Office documents, JPG/PNG images, PDF documents or ZIP archives. There have been massive investments by Microsoft, Adobe and other vendors to sandbox their software and reduce the likelihood that it becomes the entry point for compromising the PC. This remains the largest security concern for targeted attacks, since an attacker can research the people who work at a particular organization, discover their email addresses and then deliver a spearphishing attack via email. Combined with effective social engineering, this is a highly effective means of getting directly to the source of the information the attacker wants. Also, when a new, unknown zero-day exploit is used, the recipient will be largely unprotected against it by any A/V, HIPS, IDS, etc.
Of the above methods, the opening of a document file (usually delivered via email) and the attack delivered via the web browser are the most common security risks we face today.
Does it matter where the PC is located for these attacks?
It is almost completely immaterial where the PC is located for one of these attacks to be successful. A user could be on a VDI desktop in the data center or on a laptop connected over a 3G connection via a tethered cell phone. If the exploit code is a few megabytes of content embedded in an email attachment, it will execute the same way whether the machine has a Gigabit connection in the data center or a high-latency, crappy mobile network connection.
Once the machine has been compromised, the data center connection certainly makes it easier for the attacker to reach hundreds if not thousands of other machines inside the corporate network (assuming you don't isolate systems). However, these machines could also be reached over a 3G connection or a home DSL/Cable connection. Modern attacks are often built not to port scan a network aggressively, because attackers know that sequential port scanning at a high rate will be caught by an IDS. Instead the attacker will use randomized port scanning or even manual efforts to avoid detection. So while there are people out there who insist that being in the data center increases your risk, that's just plain FUD.
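To make the IDS point above concrete, here is an added example (not from the original post) of the kind of rate-based scan rule such a system applies, run over constructed log lines: it flags a source that hits many distinct ports on one host within a short window and notes whether those ports were sequential, while the same number of probes spread over hours falls below the window threshold and needs longer-baseline detection. The log format, hosts, ports and thresholds are all assumed for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not from the original post): "timestamp src dst dport".
# 10.0.0.5 probes nine consecutive ports in under a second; 10.0.0.9 probes five
# unrelated ports fifteen minutes apart; 10.0.0.7 is a single benign HTTPS connection.
SAMPLE_LOG = """\
1000.0 10.0.0.5 10.0.1.20 21
1000.1 10.0.0.5 10.0.1.20 22
1000.2 10.0.0.5 10.0.1.20 23
1000.3 10.0.0.5 10.0.1.20 24
1000.4 10.0.0.5 10.0.1.20 25
1000.5 10.0.0.5 10.0.1.20 26
1000.6 10.0.0.5 10.0.1.20 27
1000.7 10.0.0.5 10.0.1.20 28
1000.8 10.0.0.5 10.0.1.20 29
1001.0 10.0.0.9 10.0.1.20 443
1900.0 10.0.0.9 10.0.1.20 8080
2800.0 10.0.0.9 10.0.1.20 25
3700.0 10.0.0.9 10.0.1.20 139
4600.0 10.0.0.9 10.0.1.20 3389
1002.0 10.0.0.7 10.0.1.20 443
"""

def parse(log):
    """Turn the assumed log format into sorted (ts, src, dst, dport) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        events.append((float(ts), src, dst, int(port)))
    return sorted(events)

def detect_scans(log, window=10.0, min_ports=8, seq_ratio=0.8):
    """Flag (src, dst) pairs touching >= min_ports distinct ports within `window`
    seconds; 'sequential' records whether the probed ports mostly step by one."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse(log):
        by_pair[(src, dst)].append((ts, port))
    alerts = {}
    for (src, dst), hits in by_pair.items():
        start = 0  # left edge of the sliding time window
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = [p for _, p in hits[start:end + 1]]
            if len(set(ports)) >= min_ports:
                steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
                alerts[(src, dst)] = {
                    "ports": len(set(ports)),
                    "sequential": steps / max(len(ports) - 1, 1) >= seq_ratio,
                }
                break  # one alert per pair is enough
    return alerts
```

Only the fast sequential source trips the rule; the slow source never has more than one probe inside any ten-second window, which is exactly why slow or randomized scanning has to be caught by longer baselines or other telemetry rather than a simple rate rule.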
So how do we improve security against the email/browser threat?
Joanna Rutkowska has a great blog article that talks about the three main ways to implement security. I encourage you to read the whole article, but in short here's a summary of the three ways we can try to implement security.
- Security by correctness - Security by correctness means we shouldn't create software bugs in the first place. This is obviously a very difficult thing to do. If it wasn't hard to do, there literally would be no security software/hardware companies in the first place, because there would be nothing to prevent attacks against. Software developers are human and they make mistakes. Because of that, we can't count on this to resolve our issue.
- Security by obscurity - Security by obscurity is all about creating methods that make it more difficult for an attacker to compromise a system through known weaknesses. One example is code obfuscation, which makes it harder for an attacker to reverse engineer someone's code by mangling it so that its execution is not as easy to follow in a debugger. Another example is Address Space Layout Randomization (ASLR), which loads code at "somewhat random" addresses in memory so that there is no predictable load address an attacker could rely on to more easily exploit buffer overflows, etc. While security by obscurity solutions do improve security, we can hardly count on them to resolve all the issues.
- Security by isolation - Security by isolation is exactly what it sounds like. Find a way to isolate the resources that would be exposed to an attacker when the code in question executes. If you find a way to create a secure perimeter around a piece of code, then you potentially mitigate the risks of running that code on your system.
Security by isolation provides the best method of defense and can be implemented in a number of different ways. Stay tuned for part 4 where I'll discuss the different methods of security by isolation and how they help (and hinder) our end users.