SAFE - keyboard key

Computer security hardening – safeguarding your systems

Computer and book wrapped in chains
Putting your computer in chains is one way of hardening the system

Computer Security.  Kind of scary, actually.  With the likes of Target going down to hackers in late 2013, and a large attack on Home Depot in 2014, what can the rest of us do?  If Home Depot can be compromised, how can I protect myself?

The bad news — you are a target.  Why though?  Well, let’s consider:

  • Do you have any financial data on your computer?  You are a target.
  • Does your company operate a health care agency with HIPAA/HITECH protected data?  You are a target.
  • Do you have a point of sale system where you perform credit card transactions?  You are a target.
  • Are you attached to the Internet?  You are a target.  What?  That is crazy sounding.  Why am I a target just because I am using the Internet? Because a hacker can use your computer as a relay to attack other computers!

At this point you are likely thinking, oh great, thanks for making my day.  But remember, we are trying to make your computers safer.  Before we get into that though, let’s take a look at how malware gets on your computer in the first place.

How malware infection happens

You may think, hey, the only way malware can get on my system is through the network.  A firewall is sufficient to protect against those blasted attacks!

Hey look!  I have a new email!  But... is that email a virus?
Hey look! I have a new email! But… is that email a virus?

Unfortunately, not all malware infects systems the same way.  Certainly, network attacks are one attack vector, but there are others.

There are email attack vectors, mp3 attack vectors, html attacks, mpeg attacks, apk attacks, over privilege attacks, Excel attacks, Word attacks, PDF attacks, and in fact the list never ends.  An attack is possible anytime there is an interface to a computer.  Sure an mp3 attack may come through a network or USB, but it isn’t a network attack.  It is an attack on the software that is rendering the mp3.  Exploring attack surfaces is well beyond the purpose of this paper, and will not be fully discovered in this paper.

Gorilla with a big grin on his face, thinking he has outsmarted the bad buy
Pixabay – Laugh is on them! But wait, not exactly. Don’t think that your data is safe, and neither think that your data is not worth stealing

One thing to note though.  You might think hey, I don’t really care if someone exploits my mpeg player.  That is a risk I’m willing to take!  What are they going to get?  A movie?  The laugh’s on them!

Well… not exactly.  The way system exploitation works is, exploit a low hanging fruit and get a shell on that system.  Once an attacker has a root shell?  Game over.  He owns you.  Even worse, he may own your network, depending on perimeter defenses that are in place.  Think: defense in depth.

How to protect your computer

Alright already, we’ve covered enough.  You may be thinking, this is way too much to pick up. You are right, it is!  The short question is, what can you do to make your computer more safe?  Let’s explore a few ways to help protect you from an attack.

1. Update your operating system software

Picture of an old computer in a graveyard looking cave
Nothing lasts forever! It might be time to retire your system if you can no longer receive patches and updates

The first thing you should do is to make sure you are using a modern operating system if at all possible.  Sure, sometimes this isn’t possible — for example, some programs, especially embedded programs, are still operating on XP.  If that is the case for you, you’ll have to make other concessions to safeguard your systems, your networks, and your data.

You may be thinking is, why in the world should I pay to update my operating system?  I paid for a version, it is working fine, so why should I update?  Because hackers know that there is a delay between the time a patch comes out and the time it is fully adopted in the community.  What happens when a patch comes out, especially a security patch, is that hackers are going to reverse engineer those updates to determine how an existing installation can be compromised.  And compromise they will.

Again, if at all possible, upgrade your operating system to a modern x64 bit solution and keep that operating system patched.  Are you using an outdated version of Windows and don’t wish to pay for an operating system?  Then use a free operating system such as Ubuntu or one of the other Linux platforms.  If that is not possible, then realize you are providing a fluid and rich attack surface and do what you can to protect perimeter systems.

2. Update your application software

An old manual typewriter ... yes, it might be time to buy a new word processor!
Is your application software end of life? Might be time to find a new software solution!

Are you still using a x16 or x32 bit application?  Do what you can to upgrade that application.

In the same way as outdated operating system software present security vulnerabilities, outdated user applications present security vulnerabilities in a very bad way.  Each time an application is updated, hackers are very likely to review the updates to identify vulnerabilities in the existing installed user base.

Freeware software

Do you use an outdated version of Firefox?  Or an outdated Adobe reader?  My suggestion is:  Don’t.  But how about if our company forces you to use an outdated version of one of these applications?  Yes, that can be an issue.  You can only do so much especially if these decisions are above your pay grade.  If you are forced to use outdated software, realize that those are reasonable attack vectors.  Being aware is the first step to security.

Paid commercial software

But what about paid applications, you might ask?  You paid nearly $5000 for your AutoCAD solution and more than a thousand for Adobe, is paying for an updated version really necessary?  The answer is yes.  You happen to be using a coveted piece of software.  If you spent thousands for AutoCAD, it is likely that you have drawings and blueprints that are worth thousands more.  Someone could use those drawings, especially if they can freely exfiltrate them from your computer.

How about layered applications like Internet Information Services, or IIS, used to serve web pages to the world?  Well, you picked up on an easy target!  IIS is a common attack vector, in part because it is easy to thumbprint the version that is being used on a network.  Once an attacker identifies that an old version of IIS is being used, the attacker only needs to find a known vulnerability with that particular version of IIS to compromise the server.

Keeping your application software updated will go far in protecting your systems.  Will it cost money?  Yes, it likely will cost.  I am a big proponent for open source software and the Free Software Foundation,  so I’m not supporting the idea of having to spend money on new software.  If you can find an equivalent open source software package that can do an equally good job for you, I’d suggest migrating to that open source software.  Otherwise, yes, you’ll have to pay for that update.

Software updates or compensating controls

If an application cannot be updated, do what you can to find a different and more modern application to use in its place, or add some other compensating controls to the software deployment

3. Use a virus protector

A lot of people are going to discount virus protection as part of the solution.  Why?  Because virus protectors provide a false sense of security.  Virus protectors only protect against “known” viruses.

This is true. Virus protectors do provide a false sense of security.  That said, virus protectors do provide protection against known viruses, so why not use one?

There are several free solutions, one of which is Windows Defender.

4. Download only from known good sites

This is a really important artifact.  Download only from known good sites.

For example, are you looking for an HP printer driver?   Then go to the HP web site for the download.  Do what you can to avoid “third party” driver sites.

Are you looking for a game or a program?  Download from downloads.com / cnet.com, or from another known good source.  There are web sites that are devoted to providing you excellent software — with associated trojan or other form of malware attached.

Are you looking for a free Hollywood movie or free APK sideload of the latest Android software through The Pirate Bay? Then be aware that the free download may also have a free Trojan attached.  How will you know whether that illegal download is malware?  You likely won’t know, even if you run it through the Cuckoo Sandbox automated malware analysis software.

5. Behavior modification

Happy dog at the beach -- but maybe you should think deeper than this!
Don’t be Pavlov’s dog! If your behavior is “security unsavory”, then it is time to change your behavior

Wait a second, behavior modification?  I’m not looking for a psychologist!  I don’t want to be Pavlov’s Dog!  Well, that is not exactly what I mean by behavior modification.

  • Be careful about downloading software that you are not absolutely sure about. Downloading it to your primary computer, especially if you use that computer for financial transactions, is doubly dangerous.  Set up a second computer or a Virtual Machine where you can run any questionable programs,. If those programs perform unexpected actions your financial records will not be compromised.
  • You know those sweet popups that promise the first thousand who click on the banner will win a free iPad?  Yeah, you aren’t going to get a free iPad.  What you will get is infected.  Don’t click that ad.  Sadly, that the ad even popped up may be very bad news, you may already be infected.

6. Use reasonable passwords

It might be better said as:  Don’t use unreasonable passwords.

Yellow sticky with a note saying "see my password on the back side" -- yes, this is not sufficient.
Protect your passwords! Writing them down in a conspicuous place is not suffiicent

What does this warning mean anyway?  One of the ways a hacker attempts to gain access to a system is through password cracking.  Password cracking is a method to gain access to a system by way of basically “guessing” the password.  A trained hacker will use one of the many password cracking software suites.

Is it reasonable to use abc123 or 1234 for a password?  Probably not.  Is it reasonable to use a single dictionary word?  Probably not.  Once a hacker has identified a username these types of passwords are very quickly guessed.

So what are more reasonable passwords?  Throw in a few upper case letters and maybe symbols.  For example, @bC123* is going to be a much less likely guess compared to abc123, and a long passphrase like Mygr3atsecretpa$$w0rd is better still.

7. Periodic scans

Another great safeguard is to run periodic full scans of your system.  Run Microsoft Defender/Security Essentials full scans, but also run other scans such as the free Trend Micro Housecall.

8. (Advanced) Use a two way firewall

This might not at first sound reasonable.  Why would I need a two way firewall?  Because if a Trojan or other rogue executable finds its way on your computer, a bidirectional firewall will be able to alert you that the software is trying to communicate.

A great free solution is ZoneAlarm Free Firewall.

The five word solution!

No?  Yes?  Maybe?  With regard to computer security, there is no easy answer
With regard to computer security and systems hardening, there is no easy answer

So what is the solution to keep me and my data safe from attackers?  The answer is:  There Is No Easy Answer.  There are things you can do to make yourself more protected, and there are things to avoid that would make you less protected.  Some of them have been covered in this paper.

The best advice available is:  Be aware.  Your data and your systems are costly, and compromises to your systems can be even more costly.

If you need personal advice on how to protect your data and your systems, feel free to contact me.

As always, let’s be careful out there!

Checklist

  1. Update your operating system
  2. Update your software
  3. Use a two way firewall
  4. Use a Virus Protector
  5. Download only from known good sites
  6. Change your behavior
  7. Periodic scans
  8. Avoid unreasonable passwords

Reference documents

  1. HHS reference document for HIPAA/HITECH protected information, http://www.hhs.gov/news/press/2014pres/05/20140507b.html
  2. The Free Software Foundation, http://www.fsf.org/
  3. Password Cracking Software, http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
  4. Trend Micro’s Housecall online virus scanner, http://housecall.trendmicro.com/
  5. Cuckoo Sandbox, http://www.cuckoosandbox.org/
  6. Microsoft Security Essentials, http://windows.microsoft.com/en-us/windows/security-essentials-download
  7. ZoneAlarm Free Firewall, http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html

<Article last updated 25/September/2014>


Comments

Leave a Reply