By Dino Londis
As I was typing this story on my home PC, the disk space was shrinking at about a megabyte every two seconds. I type fast, but not that fast. I have both Symantec EP and Webroot installed and neither gave any warning. Files in my temp directory were self replicating. I had a rogue dll in memory that I couldn't stop. If I didn't work in an aspect of desktop security, I wouldn't know where to start to fix it. I hadn't seen this exact malware before, but I knew where to look. What would happen if this hit your two thousand user firm?
Of course we all won't become CSSPs, but we all need to understand the vulnerabilities and trends in our little corner of IT. The current model still positions security as an afterthought. The network admin checks the network perimeter and a desktop engineer deploys antivirus and patch management. The trend is for a new position of security administrator. But that position is only good for the big picture. The day to day attacks increasing sophistication will pull all departments into a security mindset whether theyÂ¿re ready or not. Help desk will spot and report trends; programmers build security into their code, and most of all, management needs to reshape acceptable practices, even for VIPs.
That last step is the steepest. How do we explain what you can't see? A top shelf endpoint protection product shows no virus activity so that must mean no virus activity, right? The better malware writers don't write their code to be detected. It's no secret that the bad guys test their software against detection from top EP products to ensure that their code installs. Symantec recently issued a letter to its customers explaining why free software is outperforming their EP product.
An infected computer runs as well as a non-infected one. I've worked in an environment where the AV software detected nothing, yet our ISP said we were spamming and one look at our firewall and indeed we were. Several of our machines were acting as mail servers using port 25 to send thousands of messages a day. A cleverly written key logger using port 80 will have a field day.
Stop Blaming the User
We think of the endpoint as the device attached to the node, but the real endpoint is the user. The computer itself is perfectly protected in the state that it's imaged. Security companies such as Symantec recommend educating the user to the best practices: Don't put a found flash drive in the computer. Don't open email with odd attachments. Don't visit questionable websites. That's great advice for 1999 when a VBScript came via email. Recently visitors to the Drudge Report were loaded with spyware just by landing on the page. Web filters won't block legitimate sites like Drudge.
If we allow users full access to the web, then we must accept the responsibility of keeping their PC protected regardless of what they do. Imagine telling a driver that if she drives down that road, she might get a flat, but if she does, we'll rush her a new car and let her drive right down the same road. If we really want to protect the node we really have to treat it like it is the end point.
It will take a catastrophic event for management to fully understand the network's vulnerabilities. Until then, security, like disaster recovery, should be built into the process. For example, help desk needs to differentiate valid processes from foreign ones, regularly check processes and the quarantine folder. Maybe even look in the run registry keys during help desk calls to spot trends.
Short of streaming the OS, the Desktop Group should employ Microsoft Data Protection Management or Acronis Backup Recovery for workstations even if all data is stored on the network. What's important is getting a workable PC in front of the user as soon as possible. Imaging takes too long. The recent fiasco by McAfee putting PCs in a reboot cycle would've had much less impact on the enterprise with DPM.
A member of the network group could act as an ethical hacker attempting to break into the network from the outside, discovering passwords and revealing vulnerabilities before a true hacker does. You'll get anyone's attention if you show them their bank password.
We read again and again the future of IT is in security, but the need for security is everywhere in IT, so no matter where you sit, you can work toward becoming that expert. It will improve the resume as well.
Dino Londis is an applications management engineer in New York.