Whether your business is a big fish or a small-fry home office, you can get hacked just the same, and the stakes are higher than a few canceled credit cards. Here are a few tips to protect your users and your networks–steps that even enterprise-class security specialists may slip up on.
Know Who Might Be Targeted–and How and Why
With the recent news of attacks on U.S. companies including Google, many business owners might be thinking, “That wouldn’t happen to me–I don’t have anything so valuable on my servers that an attacker would go after it.” Many attacks aren’t targeted at all, but are the result of self-selection. That is, the attacker casts a wide net by sending thousands of messages to a harvested list of e-mail addresses, and the ones that respond–either by clicking a link or via a ping-back embedded image in the e-mail–are the self-selected targets to pursue.
Targeted attacks–or “spear phishing,” as they have come to be known–are a more dangerous animal. A good attacker performs reconnaissance by scanning a target organization’s Website, quarterly SEC filings (if a public organization), and press releases to find names of key personnel and e-mail addresses.
If that fails, attackers will probably prowl industry conferences and public speaking events (slideshows are almost always archived on the conference Website with the speaker’s name, title, and e-mail address); they’ll also check out social networking sites–it’s easier for a hacker to bait the hook by figuring out who’s in charge through Facebook fan pages and LinkedIn profiles.
While your average spammer is looking for quantity, a spear phisherman is looking for quality. Any key executive that regularly handles sensitive documents or has elevated permissions on a company’s file server is a potential victim. Although you might jump to the top of the organization chart and think that the CEO is where spear phishermen would focus their lasers, consider your CEO’s executive assistant, as well. This person is accustomed to receiving hundreds of e-mail messages a day for the CEO from unfamiliar senders, and is likely charged with sorting all inbound messages. The assistant is more likely to be stressed, behind a deadline, and pressured to avoid delaying important messages–and thus more likely to make a poor computer security decision.
For similar reasons, a general counsel or staff attorney at an organization is also a good target, especially with an Adobe PDF attack. Attorneys regularly exchange large PDF briefings between one another and between companies. It wouldn’t be a stretch to imagine sending a mock cease-and-desist e-mail message from a spoofed address of your favorite influential intellectual-property law firm and include a PDF with a malicious payload. The attorney wouldn’t think twice about opening such a message; and once the payload within the PDF is executed, the attorney’s machine is effectively “owned” by the attacker.
Don’t Take the Bait
Spear-phishing attacks aiming for competitive intelligence or corporate espionage are likely to have a custom-tailored message (e-mail, IM, tweet, and so on), such that the victim is more likely to take the bait. A top nuclear physicist at a research institution is unlikely to follow through on a link advertising replica Rolex watches or natural male enhancement, but if the message is inviting the victim to be a speaker on a panel at a well-known nuclear physics symposium, the bait will be all but irresistible.
Although you might think that in 2010, most users (and especially tech workers) would be suspicious of any password reset or messages declaring that “we are improving our security,” a stunning number of them will still be fooled by such schemes. My company, Special Ops Security, as part of its assessments with organizations and government agencies, will run controlled experiments where we intentionally phish targeted individuals at a company and track both click-through and captured passwords on an encrypted Web site.
Two colleagues of mine have even started their own self-service portal for CIOs to run mock “spear phishing” of their employees at PhishMe.com. It’s a particularly eye-opening exercise, and I highly recommend it.
Use Unique E-Mail Addresses to Keep Password Reset E-Mails at Bay
If you don’t believe that you would fall for a targeted e-mail discussing your upcoming new product or a malicious PDF with a class-action settlement notice, there is the ever-present category of password reset and social networking notification messages. Most Websites, as an unfortunate necessity of large scale, have a “forgot password?” function that sends e-mails to allow you to obtain access to your account.
Additionally, we are trained to expect notification e-mails from sites informing us of new friend requests, or photos of ourselves that others have posted. This is a particularly enticing proposition for the human psyche–how can I resist clicking on “have you seen this hilarious picture of you from last night?”
How is one to know if Facebook or MySpace truly sent the e-mail or if it is spoofed? Eventually there will be enough adoption of electronic signatures and DNS-level security to make these spoofed messages ineffective. In the meantime, there is one method that I employ to make sure a message is genuine. Each social networking (or e-commerce, airline, or whatever) Website that I use has its own unique e-mail address for me.
If you are fortunate enough to have your own domain name and a mail server (Google Apps is great for this), you can create firstname.lastname@example.org and email@example.com. If you receive any notification message purporting to be from a site but the “to” address does not match, consider that message to be highly suspect and delete it immediately.
For those of us without the luxury of their own domain, or who are worried that someone might be able to easily guess their firstname.lastname@example.org addressing scheme, a few e-mail masquerading services are available. My favorite is Sneakemail.com, which lets you create an unlimited number of e-mail aliases for a modest $2 per month. This way, you can use one unique e-mail per Website, and all the messages get forwarded to your “real” mailbox. The service even handles replies, so that the Website never has your real address.
If you receive a password reset notification directly to your work e-mail instead of your unique address for that site, you know it is at best spam and at worst a phishing attempt. As a nice side effect, you’ll be able to catch unscrupulous Websites that share your information with third parties. I once received several unsolicited offers from a company to the e-mail address that I had provided only to a particular airline’s frequent flyer club. Needless to say, I contacted the club’s privacy department, provided logs, and promptly canceled that account.
Don’t Click on Anything in E-Mail
As a rule, I don’t click on links within e-mail, ever. Not even from known senders. Well-formatted HTML e-mails should have a URL just below the big “Click here” button, usually in a section that says “if your e-mail program doesn’t allow links, copy and paste the following into your browser.” If you still can’t find the URL, switch your mail reader to display plain-text (in Gmail, you can use the “Show original” option from the reply menu) and find it there.
If I really want to click through, I will highlight the URL and paste it first into the Google search bar of my Web browser. If nothing else, this removes any HTML or rich-text formatting that my clipboard picked up and leaves me with a pristine plain-text URL. This strips away most of the obfuscation tricks such as www.yahoo.com.com.attacker.evil.ru, where you might not realize that the DNS (domain name server) will read a URL from right to left (meaning you are visiting a site at evil.ru) and humans will read the URL from left-to-right (perhaps thinking they are visiting a sub-section of yahoo.com).
Furthermore, submitting the URL to a search engine also protects me from homograph attacks where someone could send a link to www.paypa1.com (the numeral 1 instead of lowercase “L”). It would be obvious from the first few links that something was not quite right, though Internationalized Domain Names can add complications. Total cost to allow Google to run a sanity check on the link and remove rich-text formatting: zero.
Patch Early, Patch Often
Patching is absolutely necessary and (almost always) absolutely free. It’s amazing to have to say this, but the first thing to check–right now–is whether you are up to date on all your patching. Set an iCal/Outlook reminder and do it monthly. A good time would be the second Wednesday of each month, since Microsoft releases its security updates on the second Tuesday. Or you can tie the task mentally to paying your mortgage or rent–as you’re writing that check, also “check” for updates.
I don’t mean just double-click on Windows Update, either. If you haven’t activated Microsoft Update (a variation of Windows Update), you won’t receive any Microsoft Office updates. But don’t stop there! Make sure you visit Adobe to update your Flash plug-in and PDF Reader software. Firefox does a good job of pushing out updates without user intervention, but it won’t upgrade you to a major new release, so check the Firefox site as well.
I continue to light candles and wait for the day when Microsoft will open up its Windows Update infrastructure for all Windows software publishers to push their updates through one centralized location, automated, and with just one click. Until that day, try using software like Secunia’s Personal Software Inspector (free for personal users) that will scan all software on your computer and give you a consolidated look at where security patches are missing.
I’ve audited networks with IT managers who were quite proud that they update their antivirus signatures every 5 minutes, but they had critical servers with stock versions of Internet Explorer and Adobe, and missing OS patches from 2007! Some reports have claimed that the success of the attack on Google was due to an employee using an outdated Web browser.
Just last week, Google announced that they would be dropping IE 6 as a supported browser from their Google Apps and Google Docs services. When manufacturers release newer, more secure versions of software (I’m looking right at you, Internet Explorer 6 and 7 users), upgrade to the latest version. The 5 minutes that you spend watching the installation progress bar is well worth it in terms of the security provided by such newer technologies.
Hardware needs updating, too. Inventory your hardware and check up on firmware updates (just as important as software patches). Twice a year, look on manufacturer Websites for any hardware with a network port–not just your routers and switches, but also your multifunction copiers, your restaurant POS terminals, your Blu-ray player, your PBX, and your Twitter-enabled coffee pot.
Don’t Let Bob Stop You From Running a Secure Network
Customers often claim that their servers aren’t patched because “Bob says so” and he is the Dev Manager or the VP of Sales, and their custom application won’t run on the latest service pack or requires an ancient Web browser with all security features disabled. This is an unacceptable business risk in my opinion. If a particular division within the company runs software that precludes them from running the latest security patches, IT needs to isolate those servers in your network the way that it would segregate classified networks from unclassified networks.
Furthermore, unpatched servers should never have access to the Internet. Staff should access these dangerously unpatched servers only via dedicated computers (not the same ones that are used to read e-mail and browse the Internet) on a dedicated “less secure” network.
Unless businesses take information security seriously, they cannot avoid information theft and costly outages. Jars of peanut butter that have a small chance of being tainted are pulled off store shelves within hours of a recall starting; a financial server with known vulnerabilities that processes paychecks for hundreds of employees is allowed to operate for months. Nobody should run an unpatched server just because Bob says so.
The P of P2P Is Personal, Not Business
I’m going to say something unpopular: P2P has no business on your work computer. The risk of malicious software from P2P (peer to peer) networks far outweighs any legitimate need for BitTorrent or KaZaa. On your personal computer, I still don’t advise its use, but I can understand that there are several legitimate reasons for using it. Use reputable Websites to obtain shareware applications.
If you must participate in P2P, use a separate, nonadministrator user account for those functions. Never run software that you download from a P2P network in your administrator account, and always scan these downloads with several antivirus packages. Virustotal.com is a good place to do a quick scan of a dubious download if you don’t already have a solid security package such as Norton Internet Security 2010. If you’re a tech-savvy power user, run P2P software in a virtual machine to insulate your host operating system.
Nail Down Your Network
Switch your company and your home router’s DNS resolver to use OpenDNS. Do it right now, I’ll wait. There’s no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don’t want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.
After 5 minutes of reconfiguration, your Internet connection will be snappier because the OpenDNS servers usually respond more quickly than your default ISP servers. Its Website explains the simple steps involved in changing your home router or your company’s Active Directory domain controllers to their resolvers, and it has infrastructure spread all over the globe to ensure a speedy reply no matter where you are.
For power users and anyone in an IT capacity at work, I’m a big fan of using a host-based outbound firewall on both servers and workstations. It is absolutely essential to be notified when an unknown or new process decides to make an outbound connection. This way, even if something slips past your antivirus and antimalware defenses, you can catch it on the way out. Of course, this won’t help nontechnical users who always click “Accept” on any pop-up that comes up.
At your company, implement outbound firewall rules. Most companies I work with have an “allow all” outbound policy for their users. While this may have been acceptable in the past, in this century I would not recommend running a business with such a permissive policy. You can start with restricting users to only HTTP and HTTPS outbound; this won’t protect you from everything, but it will close down a large portion of outbound connections that may not be authorized. You can also use OpenDNS to restrict access to inappropriate Websites.
Most important (and most often overlooked), server and DMZ networks should allow only a few explicit outbound connections (such as outbound SMTP for your mail server). Modern packet inspection firewalls are smart enough to allow your Web server to reply to an inbound request for a Web page, but very few legitimate reasons exist for your Web servers to initiate a connection to the outside world.
To be sure, there are exceptions (business partner inventory interchange, or offsite data backup, for instance), but in general most servers respond to inbound requests for information and do not themselves initiate connections. If a hacker compromises your server, one of the first things he or she will do is to use your server to connect to another machine (either within your organization or back to their network). Leaving a rule for outbound access to windowsupdate.microsoft.com (and similar update sites) is perfectly acceptable. A blanket “allow all” policy is just asking for trouble.
Steven Andrés is Founder and CTO of Special Ops Security.