Do you think Anti-Virus works?
 
Reader Question
Do you think Anti-Virus works? I went through this debate with one of my colleagues, but I really want to know your thoughts.
 
Anti-virus by itself is not a silver bullet that will solve all your security issues. It is one of many interconnected and overlapping controls, and on its own it is not adequate; it needs additional controls around it.
 
Anti-virus and anti-malware software are only one piece of the puzzle. When we look at controls we always want defense in depth: we do not want to rely on a single control, because if it fails, we have been compromised. Here are some of the complementary controls that should sit alongside anti-virus.
 
* Host-based firewalls
* Host IDS/IPS, or file-integrity monitoring such as Tripwire that alerts when system files change
* Restricting which applications can run (for example Microsoft's AppLocker)
* Data Execution Prevention (DEP) turned on for the whole machine, not just for Windows programs and services
* For Windows systems, running the 64-bit edition, which enforces signed kernel-mode drivers
* User awareness, so users do not open or accept potentially malicious code
* UAC in Windows Vista, Server 2008 and Windows 7; I have actually seen this protect against malicious code.
* Etc. (too many other controls to mention)
 
Each of these protects a system against malicious code arriving through a different attack vector. For example, a host-based firewall will protect against network-based attacks but not against users downloading malicious code from the Internet. When we take all the controls in place together, we can determine whether the remaining residual risk is acceptable to us. Remember there is no such thing as 100% security; there will always be some risk.
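Knowing which of these controls is actually on is the first step. The script below is an added example, not code from the original post: it is a read-only audit of the controls in the list above on a Windows 7 or Server 2008 R2 host, using the documented WMI classes, registry values and the Windows Firewall COM interface for that OS generation. The root\SecurityCenter2 namespace used for the anti-virus check exists on client SKUs only, so that section reports nothing on Server; the rest is the same on both.

```powershell
# Added example (not from the original post): read-only audit of the
# compensating controls listed above. Run from an elevated PowerShell 2.0 prompt.
# Assumptions: Windows 7 / Server 2008 R2 era WMI classes and registry paths;
# root\SecurityCenter2 is present on client SKUs only.

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $code = (Get-WmiObject -Class Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    switch ([int]$code) {
        0 { 'AlwaysOff (DEP disabled)' }
        1 { 'AlwaysOn (every process)' }
        2 { 'OptIn (Windows programs and services only)' }
        3 { 'OptOut (all except an exclusion list)' }
        default { "Unknown ($code)" }
    }
}

function Get-UacState {
    # EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin = 0 means admins are never prompted.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        Enabled            = ($p.EnableLUA -eq 1)
        AdminPromptSetting = $p.ConsentPromptBehaviorAdmin
    }
}

function Get-HostFirewallState {
    # HNetCfg.FwPolicy2 profiles: 1 = Domain, 2 = Private, 4 = Public.
    # Default actions: 0 = Allow, 1 = Block.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $profiles = @{ Domain = 1; Private = 2; Public = 4 }
    foreach ($name in $profiles.Keys) {
        $id = $profiles[$name]
        New-Object PSObject -Property @{
            Profile         = $name
            Enabled         = $fw.FirewallEnabled($id)
            InboundBlocked  = ($fw.DefaultInboundAction($id) -eq 1)
            OutboundBlocked = ($fw.DefaultOutboundAction($id) -eq 1)
        }
    }
}

function Get-AppLockerState {
    # AppLocker rules are only enforced while the Application Identity service (AppIDSvc) runs.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $ruleCount = 0
    try {
        Import-Module AppLocker -ErrorAction Stop
        $policy = Get-AppLockerPolicy -Effective
        foreach ($rc in $policy.RuleCollections) { $ruleCount += $rc.Count }
    } catch {
        $ruleCount = -1   # AppLocker module not available on this SKU
    }
    New-Object PSObject -Property @{
        ServiceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')
        EffectiveRules = $ruleCount
    }
}

function Get-AntiVirusState {
    # Client SKUs only. productState is a vendor-specific bit field, so it is reported raw.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState
}

$os = Get-WmiObject -Class Win32_OperatingSystem
Write-Host "OS:  $($os.Caption) $($os.OSArchitecture)"   # 64-bit implies signed kernel-mode drivers
Write-Host "DEP: $(Get-DepPolicy)"
Get-UacState          | Format-List
Get-HostFirewallState | Format-Table -AutoSize
Get-AppLockerState    | Format-List
Get-AntiVirusState    | Format-Table -AutoSize
```

A host that shows DEP at OptIn, a firewall profile with OutboundBlocked false, and zero effective AppLocker rules is relying on anti-virus far more heavily than the list above intends, and that is exactly the residual risk the next paragraph asks you to weigh.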
 
One last point on why you still need anti-virus. Just about every security standard requires protection against malicious code. Whether it is PCI DSS (Requirement 5), NIST SP 800-53 (control SI-3), ISO 27002, COBIT, GASSP, ITIL or another, they all list anti-virus as a basic control. Due diligence is demonstrated by adopting industry standards that have been peer reviewed. If all of these top standards require anti-virus, it would be negligence not to have it.

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
TechEd 2009 Keynote Announcements part 1

TechEd 2009 in Los Angeles was a hit with over 7,000 attendees. The keynote was given by Bill Veghte, senior vice president of the Windows business. He talked about the feedback Microsoft has been given and a number of key issues and concerns people have: operating in turbulent economic times, staffing, mobile security, compliance, desktop anywhere, application compatibility, virtualization, doing more with less, and the speed of change. One point he made was to ask Microsoft for what you need and want, and they will respond.
 
He talked about Dynamic IT and user-centricity. Users are concerned that complexity and flexibility need control and management.
 
New products discussed:
 
Windows 7
Outstanding response from beta testers: over 10 million installs of the beta, far more than any previous Windows product at the same point before release. Customer input from that beta indicated the OS was ready and performing better than XP and Vista. Some early graphics card issues came up and were addressed.
Tight integration with Intel concerning hyper-threading. Windows 7 offers the full experience for end users and more manageability, with IE 8 clickjacking protection and over 1,500 Group Policy settings for IE 8. Logo testing has already kicked off for Windows 7. (Logo testing is when vendors submit hardware and software for testing to see whether it works with Windows 7.)
 
For security, items such as BitLocker To Go allow users to encrypt USB drives, with new Group Policy settings to control how users use it (for example, denying write access to removable drives that are not BitLocker-protected). AppLocker was also added as an extension of the existing Group Policy controls to restrict which applications can run on enterprise desktops.
 
Paired with Server 2008 R2, Windows 7 clients can connect to the corporate network without a traditional VPN client and without end-user intervention; the connection is established automatically over IPsec whenever the machine is on the Internet. This technology is called DirectAccess.
 
Windows XP Mode includes a license for XP running in a virtual machine on Windows 7. Applications can be installed onto the Windows XP image and placed on the Windows 7 Start menu, so the end user does not need to understand the virtual machine; the application experience is seamless. Microsoft Enterprise Desktop Virtualization (MED-V) is the virtual machine management system for enterprises that is used to administer Windows XP Mode images.
 
Windows 7 has native VHD support. A virtual hard drive can be mounted on a Windows 7 machine as if it were a physical hard drive, which will make management of virtual hard drives a breeze. In the keynote they demonstrated the new support by placing a copy of a virtual hard drive inside another virtual hard drive.
 
Windows 7 release was given as currently on track for Holiday 2009. I think we should see it at the end of the 4th quarter.
 
Office 2010
There will be an invitation only preview that will come out in July 2009. Attendees of TechEd were mentioned as those who would receive the invitation.
 
Exchange 2010
Release to manufacturing (RTM) in the last quarter of this year.
 
SQL Server 2008 R2
New pattern matching, new and improved Excel integration.
 
Windows 2008 R2
Windows Server 2008 R2 release was given as currently on track for Holiday 2009. I think we should see it at the end of the 4th quarter.
 
I will be posting more from TechEd 2009 in the near future.

 
Donald E. Hester
 
Server Hardening

Reader Question on Server Hardening

Don,
I have been tasked with the job of building a web server for our group. I plan to build it out as a 2003 enterprise box running a couple of VMware web servers; one will be IIS. Do you happen to have any advice or information (links) you can throw my way about the hardening/securing process? Thanks.
 
Response:
Thanks for your great question. There is a security template for Server 2003 called SSLF (Specialized Security - Limited Functionality). The whole security guide is here:
 
http://technet.microsoft.com/en-us/library/cc163108.aspx
 
The template really locks the server down and may stop IIS from functioning correctly, depending on what you are trying to run. There are SSLF templates you can download and try, so you do not have to go through all the settings by hand. If IIS does not work, look through the settings that may affect it; the services the template disables and the user rights assignments it tightens are the usual suspects.
 
If I were planning to do this, I would use Server 2008 and apply the SSLF settings from the Windows Server 2008 Security Guide (http://technet.microsoft.com/en-us/library/cc264463.aspx). On 64-bit Windows, kernel-mode drivers must be digitally signed (driver signature enforcement), which adds a layer of protection against rootkits. I would also ensure DEP (Data Execution Prevention) was turned on for all programs, and that the Windows Firewall was set to deny all inbound and outbound traffic except what is absolutely needed. If you can place an application firewall in front of it, so much the better.
 
One point to remember is that SSLF settings will lock the server down to the point that the service you want to run will not run. You will then need to hunt down and change the appropriate settings: start from the SSLF configuration and make the adjustments you need, and export the current security configuration before you apply the template so you have a baseline to compare against. Looking for what to adjust can take some time. Also note that hardening the VMware host does not carry over to the guests; each virtual web server has to be hardened as a server in its own right.
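To make the steps in this response concrete, here is an added example that is not part of the original post: a script for a Windows Server 2008 IIS host that captures a pre-hardening baseline, turns DEP on for every process, sets the Windows Firewall to deny in both directions with an explicit allow list, applies an SSLF template with secedit, and then records what changed. The template path, management subnet and domain controller addresses are placeholders that you must replace; nothing here is taken from the security guide itself.

```powershell
# Added example (not from the original post): scripting the baseline from the
# response above on a Windows Server 2008 web server. Run from an elevated prompt.
# Placeholders you must replace: the SSLF .inf path (whichever template you
# downloaded with the security guide), the management subnet, and the DC addresses.
$WorkDir     = 'C:\Hardening'
$TemplateInf = "$WorkDir\SSLF-WebServer.inf"   # placeholder: your downloaded SSLF template
$MgmtSubnet  = '10.0.0.0/24'                   # placeholder: where RDP is allowed from
$DomainCtrls = '10.0.0.10,10.0.0.11'           # placeholder: DCs this server must reach
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Snapshot the current security configuration BEFORE the template touches it.
#    When IIS breaks later, this is what you compare the applied state against.
secedit /export /cfg "$WorkDir\before.inf" /quiet

# 2. DEP for every process, not just Windows programs and services (takes effect after reboot).
bcdedit /set "{current}" nx AlwaysOn

# 3. Windows Firewall: block everything in both directions, then allow only what
#    this web server needs. Default-deny outbound also blocks DNS, domain
#    authentication and Windows Update, so those get explicit rules. Rule names
#    avoid spaces so PowerShell passes them to netsh as single arguments.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name=IIS-HTTP-in  dir=in  action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name=IIS-HTTPS-in dir=in  action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name=RDP-from-mgmt dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtSubnet
netsh advfirewall firewall add rule name=DNS-out dir=out action=allow protocol=UDP remoteport=53
netsh advfirewall firewall add rule name=DC-out  dir=out action=allow remoteip=$DomainCtrls
# svchost hosts many services, so this rule is broader than Windows Update alone; tighten it if you can.
netsh advfirewall firewall add rule name=WindowsUpdate-out dir=out action=allow protocol=TCP remoteport=80,443 program="$env:SystemRoot\System32\svchost.exe"

# 4. Apply the SSLF template. /overwrite starts from a clean database so entries
#    left by earlier runs cannot mask what this template actually sets.
secedit /configure /db "$WorkDir\sslf.sdb" /cfg $TemplateInf /overwrite /log "$WorkDir\secedit.log" /quiet

# 5. Check that the services IIS depends on survived the template:
#    W3SVC = World Wide Web Publishing Service, WAS = Windows Process Activation Service.
Get-WmiObject -Class Win32_Service -Filter "Name='W3SVC' OR Name='WAS'" |
    Select-Object Name, State, StartMode

# 6. Export the applied state and list exactly which settings the template changed.
#    When something stops working, review these lines first rather than the whole guide.
secedit /export /cfg "$WorkDir\after.inf" /quiet
Compare-Object (Get-Content "$WorkDir\before.inf") (Get-Content "$WorkDir\after.inf") |
    Out-File "$WorkDir\changed-settings.txt"
```

The before/after exports are the part that saves the most time: rather than reading every SSLF setting to guess which one stopped IIS from starting, you work through the (much shorter) list of differences, re-enabling one setting at a time until the service runs again. Reboot after the script so the DEP change and the template's kernel-level settings take effect.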
 
Donald E. Hester
 
 