Who doesn't love that scene in "A Few Good Men" in which Jack Nicholson's character tells Tom Cruise's character, "You can't handle the truth. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom I provide, and then questions the manner in which I provide it. I would rather you just said 'Thank you' and went on your way."
I often feel like I'm acting out that scenario when speaking to CIOs and senior security leaders. They want me to tell them how to stop hackers and malware from invading their environments. Usually I'm consulting on some multitiered firewall/proxy/security solution aimed at protecting back-end databases. We talk about packet-inspecting firewalls, intrusion detection, two-factor authentication, and all sorts of high-tech defensive solutions that add several layers to their defense-in-depth protection.
[ The shortest distance between professional malware and your company's data is an unpatched Web browser. See the InfoWorld Test Center guide to browser security. ]
Then I say something like, "That's all great, but it won't work." I usually have their attention by then.
Next, I throw out the inconvenient truths:
- Most of today's security risk in the average computing environment comes from "drive-by downloads" -- that is, trusted insiders get infected by Trojan software that they were tricked into installing.
- If you allow your end-users to install any software they want, then your risk of security exploitation is high.
- Even if you are fully patched and the software you run contains zero bugs (this is never true), it barely decreases the risk from drive-by downloads.
- Most malware and malicious hackers are criminally motivated and seek monetary gain.
- End-user education is highly overrated and will fail.
- Your firewall, your anti-malware software, and your IDS will fail.
How to handle the truth
This is not to say that defense-in-depth and all that other good stuff shouldn't be done. But the risk from reckless end-users unwittingly executing Trojans and installing their own software is so high that all the other intrusion methods and their resulting mitigations are but a small percentage of the overall attacks in the wild. The intruder doesn't have to worry about all your perimeter defenses and fancy log-on techniques because the trusted end-user escorts him through. Most of the big online heists you read about don't occur because the attacker compromised some Web server or database from the Internet. No, the attacker simply uses an insider's legitimate access to explore the network, find juicy targets, download data, and implant other malware.
If you want the best computer defense your precious dollar can buy, focus on fixing that one problem.
The best solution is to prevent end-users from installing random software (which is often secretly malicious). Many administrators tell me they can't do that -- their employees would revolt and the company would become unproductive. I understand; that's the reality in many environments. But not fixing that one problem means you have to do all the other things, which will probably ultimately fail you.
Does your senior management understand that? Do they know that essential truth? Would they be as reluctant to lock down end-user PCs if they knew that the money spent on all the other defenses addressed just a tiny part of the overall security risk?
If you have the green light to solve that one problem, how can you do it? First, don't let your users have access to elevated Administrator or root accounts that allow software installs. That means you'll need to install all necessary software with the base image and manage updates using controlled software install technology.
Second, use whitelisting software to control which applications users are allowed to run. Whitelisting is available in Windows 7 (AppLocker) and from vendors such as Bit9, SignaCert, and McAfee. InfoWorld's Test Center will be publishing a comparison of whitelisting products later this month.
[ Is your network in danger of a password-cracking attack? Test the strength of your password policy. ]
Of course, it doesn't hurt to implement all those other defenses if you do them correctly and thoroughly. When you patch, make sure you patch everything, and in a timely manner. By "everything," I mean every OS patch, every app, every browser add-on, every network device, every security appliance. I've yet to pen-test a network that had up-to-date code on its Cisco routers. And I'm not surprised that security appliances often go unpatched. An appliance is nothing but a computer running software, but it's software that is usually harder to patch.
The learning gap
I would love to believe that end-user education could work against the new line of Trojan threats. But after trying and failing to beat malware with end-user education for the last 20 years, I'm not particularly hopeful. I've gone from telling end-users not to boot from floppies, to don't run that macro, to don't open that file attachment, to don't run that fake anti-virus software, and no, Microsoft doesn't send patches or updates via e-mail.
It takes us three to five years to educate our end-user population against a particular type of threat, and the attackers only three to five weeks to make up a new social engineering vector. Time and human nature are working against us.
But what the heck, if you can't block random software installs, your next best hope is probably end-user education. But if your company is like most of the places I've been involved with over the last few years, you last updated your computer security education material about five years ago. Employees are generally lucky if they get a few pages of material, and almost none contain information about the latest, most common threats. We need to change that. Educate your employees about the latest evolving threats. There are plenty of graphical guides out there. Or make an example compilation of the various Trojan threats that are popular today and send them to your users for review.
I still think Jesper M. Johansson's "Anatomy of a malware scam" is one of the best to show end-users. I've listed links to some other good resources below.
And it never hurts to "spam" your employees from an outside e-mail address to see how many of them are willing to give up their log-on credentials for a scam.
At the end of "A Few Good Men," Cruise's character, the prosecuting lawyer, says, "I want the truth!" and wins the case. Today, the real-life attorney portrayed in the film is living the good life in my hometown of Virginia Beach, Va., not wanting for many material goods. It seems that fighting for the truth worked out for him.