Learning from your mistakes is critical: it is how you push past them and benefit from them.
- Critical machines connected directly to the Internet.
- Don’t ignore the obvious – look at the bigger picture.
- Don’t set and forget! Security is ongoing.
The big takeaway from these three scenarios can be broken down as follows:
Never surf the Web with a privileged account.
This really is a common sense thing. Unfortunately, many OS vendors make the first account that is set up on the box an administrative user (a privileged account). Microsoft does it, Apple does it, and even Ubuntu does it. Fortunately, many of these same vendors see the problems associated with this and have disabled root by default. However, many versions of Linux still enable root by default. Take the time to set up a non-privileged account and use it. NEVER surf the web as root or an admin!
Make sure your machine is up-to-date (OS, App, and AV).
Make sure that your machine is patched and up to date. From an OS perspective, one needs to have a change management plan in place. There’s nothing worse than patching a critical machine only to find that upon rebooting it your services won’t start. Many users get Anti-Virus as part of the machine purchase, but these vendors only provide a very short period of free AV definition updates. This is where ISPs could come into play. One thing that I think many Internet providers should be making mandatory is AV software… Include the cost as part of the user’s monthly access charge. In addition, users should regularly check for rootkits. In many ways a machine compromised by a rootkit is much worse off than one infected with a virus, even if the virus does wipe your hard drive clean… You do have backups? Make sure that you’re really running the application you intend to. Kernel rootkits can hide the running of compromised applications as well as hiding whole parts of the file system, making it impossible to truly know what applications are running on your machine.
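One cheap way to act on the rootkit advice above is a cross-view check: list the PIDs that exist under /proc and compare them with the PIDs that ps reports. The following is an added example written for this article, not the author's own tooling; the sample /proc listing and ps output are constructed. It catches a trojaned ps or a preloaded library that filters ps output; a kernel rootkit that hooks directory listings hides from both views, which is exactly the limitation the paragraph describes.

```python
"""Cross-view check for processes hidden from ps (added example, constructed data)."""
import os
import subprocess

# Constructed sample: PID 1337 is in /proc before and after the ps run but ps
# never lists it; PID 4242 exits between the two snapshots and must be ignored.
SAMPLE_PROC_BEFORE = ["1", "2", "1337", "4242", "self", "cpuinfo", "net"]
SAMPLE_PS = "  1\n  2\n  4242\n"
SAMPLE_PROC_AFTER = ["1", "2", "1337", "self", "cpuinfo", "net"]


def pids_from_proc(entries):
    """PIDs from a directory listing of /proc (only purely numeric names are processes)."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from the output of `ps -eo pid=` (one PID per line, padded with spaces)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_from_ps(proc_before, ps_pids, proc_after):
    """PIDs present in /proc both before and after ps ran, yet absent from ps.

    Requiring the PID in both /proc snapshots drops processes that merely
    started or exited while ps was running (a normal race, not a rootkit).
    """
    return sorted((proc_before & proc_after) - ps_pids)


def live_check():
    """Run the comparison on this host and return the suspicious PID list."""
    before = pids_from_proc(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    after = pids_from_proc(os.listdir("/proc"))
    return hidden_from_ps(before, pids_from_ps(ps_out), after)


if __name__ == "__main__":
    hidden = live_check()
    print("PIDs hidden from ps:", hidden if hidden else "none")
```

Run it from a cron job and mail the result only when the list is non-empty; an empty list is the normal, boring case. A non-empty list does not prove a rootkit, but it does mean ps and the kernel disagree, which is reason to boot from trusted media and look closer.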
Know where your data resides.
Perhaps a better way of looking at it is… Know what data is on your machine. More and more these days we hear of private data being lost. It seems as if it’s on a daily basis. Protect your hard drives! PGP offers whole drive encryption. Yes, it does mean setting up a PKI, but one substantial loss could cost more in lawsuits than the time, effort and money needed to set this up. Let’s look at the latest in military data loss… On January 3rd, 2008, an Air Force band member at Bolling Air Force Base reported a laptop containing personal data on 10,501 Air Force members missing from his home (trustedid.com, 2008). Now that tops all: a musician with sensitive information. He’s someone who may have a secret clearance… but really, what does a musician need with Social Security numbers?
Check your logs or run a syslog server.
UNIX logs contain a vast amount of data, and depending on the verbosity that is set it can be overwhelming. Setting up a syslog server and then filtering the data is important. Splunk is a great tool for this, but be forewarned… there is a pretty steep learning curve. Make sure that the syslog server continues to run. I can’t tell you how often the emails just stop and you’re lulled into a false sense of security because you’re not getting emails. Email notification needs to be tuned. You don’t want emails for every little thing, as it won’t take long before you start ignoring those emails. And before you know it the truly important ones have slipped past you.
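The two failure modes in this section, notification noise and silence that nobody notices, can both be handled in a small filter that sits in front of the mail step. The following is an added example written for this article, not the author's setup and not Splunk; the log lines, host names, alert patterns and the 30-minute threshold are all constructed assumptions.

```python
"""Turn syslog lines into a digest and flag log sources that have gone quiet.

Added example (constructed data), not the article's own tooling.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of a central syslog file: web01 keeps logging, db01 goes
# quiet after 02:05, and mail01 (expected to report) never appears at all.
SAMPLE_LOG = """\
2008-03-08T02:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
2008-03-08T02:01:14 web01 sshd[1210]: Failed password for root from 203.0.113.9 port 40122 ssh2
2008-03-08T02:01:16 web01 sshd[1210]: Failed password for root from 203.0.113.9 port 40122 ssh2
2008-03-08T02:02:30 db01 kernel: nfsd: last server has exited, flushing export cache
2008-03-08T02:03:02 web01 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
2008-03-08T02:05:44 db01 sshd[2201]: Accepted password for backup from 10.0.0.7 port 44100 ssh2
2008-03-08T02:20:00 web01 cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
2008-03-08T02:40:00 web01 cron[1500]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# What deserves a mail, and what is routine noise that must never page anyone.
ALERT_PATTERNS = {
    "auth_failure": re.compile(r"Failed password|authentication failure", re.I),
    "root_login": re.compile(r"Accepted \S+ for root\b"),
}
NOISE_PROCS = re.compile(r"^cron\[\d+\]$")


def parse_log(text):
    """Parse lines of the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def filter_alerts(events):
    """(reason, event) pairs for events that match an alert pattern and are not noise."""
    alerts = []
    for e in events:
        if NOISE_PROCS.match(e["proc"]):
            continue
        for reason, pat in ALERT_PATTERNS.items():
            if pat.search(e["msg"]):
                alerts.append((reason, e))
                break
    return alerts


def digest(alerts):
    """Collapse alerts into one count per (reason, host): one mail, not one per line."""
    return Counter((reason, e["host"]) for reason, e in alerts)


def silent_hosts(events, expected_hosts, now_iso, max_gap_minutes):
    """Expected hosts whose newest message is older than the gap, or that never logged."""
    now = datetime.fromisoformat(now_iso)
    gap = timedelta(minutes=max_gap_minutes)
    last_seen = {}
    for e in events:
        if e["host"] not in last_seen or e["ts"] > last_seen[e["host"]]:
            last_seen[e["host"]] = e["ts"]
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > gap)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (reason, host), n in digest(filter_alerts(ev)).items():
        print(f"{reason} on {host}: {n} events")
    print("silent:", silent_hosts(ev, ["web01", "db01", "mail01"], "2008-03-08T02:45:00", 30))
```

The digest is what should be mailed on a schedule; the silent-host list is the heartbeat that catches the "emails just stop" case, because a host that stops logging is itself an alert rather than good news.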
Insecure service running in an insecure place.
Double-check your configurations and make sure that the services you are running on your box are truly needed for what the server is intended to do. There’s no reason to run NFS on a publicly available machine. If you have to have shares set up, do it in a secure fashion. Tunnel your file transfers over ssh or use scp. Make sure you look over your config files before placing your machine on the Internet. We all have fat fingers from time to time. It’s best to find out BEFORE you run into trouble.
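A concrete form of the "look over your config before the box goes on the Internet" check is to list every listening socket and compare it against what the server is supposed to offer. The following is an added example written for this article, not the author's procedure; it parses the column layout printed by `ss -lntu` (a constructed sample is embedded so it runs offline), and the allowlist of public ports and the port-to-service labels are assumptions for the demo.

```python
"""Audit listening sockets against an allowlist (added example, constructed data)."""
import subprocess

# Constructed sample in the column layout that `ss -lntu` prints.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:2049        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
"""

# Labels for the reviewer; these are the IANA-registered ports for each service.
SERVICE_LABELS = {22: "ssh", 80: "http", 111: "rpcbind (portmapper)",
                  2049: "nfs", 3306: "mysql"}

# Assumed policy: only these ports may be reachable from the network on a public host.
ALLOWED_PUBLIC_PORTS = {22, 80}


def parse_ss(text):
    """(proto, address, port) for each socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)   # IPv6 addresses contain colons, so split from the right
        sockets.append((fields[0], addr, int(port)))
    return sockets


def is_externally_reachable(addr):
    """Loopback-only bindings are fine; anything else can be hit from the network."""
    return not (addr.startswith("127.") or addr in ("[::1]", "::1"))


def audit(sockets, allowed_ports):
    """Externally reachable sockets not on the allowlist, with a service label."""
    return [(proto, port, SERVICE_LABELS.get(port, "unknown"))
            for proto, addr, port in sockets
            if is_externally_reachable(addr) and port not in allowed_ports]


def live_audit(allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Run ss on this host and audit its real listeners."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out), allowed_ports)


if __name__ == "__main__":
    for proto, port, label in audit(parse_ss(SAMPLE_SS), ALLOWED_PUBLIC_PORTS):
        print(f"unexpected {proto}/{port} ({label}) reachable from the network")
```

On the sample the audit flags NFS (2049) and the portmapper (111) while letting the loopback-only MySQL socket pass, which is the distinction the paragraph draws: a service is only a problem on a public box when it is bound where the public can reach it.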
Conclusion
One thing to always keep in mind is… Trust your instincts. You know your machine better than anyone else. You know how it reacts day to day. You know the ‘quirks’ of the machine (it slows down every day just before lunch). Have an emergency response plan written out and available. Who do you call and when? How much time are you allotted to fix a mission critical machine before calling for help? Along with the previous statement goes an understanding from management that blame will be assessed. The Internet is truly the Wild West. It’s been said that the Internet mimics the real world, but in actuality it can be far more dangerous. The anonymity that the Internet provides is vast and tracking down perpetrators can be exceedingly difficult, not to mention that, once they are found, dealing with the different jurisdictions there are in the world can make it extremely hard to prosecute.
Resources:
Unknown (January 23rd, 2008). TrustedID Identity Theft Data Breach Alerts » stolen laptop. Retrieved March 8th, 2008, from http://breachalerts.trustedid.com/?cat=118