If you travel to Japan, it's not uncommon to see people in public wearing surgical masks. Unlike some cities with serious environmental problems, these people are not wearing masks to keep toxins out, but rather to keep germs IN. They wear surgical masks when they have a cold or the flu to avoid infecting family, friends, co-workers and indeed the public in general. This is in stark contrast to North American society, where working while under the weather is seen as a badge of honor. Infection spreads through office buildings unabated as carriers show up to work and touch door handles, coffee pots and vending machines. If you showed up to work in a surgical mask, they would likely have security escort you out of the building!
This seems to be a reflection of our mentality towards networks as well. Most of the effort in information security is around protecting your own -- shielding from the outside world. We use layers and layers of firewalls, IDS, IPS, Anti-Malware and other technologies to keep the bad guys at bay, but what about when we get infected? Do we put on a mask to protect others?
Most systems have unfettered outbound access to other systems on the network and to the internet in general. The reason is simple: restricting client-side connections is complex enough that most firewalls are configured for unlimited outgoing access. At the perimeter, traffic may be restricted to destination ports 80/443 or sent through a proxy, but much malware can still spread over HTTP.
If we really focus on limiting outbound access for systems, we can not only slow down internal spread of infection but also quell spreading our 'germs' to others on the Internet. We get the benefit of a more resilient network while being a good internet citizen.
Here are a few things we can do to make our systems and networks more resilient to being the source of attack once infected:
- Define and enforce, with host-based firewalls, which internal systems may talk to which. If a web server communicates with a database server, the database server should accept connections only on the applicable ports and only from the web server.
- Restrict outgoing access for servers. Lock servers down so they can initiate connections only to a whitelist of approved addresses or sites (such as update servers).
- Restrict internet access at the perimeter to the required resources. There is a good chance nothing on your network should be probing RPC or SMB on computers across the internet.
- Employ host-based IDS or IPS to detect suspicious traffic originating from your systems.
- Employ host-based application whitelisting or blacklisting (either executable or network/signature-based).
- Employ network traffic monitoring to detect unauthorized activity. Copious SMTP traffic from a client system in the middle of the night is a good indication you have a zombie.
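To make the list above concrete, here is an added example (not code from the original post) that models a per-role outbound allowlist and audits a batch of flow records against it: it reports flows a host firewall built from the policy would have denied, internet-bound SMB/RPC probes, and client systems producing a burst of off-hours SMTP. The roles, addresses, ports, thresholds and flow lines are all constructed for the example; in practice you would feed it NetFlow, firewall or proxy logs, and the real enforcement happens in the host and perimeter firewalls the policy describes.

```python
"""Audit flow records against an outbound (egress) allowlist.

Added example: hosts, roles, destinations and thresholds are hypothetical.
Flow line format (constructed): "<ISO timestamp> <src> <dst> <proto> <dport>"
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical per-role allowlist: (destination network, protocol, port).
# "0.0.0.0/0" means any destination; anything not listed is denied.
EGRESS_POLICY = {
    "web":    [("10.0.2.10/32", "tcp", 3306),    # web tier talks only to the DB
               ("10.0.0.53/32", "udp", 53)],
    "db":     [("10.0.0.53/32", "udp", 53),
               ("203.0.113.5/32", "tcp", 443)],  # OS update mirror (hypothetical)
    "client": [("10.0.0.53/32", "udp", 53),
               ("0.0.0.0/0", "tcp", 80),
               ("0.0.0.0/0", "tcp", 443),
               ("10.0.3.25/32", "tcp", 25)],     # mail goes via the corporate relay only
}

# Which role each source address plays (hypothetical inventory).
HOST_ROLES = {"10.0.1.10": "web", "10.0.2.10": "db",
              "10.0.5.77": "client", "10.0.5.78": "client"}

INTERNAL_NETS = [ip_network("10.0.0.0/8")]
PROBE_PORTS = {135, 139, 445}  # RPC endpoint mapper, NetBIOS session, SMB


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, dst, proto, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "port": int(port)}


def egress_allowed(flow):
    """True if the flow matches an allowlist entry for the source's role."""
    role = HOST_ROLES.get(flow["src"])
    if role is None:
        return False  # unknown host: default deny
    dst = ip_address(flow["dst"])
    return any(proto == flow["proto"] and port == flow["port"]
               and dst in ip_network(net)
               for net, proto, port in EGRESS_POLICY[role])


def audit(lines, smtp_threshold=20, night=(0, 6)):
    """Return denied flows, internet-bound SMB/RPC probes, and suspected zombies.

    A client is a suspected zombie when it opens at least smtp_threshold
    SMTP (tcp/25) connections during the night window [night[0], night[1]).
    """
    flows = [parse_flow(line) for line in lines]
    denied = [f for f in flows if not egress_allowed(f)]
    probes = [f for f in flows
              if not is_internal(f["dst"]) and f["port"] in PROBE_PORTS]
    night_smtp = Counter(f["src"] for f in flows
                         if f["port"] == 25 and f["proto"] == "tcp"
                         and HOST_ROLES.get(f["src"]) == "client"
                         and night[0] <= f["ts"].hour < night[1])
    zombies = sorted(h for h, n in night_smtp.items() if n >= smtp_threshold)
    return {"denied": denied, "probes": probes, "zombies": zombies}


# Constructed sample flows: legitimate web->db, db->update mirror and
# client->relay traffic, one SMB probe from the web server to the internet,
# and 25 direct SMTP connections from a workstation at 2am.
SAMPLE_FLOWS = [
    "2024-03-12T10:00:01 10.0.1.10 10.0.2.10 tcp 3306",
    "2024-03-12T10:00:02 10.0.2.10 203.0.113.5 tcp 443",
    "2024-03-12T14:00:00 10.0.5.78 10.0.3.25 tcp 25",
    "2024-03-12T10:05:00 10.0.1.10 198.51.100.7 tcp 445",
] + [f"2024-03-12T02:{i:02d}:00 10.0.5.77 198.51.100.{i} tcp 25"
     for i in range(1, 26)]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS)
    for f in result["denied"]:
        print(f"DENY  {f['src']} -> {f['dst']} {f['proto']}/{f['port']}")
    for f in result["probes"]:
        print(f"PROBE {f['src']} -> {f['dst']} port {f['port']}")
    print("suspected zombies:", result["zombies"])
```

Running the audit over the same policy before you enforce it shows which existing flows would break (here, the web server's SMB probe and the workstation's direct SMTP); running it afterwards turns every denied flow into a detection, which is the point of putting the mask on.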
Like The Vapors said in their 1980s one-hit wonder..."I think I'm turning Japanese"... and maybe so should you.