EAC Blog: Thinking positively about security
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 13.

Over the past week or so, I hope you've gotten a feel that I'm not really a touchy-feely type of guy. And I need to work hard to be optimistic about things because I'm wired to find problems and try to figure out solutions. It makes my wife crazy ("Can't you ever just be happy?!?!"), but that trait also makes me well suited to being an analyst.
But this isn't about optimism or even pessimism; it's about securing your networks and critical information assets. If something goes down, the only touchy-feely you are going to get is a boot on your backside. Wishing your network were secure doesn't help either. As my father-in-law says, "If you hope, you are a dope." I tend to use the "hope is not a strategy" cliché more than I would prefer. The fact remains: you are either a hero or a goat, depending on whether the myriad attacks you see every day succeed.
To be clear, I'm not talking about thinking positively here (though I heard it does help, maybe I should try it someday), I'm talking about acting positively. And in a security context, that means only allowing the stuff you specifically want to run on your network, and blocking everything else.
You can start at the perimeter. Basically, your access router shouldn't allow anything in unless you specifically decide it should. This technique is called "default-deny." Depending on what you have running, that probably means SMTP and HTTP at a minimum, maybe a few other protocols as well, but nothing else. Shut it down. If you block traffic before it even reaches your network, you are much better off.
Same deal goes for your firewall. Take a look at what is probably a panoply of firewall rules that may not even be relevant anymore. Have you compared what you are allowing and blocking to the router? Make sure every rule in there is for a VERY good reason and that the firewall and router configurations are in sync. Don't take chances by leaving your perimeter sloppy.
Unfortunately, with more and more applications looking like HTTP and coming in over port 80, this technique is not as effective as it used to be. That's why we need stuff like intrusion prevention, deep packet inspection, and anomaly detection to ensure that port 80 traffic isn't malicious. But doing this little stuff on your existing firewall and router is still effective and will make a difference.
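As an added illustration (my example, not code from the original post or from any vendor), here is a small Python model of the two checks described above: a default-deny decision that permits only explicitly listed services, and an audit that flags rules the router and firewall disagree on or that nobody can justify. The rule sets, ports and reasons are constructed sample data.

```python
"""Default-deny perimeter model with a router/firewall sync audit (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    port: int
    reason: str  # why this rule exists; empty string means nobody knows


# Constructed sample allow-lists; anything not listed is denied.
ROUTER_ALLOW = {
    Rule("tcp", 25, "inbound mail"),
    Rule("tcp", 80, "public web"),
}
FIREWALL_ALLOW = {
    Rule("tcp", 25, "inbound mail"),
    Rule("tcp", 80, "public web"),
    Rule("tcp", 443, "public web (TLS)"),  # router never lets this through
    Rule("tcp", 21, ""),                   # stale rule with no documented reason
}


def decide(allow, proto, port):
    """Default-deny: 'allow' only if an explicit rule matches, else 'deny'."""
    if any(r.proto == proto and r.port == port for r in allow):
        return "allow"
    return "deny"


def _by_key(rules):
    """Index a rule set by (proto, port) so the two devices can be compared."""
    return {(r.proto, r.port): r for r in rules}


def audit(router, firewall):
    """Report rules present on only one device and rules lacking a reason."""
    rk, fk = _by_key(router), _by_key(firewall)
    undocumented = {k for k, r in list(rk.items()) + list(fk.items()) if not r.reason}
    return {
        "firewall_only": sorted(set(fk) - set(rk)),
        "router_only": sorted(set(rk) - set(fk)),
        "undocumented": sorted(undocumented),
    }


if __name__ == "__main__":
    print(decide(FIREWALL_ALLOW, "tcp", 3389))  # deny: not on the list
    print(audit(ROUTER_ALLOW, FIREWALL_ALLOW))
```

Every entry in `firewall_only` or `router_only` is a rule the two devices disagree on, and every entry in `undocumented` is a candidate for removal.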
Next, let's look at the desktops (or laptops, as the case may be) that access your network. Lots of folks get compromised because their employees surf to a bad site (either through phishing or pharming). They can also contract something in a coffee shop, which they then kindly proliferate through your network upon their return.
What you are looking for here is a strong, positive endpoint security posture. Basically, malware infects a machine by running executables that compromise the machine, turn off its defenses and then spread to other devices. If you use the trusty old "default-deny" approach, specifying which applications you allow to run on your devices, the malware has a hard time spreading.
Of course, this technique can be controversial, especially if you decide that iTunes is not an authorized application. And it's not foolproof -- nothing is. But I've seen this approach be very successful in stopping the contraction and spread of malware.
So the next time someone tells you to think positive, you can say with a straight face that you always do. Maybe smile for good nature and say "Kumbaya!" It'll make everyone feel better.