First let’s define rootkit-like techniques. Here is the Wikipedia definition:
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.
From a simplistic point of view rootkit-like techniques involve masking many of the registry entries and executables to make it difficult to uninstall a program and/or provide backdoors to allow someone else to control a computer.
One man’s opinion is that this is all much ado about nothing. To be clear, Sony was stupid, both in their methods of trying to protect their music (which did open backdoors) and also in how they handled the situation once it happened. For the purposes of this discussion, we need to separate out consumer use vs. business use.
Rootkits are never acceptable in consumer applications. Consumers do not know the difference and have no idea how to remove these kinds of applications or the fact that these approaches may open up a backdoor to the computer, so that is just a no-no. But Security Incite doesn’t really follow the consumer markets, so let's move on.
For business use, some of these techniques are not all bad. Sure, this is going out on a limb. Obviously you don’t want sanctioned software to open up backdoors. But using rootkit-like techniques to ensure that security software is not uninstalled is cool with me. Why? Businesses control the equipment they give to employees to do their job. They expect that employees will not uninstall security software because it’s inconvenient. But this is exactly what happens, more often than most folks care to admit.
Indulge me for a moment. IT decides to clamp down on unauthorized wireless networks. This is certainly not out of the ordinary, since connecting at Starbucks can present a liability and who knows what folks have running on their home networks. But employee geek is grumpy because he’s under-caffeinated, so he heads off to Starbucks for the triple espresso. When he can’t connect, he just uninstalls the security software and ta-da – he’s on the network. No harm, no foul. That is, of course, until some worm that originates from that mobile connection blasts the internal network.
So, is it out of line for a vendor of endpoint security products to use techniques to ensure that corporate policies are enforced? Even if these “techniques” could be interpreted to use rootkit-like methods of protecting the application? I don’t think so because the pragmatist in me is always focused on getting the job done, even if the solution has a little hair.
Now for a reasonably significant caveat. This does involve trusting the security vendor to get it right, and as a customer, it is well within your right to delve DEEPLY into how they do things to get comfortable with the approach.
But in general, let the religious masses continue to throw spears at each other, while you focus on protecting your mobile devices. Even if it involves using some controversial techniques.
- He spoke the language of business - Clearly many of the RSA attendees are security practitioners, but Chambers did not speak down to them. He spoke about the business of networking and why security was so important. It's a key message for all security professionals to grok. The message was clearly about relating security to enabling productivity improvements, as opposed to security to avoid the downside risk of attack.
- He told us so - Chambers repeatedly referred back to his projections in the 90's and early 2000's about security needing to be built into the infrastructure and how Cisco's roadmap and architecture reflect that. They were right, and he wasn't afraid to gloat a bit. The message here was clearly about Cisco earning the right to define the next vision of security because they called the last one correctly.
- He nailed that vision thing - Speaking of vision, Cisco's message is focused around consistent and integrated security embedded into the fabric of the network, which enables those continued productivity improvements. From endpoint device to carrier cloud, Cisco's mantra is the network infrastructure provides a security capability that can react in the face of attack. There was no question about where they think the industry needs to go and it was a very cohesive story. Again, the antithesis of Microsoft's vision, which felt so tactical, yet is 3-4 years out - best case. Cisco's seems very strategic and most of the pieces will be in place this year.
- His demo was tight - Of course, there was a demo of new stuff, but it was introduced in a way that made the business benefits very clear and showed the power of integration. The concocted scenario made the "dangers" of not using Cisco's stuff everywhere very clear. And even more significantly, Chambers was involved. He stood right next to the demo guy and asked good questions to reinforce the points he wanted to get across.
- He put on a command performance - Chambers is a maestro in front of a crowd. He spent less than 25% of the time on the stage, continually strolling through the crowd. He made eye contact with the attendees and seemed very accessible. He made it seem like there was no other place he'd rather be. The southern twang in his voice didn't hurt either. Very down home and accessible. Everything that Bill Gates was not.
To be clear, I don't really believe all the hype. Cisco's strategy is largely designed to ensure the millions of switch and router ports around the world are upgraded ASAP and to further tighten Cisco's chokehold on the enterprise network. Their security platform is still very heavy and will require more than one forklift to bring in all the new equipment that is required to make it work.
Clearly Cisco still has a lot of executing to do and must deliver on the capabilities of the vision even for those heretics for whom homogeneity is not an option. They also need to clean up their non-existent Identity Management plan, since their main competitors (HP at the low end, Juniper at the high end, and Microsoft from the application side) have made identity prevalent within their security strategies.
But Chambers' keynote showed why no one gets fired nowadays by going all in with Cisco.
Bill Gates of Microsoft kicked off the festivities at RSA yesterday with his seemingly annual keynote. At times Microsoft announces new stuff and puts other vendors on notice that the "Redmondsters" are coming for them.
The hope was that Bill Gates would say something of substance. Basically give customers hope that their lives would get better. That the "new" standards friendly Microsoft would not continue to focus on locking customers into a homogenous Windows environment. That Microsoft could evangelize a convincing and achievable security framework for how all the pieces fit together, including legacy (and non-Microsoft) platforms.
I'm sure customers were disappointed by what they saw. I know I was. I thought the keynote sucked.
OK, I said it. Bill was not on his game. The demos were simplistic and not compelling. Their strategy depends on WIDESPREAD, actually UBIQUITOUS adoption of Microsoft's technology on both client and server. Everything was based on Vista, and customers won't be able to get Vista until the end of this year. Deployment won't start in earnest until mid-07 and be sufficiently pervasive (for security to work anyway) for years after that. The really interesting stuff (like Network Access Protection - NAP) won't be available until Longhorn Server, which is mid-2007 best case.
There was also no mention of how Microsoft's stuff is supposed to work with the network. If I totally adopt Microsoft's stuff, do I get to throw out my firewalls?
Microsoft basically said customers are on their own unless they can fully adopt Vista and Longhorn Server. That's disappointing. So customers, hunker down and make sure your patch process is strong, because you'll be using it for the next 4-5 years. Don't throw out your firewalls yet.
On the positive side, NAP looked pretty cool, but it was also not clear what kind of overhead is involved in setting up access policies for the network. Microsoft's focus on Identity is also good and sorely needed. Their work to harden the Windows platform is positive, as well as upgrading development tools to be more secure.
That's good stuff, but will take years to take root. I remember a quote from Bill himself about how we overestimate the amount of progress in 2-3 years, but underestimate the progress made in a decade. That's absolutely true. But Bill must have forgotten based on another "projection" he made.
"Passwords should be gone in 3-4 years."
You figure he would have learned something from the RSA spam debacle two years ago... But I guess not. Seems that Bill's new pet project is smart cards (since the SecurID didn't work for that purpose), so he envisions a world without passwords. It's not going to happen. Not anytime soon anyway. Here are a couple of reasons why:
- Adoption timeframe - It takes customers 3-4 years to decide to upgrade to a new Microsoft operating system. Some of the technology requires new products, or at least the latest current version of Windows Server.
- Federation must happen - Sure, large companies are already working on it, but in order to move away from passwords, every company must jump on board. And there are still competing standards (WS-* and SAML 2.0); though most products will support both, the presence of both complicates things.
- Passwords are good enough - If I'm transferring a million dollars, I probably want stronger authentication. To log into my network, a password is fine. And will remain fine. Reduced sign-on can make passwords easier to deal with, but to think everything will move to a new smart card based reality is plain delusional.
Ultimately, I get that Microsoft needs to have a good reason for customers to upgrade to the new platforms (to keep growth going) and maybe trying to vilify passwords is a way to stimulate action. But I don't think so. There are places for stronger authentication and places where it's not worth the effort.
I hope John Chambers of Cisco does better tomorrow.
The folks over at Shavlik have a piece on increasing the strength of passwords in their latest newsletter, which got me thinking about passwords for the first time in quite a while. Read this and you can teach your users to make "impenetrable" passwords. That kind of scared me. Of course there is no such thing as an impenetrable password. I started to wonder how much stock end users continued to put in their passwords.
My hope is not too much. My fear is a whole lot. You see, nothing is a panacea. Not even passwords. If passwords are your only line of defense, then you should spend a lot of time and money making them as strong as possible. Hell, roll out tokens to everyone in your organization while you’re at it. That would make cracking those passwords almost impossible. But not too many people have fully deployed tokens to all their employees. Wondering why?
First off, they are expensive. Even a mid-sized company could easily end up spending $30/user/year for two factor authentication. That may not be too much money if you have 10 employees. But if you have 10,000, that's some serious coin. For remote employees or those accessing very sensitive data, it’s probably worth it. But not for everyone.
Secondly, you don’t have to. There are a lot of other defenses and mechanisms that layered together make your environment reasonably safe, even if a password is compromised.
Let’s also not forget the cost overhead of very strong passwords. Some password rules are so complicated that the end users can't possibly remember them. So what do they do? Right, post it under their keyboard on a sticky note.
Those not smart enough to write it down, inevitably forget at an inconvenient time. So they call the help desk, which costs you money. Maybe if you implement self-service password management you can alleviate a lot of the labor involved, but those solutions cost money too.
So, indulge me for a moment and say we are going to relax our password strength requirements. What’s the downside risk? It’s easy to gain control of a desktop. So what? I’ll let you in on a little secret. It’s easy to gain control of a desktop even if strong passwords are used.
If you have endpoint security running on that device, there isn’t a whole lot of damage the hacker is going to do to the device. If you have network access control running, there aren’t a lot of places a compromised machine can access. If your servers (which hold many passwords and other critical company IP) are hardened and run host intrusion prevention, your application data is protected too.
Yes, endpoint security, network access control, and host intrusion prevention cost money. I get that. But that’s not really the point. From an architectural perspective, make sure you have Plan B (and Plan C and Plan D too) in place and operational. Implement your security in layers to remove dependency on any one method. So even if your passwords are broken, the bad guys won’t have free rein over your network.
And you may even save some money on sticky notes. I’m sure your CFO will love that.
It seems Jim Allchin of Microsoft has been a busy guy. He's hit every major tech media outlet over the past week or so, starting to espouse the new security capabilities of Windows Vista. Here are just a few of the links:
- SearchWin2000.com on Vista's upgraded security.
- NetworkWorld on Vista's built-in firewall
- ComputerWorld's interview with Allchin
- CNET News.com on Vista Security
You get the picture. The guy was everywhere last week, with good reason. The new Windows Vista technical preview is about to hit, and users will get to see a mostly feature complete system. The remaining time between now and release date will be spent on bug fixes, optimizing performance and ensuring compatibility.
So what? Microsoft is adding a lot of good stuff to Vista from a security standpoint. It will somewhat reach parity with Mac OS X in terms of the ability to protect the OS from rogue processes and requiring authorization to add new programs. But, that being said, Windows Vista does not help anyone now. In fact, it will be towards the end of 2006 before it's even available, and then organizations will need to figure out a deployment plan. This takes 12-18 months at most decent sized organizations, even longer if there are many home grown applications.
The reality is that Vista's impact will not be substantial until 2008. So users need to make sure they have Plan B working for the foreseeable future.
We've already discussed most of the components of Plan B. A tight upgrade and patching process for desktops, and likely some type of endpoint security to protect individual devices, especially mobile ones. The idea of network access control will also help to keep both unmanaged (devices you don't control) and insecure (requiring patches and other upgrades) machines off the network.
The message here is to not spend more than one or two seconds envisioning the Windows Vista future because it won't be here for a while, and you've got lots to protect until then.
It seems I'll sleep better tonight, given that eWeek's Larry Seltzer has clarified that MacIntel devices will be no more vulnerable than Mac PowerPC's. There has been a bit of huff over the last few days (mostly perpetuated by the media) about how Apple moving to the Intel processor family will make it easier to find vulnerabilities. It's good to hear a reasoned explanation about why that is crap.
I won't sleep easier just because I have become a Mac convert. I'll sleep easier because finally someone in the media is calling out the various chicken littles out there that have nothing better to do than speculate about what will or won't happen. There are a lot of bad things that can happen. We need to spend time more productively making sure we minimize the risk of those things happening and that we can contain the damage if something does happen.
Just to level set, think about a few facts:
- Every OS has vulnerabilities
- Vulnerabilities are not an issue until exploit code is available
- Exploit code rarely (like less than 10%) appears for a specific vulnerability
- Even if a patch is available, some percentage (upwards of 50%) of people don't patch
- Unpatched morons get nailed if exploit code appears
- The rest of the world doesn't care about the exploit code
These facts continue to be proven over and over again, and still people don't learn. And this would apply to both Windows and Mac equally if not for "The Path of Maximum Impact." This dictum states that hackers and fraudsters go for the most prevalent OS (Windows) because they have the highest likelihood of finding the most people that are unpatched to wreak the most havoc. To be clear, they want to create havoc, regardless of whether the objective is to bring down networks or perpetuate fraud. Hackers don't waste their time trying to attack the Mac because it's just not worth it to them. Apple makes it a bit harder, yes. But the reality is there aren't enough users to make it pay.
So why do users care? Because ultimately it gets back to the same thing. Keep your systems patched, whether they are Macs or Windows devices. Most importantly, train your users to not do stupid things. Stupidity does not play favorites and is just as likely to happen on a Mac platform as Windows. Create smart users and it doesn't matter which OS you use.
This Wednesday, yours truly will be participating in an online web cast discussing endpoint security. As part of the event, I'll also be doing a Q&A at the RSA conference in February. I assume you'll also be able to access an archive of the event if you can't make it.
Click here to register. Hope you will participate.
PART II: END-POINT SECURITY ONLINE
February 1st, 12pm EST
Driven by the prevalence of unwanted applications, internal zombie outbreaks, and documented information leaks enabled by key loggers and spyware, users will increasingly lock down endpoint devices, despite pushback from the business users. Limitations of the Windows XP security model make lockdown difficult in 2006, but much easier when Microsoft’s Vista operating system is ready for deployment beginning in 2007.
There is pretty much only one thing you can count on if you are a security professional: users will do stupid things. How many times have you said, “Don’t click on that unknown attachment” or “Kazaa is bad” or “eBay does not need to confirm your user information.” And how many times have you cleaned those machines of spyware and just shrugged your shoulders in resignation? Another weekend of cleaning up outbreaks that could have easily been avoided. Great fun.
Repeat after me: “Users will do stupid things.” So you need to accept it and work hard to stop issues before they start.
This is further compounded by increasing mobility. Almost all knowledge workers now carry laptops, so they can work 24 hours a day. Interestingly enough, some do. But that means they work at the coffee shop, in the airline clubs, at conferences, and in hotel rooms. Let me tell you, these public networks are literally cesspools of malware.
The most rigid perimeter in the world is of no help when a company laptop contracts a worm in the Crown Room. We need to extend the security down to the end point. But we need to do it in a manageable fashion, that is hopefully (somewhat) transparent to the user.
Of course, this being the security market, there are a ton of small companies (and even some bigger ones) chasing the endpoint security market with varied approaches. Let’s level set for a minute and go through the main options for end point security.
- Personal firewalls – Personal firewalls were really the first viable option to protect individual desktops. By controlling access to the network on each device and enforcing some policies, you can stop most simple attempts to take over the machine by brute force network attacks, prevent worm propagation and zombie activity.
- HIPS – Host intrusion prevention techniques have also made their way to the desktop, so the software on the device detects (and blocks) activity by matching a known attack signature or using an anomaly detection approach to stop atypical behavior.
- Application control – This relatively new class of products is a bit simpler to understand. Applications are either allowed or not allowed to execute based on the policy. Users cannot load (or execute) applications that are not on the “approved” list. You can also use application control technologies to shut down USB ports on computers, thus foiling the “sneakernet” attack.
Many of the endpoint security products on the market today use a combination of these techniques, since one size never really fits all. One man’s opinion is that pretty much any of the solutions are going to be good enough to make it difficult to compromise the device. Hackers, especially of the drive-by variety, opt for the path of least resistance. If the guy (or gal) next to you has nothing, who do you think is going to be the target?
The ability of application control-based solutions to simply lock down the desktop is pretty interesting. Much of the spyware that plagues your system are executables or installed by executables. Worms propagate by initiating their own nefarious executables. If those aren’t approved applications, they don’t run – thus no outbreak. You also gain more control over what business users do. Maybe you want to allow iTunes on your corporate desktops or maybe not. Controlling Kazaa or Skype is probably a good thing. Application control is simple and clean and does not really mess with the kernel.
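The approved-list decision described in the application control bullet and the paragraph above, as an added example that is not from the original post or from any product: a default-deny check keyed on a SHA-256 content hash rather than a file name. The class, function and file names are hypothetical and the "executables" are constructed byte strings; real products enforce the decision at process launch, whereas here it is only computed.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash file contents in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ApprovedList:
    """Default-deny policy: a program runs only if its content hash is approved."""

    def __init__(self) -> None:
        self._approved: dict[str, str] = {}  # sha256 hex digest -> label

    def approve(self, path: Path, label: str) -> None:
        self._approved[sha256_file(path)] = label

    def decide(self, path: Path) -> Decision:
        label = self._approved.get(sha256_file(path))
        if label is None:
            return Decision(False, "not on approved list")
        return Decision(True, f"approved as {label}")


def run_demo() -> dict[str, Decision]:
    """Build constructed stand-in 'executables' and evaluate each against the policy."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        itunes = root / "itunes.exe"
        itunes.write_bytes(b"constructed sample: media player v1")
        kazaa = root / "kazaa.exe"
        kazaa.write_bytes(b"constructed sample: file sharing client")

        policy = ApprovedList()
        policy.approve(itunes, "media player v1")  # IT approves this one build

        results["approved"] = policy.decide(itunes)
        results["unapproved"] = policy.decide(kazaa)

        # Same bytes under an approved file name: identity is the hash, not the name.
        (root / "other").mkdir()
        renamed = root / "other" / "itunes.exe"
        renamed.write_bytes(kazaa.read_bytes())
        results["renamed"] = policy.decide(renamed)

        # A vendor update changes the bytes, so it is blocked until IT re-approves it.
        itunes.write_bytes(b"constructed sample: media player v2")
        results["updated"] = policy.decide(itunes)
    return results


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case:10s} allowed={decision.allowed} ({decision.reason})")
```

The "updated" case is the operational cost of this model: every patch to an approved application has to be re-approved before it will run.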
Now for the downside. Business users are going to hate this and they will very likely make a big stink. You’ll hear all types of pushback because users like to feel in control, and locking down their desktops really takes away their control. So, this will be a good test of whether the powers that be really want a secure environment or not.
If not, it’s never too early to start polishing your resume…
Endpoint security should really be a function of the operating system. Microsoft added a personal firewall to Windows XP, which is a start. But, the reality is third party solutions will be required to perform the lock down for at least the next couple of years. The problem is that in most cases the local user needs to have administrator privileges on their XP desktop. You can get some level of control through group policy objects on Windows networks, but not enough. Windows Vista allows a lot more granularity to secure the administrator role and better safeguards in installing software, so that will help. But of course, best case Vista is a 2007 thing.
So, Security Incite believes protecting each desktop is important. If politically feasible, looking at application control is a good thing to do. You are able to stop the issues before they start. If that isn’t possible, there are network level controls that can be implemented to provide worm mitigation and protection against unauthorized access. These Network Admission Control (NAC) solutions are poised to break out this year, and will be the subject of tomorrow’s rant.
That’s all for Day 5.